AI reality checks dominate major cybersecurity conference
NATIONAL HARBOR, Md. — In the rapidly evolving AI era, one of the most critical responsibilities for CISOs is disciplined risk assessment and steady leadership rather than reactive panic, according to cybersecurity experts speaking this week at the Gartner Security & Risk Management Summit.
“Don’t panic,” advised Katell Thielemann, Vice President Analyst at Gartner, during a session focused on the implications of AI for the security of cyber-physical systems, including industrial control environments.
While acknowledging the pace of technological change, Thielemann emphasized that organizations still have practical, immediate steps they can take to reduce exposure. “Yes, things are changing fast,” she said, noting that straightforward measures such as isolating critical systems from the internet and tightening oversight of remote access can deliver significant security gains.
The discussion comes as newly released AI models from companies such as Anthropic and OpenAI have raised concern across the cybersecurity community. These systems, reportedly capable of identifying software vulnerabilities at unprecedented speed, are reshaping both defensive and offensive cyber capabilities. In response, vendors and consultants have rushed to offer solutions—though experts warned that not all guidance reflects practical or necessary improvements.
Dennis Xu, another Gartner Vice President Analyst, noted that the real shift introduced by advanced AI systems is not an entirely new type of attack but the acceleration of existing threats. “What does this change? Velocity and volume,” he explained. “Attackers are coming at us much faster, and within the next 12 months, at a significantly higher scale.”
Despite this, Xu urged security leaders to maintain focus and perspective. His guidance was simple but firm: “Don’t panic—and communicate.”
He stressed the importance of keeping executive leadership and boards informed that cybersecurity is entering a fundamentally different operational phase. At the same time, he encouraged CISOs to leverage this shift as an opportunity to advocate for stronger security budgets and more strategic investment.
However, Xu cautioned that core defensive priorities remain largely unchanged. Organizations should continue to concentrate on asset visibility, exposure management, and prioritizing patching efforts for critical systems rather than attempting to chase every emerging threat trend.
During one session, Xu asked attendees how many of their organizations had formally defined their “minimum viable operations”—the essential systems required for business continuity. When few hands were raised, he pointed to this gap as a fundamental weakness.
“I don’t want you to spend six months on it,” he said, “but it’s something you should have. It creates a shared language for understanding what truly matters, so security decisions can be prioritized where they count.”
Between AI Hype and Operational Reality
Across the conference, Gartner analysts also highlighted a growing disconnect between AI marketing narratives and enterprise reality.
Major AI providers, including OpenAI and Anthropic, continue to promote premium tools as transformative solutions for complex business workflows. However, organizations are increasingly discovering that these systems can be costly, consumption-heavy, and not always aligned with expected productivity gains.
Bart Willemsen, Vice President Analyst at Gartner, noted that many security leaders feel financial and operational strain as budgets shift toward generative AI adoption.
“Security leaders feel underrepresented and under-resourced,” he said, pointing to the evolution of AI pricing models—from seemingly free tools, to per-user subscriptions, and now to usage-based token billing. “Money is being redirected into generative AI platforms at a pace that doesn’t always reflect clear returns.”
He also raised concerns about workforce trade-offs, cautioning organizations against assuming AI can simply replace experienced personnel without long-term consequences.
“For those thinking AI allows you to operate with fewer people, be careful,” Willemsen warned. “Once those experts are gone, you won’t easily get them back.”
As the summit underscored, the cybersecurity industry finds itself at a crossroads: balancing the promise of AI-driven innovation with the enduring need for disciplined fundamentals, operational clarity, and human expertise.