CIOs brace for AI-led cyber attacks but feel unready
Managed security services provider LevelBlue has published research suggesting many CIOs expect AI-driven cyber attacks in the near term, but far fewer believe their organisations are ready to respond.
The report, Persona Spotlight: CIO, found 51 per cent of CIOs think AI-powered attacks are likely within the next 12 months. Only one-third said their organisation is prepared to manage the threat.
The findings add to a growing body of industry research pointing to a widening gap between the pace of AI adoption and the maturity of cyber risk management. CIOs often lead programmes that introduce automation and data-driven systems into core operations. Those changes can expand attack surfaces and complicate governance.
Confidence gap
The survey suggests CIOs see AI as central to business strategy. Some 71 per cent said their adaptive approach to cybersecurity allows the organisation to take greater innovation risks.
Confidence dropped when respondents assessed their ability to counter attackers using AI techniques. Only 20 per cent said they are highly effective at defending against AI-enabled adversaries. The same proportion said they are highly effective at implementing and using AI to enhance cybersecurity.
Many also expect greater reliance on AI-driven security tooling as threat volumes and complexity rise. Some 72 per cent believe AI-driven tools will be essential to improving detection and response.
Overall, the results suggest CIOs see AI playing a dual role: enabling new digital services while also driving new forms of cyber crime. Yet many do not rate their current controls and processes as strong enough to keep pace.
Enterprise integration
The research points to a shift away from siloed security operations towards deeper integration with transformation programmes. Nearly half of CIOs (49 per cent) plan to prioritise integrating cybersecurity across lines of business and projects in the next 12 months, above the cross-leadership average.
Board-level engagement is also a focus. Some 39 per cent intend to increase boardroom engagement in cyber resilience discussions.
External events appear to be raising cybersecurity's profile in the executive suite. The research found 73 per cent of CIOs said publicised cyber attacks have elevated executive-level discussions.
However, internal constraints remain. Some 47 per cent cited executive leadership not prioritising cyber resilience as a barrier to improvement.
Measurement and alignment were also highlighted as ongoing issues. Fewer than half said key performance indicators effectively link cybersecurity to business outcomes. Almost half (49 per cent) said business risk appetite is not aligned with cybersecurity risk management.
Investment priorities
CIOs reported moderate to significant investment in both "foundational and AI-driven" security initiatives. The report found 80 per cent are strengthening cyber resilience processes across the business, while 78 per cent are prioritising application security.
AI-specific initiatives featured prominently. Some 76 per cent are investing in machine learning for pattern matching to improve threat detection, and 70 per cent are deploying generative AI to counter more sophisticated social engineering attacks.
The results also suggest a shift towards greater external support for high-impact incidents. Over the next two years, 47 per cent plan to work with incident response specialists, compared with 23 per cent in the past 12 months.
Planned use of threat intelligence providers is also rising. Some 36 per cent plan to work with threat intelligence providers over the next two years, up from 26 per cent in the past year.
Supply chain risk
Software supply chain security emerged as a central concern. More than half of CIOs (56 per cent) believe software supply chain attacks are imminent. Only 22 per cent said they have a highly effective view of the software supply chain.
Some 70 per cent reported moderate to significant investment in enhanced software supply chain security.
The findings also addressed whether AI adoption is increasing supply chain risk. Only 25 per cent said AI has introduced additional risk to the software supply chain since adoption.
Operational focus
The report recommends improving executive alignment, operational discipline, and visibility across third-party dependencies. It calls on organisations to educate executive leadership on AI-related risks and opportunities in cyber resilience, and to embed cybersecurity across business functions through top-down alignment.
It also emphasises the value of external expertise for incident readiness and emerging threats, along with stronger visibility and due diligence across the software supply chain.
"CIOs sit at the intersection of innovation and risk. AI presents enormous opportunities to drive efficiency and growth, but it also increases adversary sophistication. Organisations that modernise security operations, strengthen supply chain transparency, and align executive priorities will be better positioned to lead confidently in an AI-driven economy," said Kory Daniels, Chief Security & Trust Officer, LevelBlue.