AI/ML, Security Staff Acquisition & Development, Leadership, AI benefits/risks

Most CISOs now own AI security: Here’s what that means for your business

Abstract Representation of People Connected in a Global Network and Digital World

The CISO’s job has always been challenging, but what we're seeing today is a fundamental shift in their role. Not only are they being asked to do more with less, but they’ve also been handed a whole new mandate due to their increasing responsibilities for AI security and data privacy. 

HackerOne’s new research reveals that 84% of CISOs are now responsible for AI security and 82% for data privacy. This means CISOs are asked to secure technologies that are evolving at breakneck speed. According to Stanford’s 2025 AI Index, 78% of organizations reported using AI in 2024, up from just 55% the year prior, highlighting a dramatic leap in adoption in just one year. The rapid adoption, often driven by different parts of the business eager for a competitive edge, creates entirely new attack surfaces.

Even the most skilled internal teams may not have the specialized knowledge to address these unique vulnerabilities on their own.

CISOs don’t need a bigger team, they need the right partner

This is where a strategic approach to offensive security becomes critical. I’ve spoken with numerous CISOs who feel the weight of these new duties and need to find the right external expertise to address internal security blind spots. The answer lies in leveraging the ingenuity of the global security community. 

While many CISOs are already using some form of crowdsourced security, our report shows that this approach is significantly boosting detection where internal expertise may be scarce. For example, 88% of CISOs find crowdsourced security effective in discovering and eliminating data privacy vulnerabilities, and 81% find it effective in addressing AI-related threats. 

This proves crowdsourcing is no longer a one-off solution, but part of a larger framework for addressing today’s most pressing security challenges. This signals a shift towards Continuous Threat Exposure Management (CTEM) in which organizations move from periodic testing to continuous, risk-based validation of their attack surface.

Unlocking the '15% advantage'

HackerOne’s research found that the true differentiator is "the 15% advantage." This is the top 15% of leaders who are "all in" with a comprehensive crowdsourced security strategy. CISOs who fully implement crowdsourced security are 2x as likely to find it very effective compared to partial adopters.

These high-performing CISOs are using the full range of tools, from bug bounties to vulnerability disclosure programs (VDPs), red teaming, and pentesting. By layering these approaches, they are combining AI with the ingenuity of security researchers to find and eliminate security, privacy, and AI vulnerabilities across the software development lifecycle.

This approach is also cost-effective, with bug bounties offering a pay-for-results model, making it a strategic way for CISOs to proactively secure these critical new attack surfaces.

Overcoming the talent gap

For many enterprise leaders, a key barrier to adopting this full-scale offensive security program is the persistent talent shortage. Our survey found that 39% of CISOs cite a lack of skilled personnel as a major challenge. Globally, the cybersecurity industry urgently needs about four million more professionals to fill current roles, according to the World Economic Forum, highlighting the critical lack of qualified professionals available to fill vital roles. However, crowdsourced security offers a powerful, scalable solution to this problem. It is a cost-efficient model that allows organizations to access on-demand, specialized expertise from thousands of vetted researchers. Tapping into the diversity of the crowd helps leaders scale their security capabilities to match the speed and complexity of modern attack surfaces without being constrained by the limits of internal teams.

Ultimately, organizations must build a proactive, resilient security posture that can stand up to future threats. HackerOne research shows that 100% of the leaders who fully embrace crowdsourced security view it as a critical part of their overall strategy. 

For boards, the case is clear. Crowdsourced security is essential for future-proofing your organization and transforming security from a reactive function into a strategic, board-level advantage.

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.
Blake Entrekin

Blake Entrekin is Deputy CISO at HackerOne.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds