O’Reilly 2024 State of Security Survey reveals critical AI skills gap

O’Reilly has released its 2024 State of Security Survey report, uncovering a stark disconnect between rapidly evolving threats and the readiness of security teams to combat them. The comprehensive study explores the current security landscape, identifies emerging threats, and assesses how organisations are adapting their security strategies and workforce development to meet these challenges.

Among the notable findings is a critical AI security skills gap: 33.9% of tech professionals report a shortage of AI security skills, particularly around emerging vulnerabilities like prompt injection. This highlights the need for specialised training as AI adoption continues to accelerate across industries.

Cloud security expertise also emerges as a significant concern. Despite cloud computing’s two-decade presence, 38.9% of respondents identified cloud security as the most significant skills shortage. This revelation underscores a lag in expertise as organisations continue their cloud migration journeys, potentially leaving them vulnerable to cloud-specific security threats.

Looking ahead, AI-enabled security tools rank as the top priority for the coming year (34.4%), with security automation following closely behind (28.2%), signalling a strong push toward automation in cybersecurity defences.

“Our global survey underscores a security landscape in flux, with critical skills gaps emerging in AI and cloud security,” said Laura Baldwin, president of O’Reilly. “As cyber threats become increasingly sophisticated, it’s clear that continuous, high-quality training is no longer optional; it’s essential for safeguarding our digital future. Organisations must prioritise ongoing up-skilling to stay ahead of evolving risks and build robust defences.”

Additional key survey findings highlight the following trends in the current security landscape:

Phishing remains top threat: In an era of sophisticated cyberattacks, 55.4% of respondents still cite phishing as the primary security concern, followed by network intrusion (39.9%) and ransomware (35.1%). The persistence of a “low-tech” threat emphasises the critical need for comprehensive employee training.

Security measures implemented: A majority (88.1%) of tech professionals have adopted multi-factor authentication, 60.1% have implemented endpoint security, and 49.2% have adopted a zero trust model.

Certification gap: Despite 51.3% of companies requiring certifications for hiring, 40.8% of security team members remain uncertified. This gap is pronounced among incident responders (70% uncertified) but less so for CISOs (33.3% uncertified), highlighting varying certification cultures across security roles. CISSP and CompTIA Security+ are the most required and desired credentials.

Continuous learning imperative: 80.7% of employers mandate continuing education for security professionals, with 32.2% requiring 41 or more hours annually. This emphasis on ongoing training reflects the rapidly changing threat landscape.

Ongoing training needs: Security professionals emphasise the importance of continuous learning, utilising online courses (88.8%), books (76.6%), and videos (75.2%) to stay updated on best practices and emerging threats.

The survey also found that better security awareness training for all employees (40.1%) was identified as the most crucial step in improving an organisation’s security posture, outranking additional staffing and better security tools.

“Our survey reveals a seismic shift in the security landscape—it’s no longer just an IT concern, but a company-wide imperative,” said Baldwin. “While certifications like CISSP remain crucial, we’re seeing critical skills gaps in cloud and AI security. To truly safeguard our digital future, we need high-quality, continuous learning that goes beyond exam preparation and empowers every employee to be a frontline defender against evolving threats.”