Walk the floor of any security conference and you'll hear the same story: AI is transforming threat detection, closing the vulnerability gap and redefining cyber defence. But the data suggests security professionals aren't buying into the hype as much as vendors might expect.

According to Oliver Spence, CEO of Cybaverse and a former Royal Marine, the cybersecurity industry has a marketing problem, and that problem is making organisations less secure. In this episode of the Security Strategist Podcast, Spence sits down with Trisha Pillay to examine where security leaders are being misled, why buzzwords are replacing meaningful outcomes, and what organisations should be focusing on instead.

Why AI Falls Short

Research conducted with security professionals at Infosec Security found that 87 per cent of respondents believe AI increases risk rather than mitigates it. Six in ten said their organisation didn't have the resources to manage the threats AI introduces. These aren't the numbers of an industry confidently embracing a new era. They're the numbers of a sector that's been oversold.

Spence puts it plainly: "There's a lot of money from VCs being pumped into cybersecurity, and cybersecurity does marketing extremely well. Which means people end up buying tools. And quite often, tools are purchased, and they barely make it out of the onboarding phase." The hype, in other words, is moving faster than reality, and security leaders are paying the price.

What the Mythos Release Actually Taught Us

To understand where AI hype collides hardest with security reality, look at what happened with Mythos. The frontier AI model was made available to a limited group of organisations through Anthropic's Project Glasswing: initially around 12 companies, including Microsoft and CrowdStrike, later expanded to more security businesses. The intent was to test and validate a security-focused AI capability at the highest level.

Within 24 to 48 hours of the release of Fable, the security solution built on Mythos, someone had already found a prompt that bypassed its controls. Shortly after, the US government restricted access to the model for organisations outside the United States.

For Spence, the lesson isn't that AI is useless. It's that the hype around AI security outpaces what even the best-resourced organisations can actually control.

"If the top security companies in the world, dedicated to testing and securing these AI frameworks, still haven't been able to secure it, how does a smaller mid-market business take on that security challenge?"

His answer cuts against the grain of most vendor messaging: nothing about AI development, including Mythos, has actually changed what organisations should be doing. "If you look at the NCSC's top ten steps, it's all about fundamentals. And if you have those right, you will still be secure from AI-driven attacks." That's not a comfortable message for vendors selling AI-native security platforms, but it's the one the data supports.

Where Security Leaders Are Getting It Wrong

The most common mistake Spence sees is organisations acquiring tools in response to fear rather than strategy. AI marketing is particularly effective at generating that fear, which is exactly why the cycle keeps repeating.

"There's a culture that a product is just going to do everything for you and save your bacon in a time of issues. The magic fairy dust of: buy this product and it solves all your problems."

The result is tool sprawl at a scale most boards don't realise. The average mid-market company runs between 30 and 40 security products. Enterprise organisations frequently exceed 80 or 90. And yet breaches persist. Operational complexity grows. Security teams burn out managing tools rather than managing threats.

Six in ten security professionals surveyed said AI hype was pushing them to fixate on the volume of vulnerabilities rather than how to manage them. That's a direct consequence of marketing designed to create urgency, and it's causing leaders to make reactive purchasing decisions instead of strategic ones.

The fix isn't complicated, but it requires discipline: define the outcome you need to achieve before you look at a single product. "What is the outcome that we need to achieve as a business? Make sure you have those written down. Then look at which tool maps to solving those outcomes." Tool mapping, not tool accumulation, is what an effective security strategy looks like.

The Vulnerability Volume Trap

One of the clearest examples of hype distorting reality is how organisations are handling vulnerability management, or failing to. AI has made vulnerability discovery faster and more accessible, for defenders and attackers alike. The next wave of AI-enabled attacks, beyond the phishing use cases that became widespread first, is exploitation at scale: AI scanning infrastructure for gaps faster than human teams can identify and close them. That's a real threat, but the response many organisations have is to treat every vulnerability finding as equally urgent, which is where the hype machine takes over.

Spence gives a concrete example: a vulnerability scanner might flag four instances of an outdated version of Chrome as four separate critical findings. Teams see four criticals. Boards panic. In reality, there's one action: update Chrome. The noise generated by poorly configured tools inflates urgency and slows down the teams trying to respond.

"People can get so overwhelmed and go, there's so much to do here, it's going to be impossible. But it's about putting a system and structure in place to deal with it. It doesn't matter whether it's one vulnerability or a thousand; it's the same process."


A healthcare client Spence worked with had a board furious at the IT team over the volume of critical vulnerabilities appearing in reports. The team hadn't done anything wrong. They'd simply never run structured vulnerability management before, so when they started, everything surfaced at once. The fix wasn't faster patching, it was building a process: identify assets, prioritise by actual business risk, remediate in order, track progress. Once the board understood they were closing gaps rather than chasing an impossible zero, the relationship between leadership and the security team stabilised.
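The two points above, that four scanner rows for one outdated browser are one remediation action, and that actions should be ordered by business risk and tracked to closure, can be shown in a few lines of code. The following is an added example written for this article; it is not code from the podcast, from Cybaverse or from any scanner vendor. The findings, the asset inventory, the criticality tiers and the scoring weights are all constructed for illustration and would normally come from the scanner export and the asset register.

```python
"""Collapse raw scanner findings into remediation actions, rank those actions
by business risk and report closure progress.

Added example, not from the podcast or Cybaverse. All data below is constructed:
the asset tiers, the exposure flags and the weights are assumptions.
"""
from collections import defaultdict

# Assumed weights: raw scanner severity is only one input to priority.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
TIER_MULTIPLIER = {1: 3.0, 2: 2.0, 3: 1.0}      # tier 1 = business-critical, 3 = low impact
EXPOSURE_MULTIPLIER = {True: 1.5, False: 1.0}   # internet-facing assets score higher

# Assumed asset inventory ("identify assets" is the first step of the process).
ASSETS = {
    "web-01": {"tier": 1, "internet_facing": True},
    "db-01": {"tier": 1, "internet_facing": False},
    "laptop-07": {"tier": 3, "internet_facing": False},
    "laptop-12": {"tier": 3, "internet_facing": False},
    "laptop-19": {"tier": 3, "internet_facing": False},
    "laptop-23": {"tier": 3, "internet_facing": False},
}

# Constructed scanner export. Note the four separate "critical" rows for one outdated browser.
FINDINGS = [
    {"asset": "laptop-07", "title": "Google Chrome outdated", "severity": "critical", "fix": "Update Google Chrome"},
    {"asset": "laptop-12", "title": "Google Chrome outdated", "severity": "critical", "fix": "Update Google Chrome"},
    {"asset": "laptop-19", "title": "Google Chrome outdated", "severity": "critical", "fix": "Update Google Chrome"},
    {"asset": "laptop-23", "title": "Google Chrome outdated", "severity": "critical", "fix": "Update Google Chrome"},
    {"asset": "web-01", "title": "TLS 1.0 enabled", "severity": "medium", "fix": "Disable TLS 1.0/1.1 on web-01"},
    {"asset": "db-01", "title": "Database superuser has default password", "severity": "high", "fix": "Rotate db-01 superuser password"},
]


def risk_score(finding, assets):
    """Business risk of one finding: scanner severity scaled by asset criticality and exposure."""
    asset = assets[finding["asset"]]
    return (SEVERITY_WEIGHT[finding["severity"]]
            * TIER_MULTIPLIER[asset["tier"]]
            * EXPOSURE_MULTIPLIER[asset["internet_facing"]])


def group_by_action(findings):
    """Deduplicate: one remediation action per fix, however many hosts report it."""
    actions = defaultdict(list)
    for finding in findings:
        actions[finding["fix"]].append(finding)
    return actions


def prioritise(findings, assets):
    """Return remediation actions ordered by the highest business risk each one closes."""
    ranked = []
    for fix, group in group_by_action(findings).items():
        ranked.append({
            "action": fix,
            "hosts": sorted(f["asset"] for f in group),
            "raw_findings": len(group),
            "score": max(risk_score(f, assets) for f in group),
        })
    ranked.sort(key=lambda action: (-action["score"], action["action"]))
    return ranked


def remediation_progress(ranked, closed_actions):
    """Closure in terms a board can follow: actions done versus actions remaining,
    plus how many raw scanner rows those closures retire."""
    closed = [a for a in ranked if a["action"] in closed_actions]
    return {
        "actions_total": len(ranked),
        "actions_closed": len(closed),
        "findings_retired": sum(a["raw_findings"] for a in closed),
        "findings_total": sum(a["raw_findings"] for a in ranked),
    }


if __name__ == "__main__":
    plan = prioritise(FINDINGS, ASSETS)
    for action in plan:
        print(f"{action['score']:5.1f}  {action['action']}  "
              f"({action['raw_findings']} findings on {len(action['hosts'])} hosts)")
    print(remediation_progress(plan, {"Update Google Chrome"}))
```

With these assumed weights the six scanner rows become three actions, and the four "criticals" rank last: a default database password on a tier-1 system and a weak TLS configuration on an internet-facing host both outscore an outdated browser on low-impact laptops. The progress report counts actions, not scanner rows, which is the framing that settled the board in the healthcare case above.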

Patch management isn't a solved problem. For businesses running tens of thousands of endpoints with hundreds of applications across their estate, keeping up with remediation at scale is genuinely hard. AI-driven discovery doesn't solve that; it amplifies the pressure if there's no management system underneath it.

How to Evaluate AI Security Claims

Given the pace of AI development and the volume of vendor claims, security leaders need a practical filter. Spence's is straightforward: does this address a specific outcome your organisation has already identified as a gap?

Not "does this solve the broad threat category of AI-driven attacks." Not "does this give us AI-powered detection." But specifically, does this map to something we know we need to fix in our environment?

The same filter applies to internal AI adoption. Two questions should come before anything else: what business risk are you accepting by giving AI agents access to your data, and is that access read-only, or can the agent execute actions? The risk profile of those two scenarios is dramatically different, and most organisations haven't explicitly defined which one they're operating under.
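The read-only versus can-act distinction is only useful if something enforces it. The following is an added example, not code from the podcast or from any agent framework, showing one way to make that decision explicit: every tool an agent can call is classified as read or write, a policy states which mode the agent runs in and which directory tree it may touch, and every decision is written to an audit trail. The tool names, the policy shape and the requests are assumptions constructed for illustration.

```python
"""Gate an AI agent's tool calls behind an explicit access decision.

Added example, not from the podcast or any vendor's product. The tool names,
the read/write classification, the policy shape and the sample requests are
assumptions chosen to make "read-only vs. can act" concrete.
"""
import os
from dataclasses import dataclass, field

# Which tools only observe state and which can change it. Anything not listed is denied.
TOOL_EFFECT = {
    "read_file": "read",
    "search_tickets": "read",
    "write_file": "write",
    "send_email": "write",
    "run_shell": "write",
}


@dataclass
class AgentPolicy:
    mode: str                        # "read_only" or "read_write"
    allowed_paths: tuple             # directory prefixes the agent may touch
    audit: list = field(default_factory=list)


def _path_allowed(path, allowed_paths):
    """Normalise before the prefix check so '..' cannot escape the allowed tree."""
    clean = os.path.normpath(path)
    return any(clean == p.rstrip("/") or clean.startswith(p.rstrip("/") + "/")
               for p in allowed_paths)


def authorise(policy, tool, args):
    """Return (allowed, reason) for one tool call and record the decision."""
    effect = TOOL_EFFECT.get(tool)
    if effect is None:
        decision = (False, "unknown tool")
    elif effect == "write" and policy.mode == "read_only":
        decision = (False, "write tool denied in read_only mode")
    elif "path" in args and not _path_allowed(args["path"], policy.allowed_paths):
        decision = (False, "path outside allowed tree")
    else:
        decision = (True, effect)
    policy.audit.append({"tool": tool, "args": dict(args),
                         "allowed": decision[0], "reason": decision[1]})
    return decision


def run_turn(policy, requests):
    """Apply the policy to a list of (tool, args) requests; return only the permitted calls."""
    return [(tool, args) for tool, args in requests if authorise(policy, tool, args)[0]]


# Constructed agent turn: two benign reads, one traversal attempt, two attempts to act.
REQUESTS = [
    ("search_tickets", {"query": "password reset"}),
    ("read_file", {"path": "/srv/docs/runbook.md"}),
    ("read_file", {"path": "/srv/docs/../../etc/shadow"}),
    ("write_file", {"path": "/srv/docs/runbook.md", "content": "updated text"}),
    ("send_email", {"to": "finance@example.com", "body": "Please approve the invoice"}),
]

if __name__ == "__main__":
    read_only = AgentPolicy(mode="read_only", allowed_paths=("/srv/docs",))
    for tool, args in run_turn(read_only, REQUESTS):
        print("permitted:", tool, args)
    for entry in read_only.audit:
        if not entry["allowed"]:
            print("denied:   ", entry["tool"], "->", entry["reason"])
```

In read-only mode the same agent turn yields two permitted calls: the traversal attempt is stopped by the path check, and both attempts to act (a file write and an outbound e-mail) are stopped by the mode. Switching the policy to read_write permits those two actions as well, which is exactly the change in risk profile the questions above ask an organisation to decide on deliberately rather than inherit from a default.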

What Security Leaders Should Do Differently

The practical takeaways from Spence's position are less about new tools and more about clearer thinking:

  • Lead with outcomes, not products. Define what your organisation needs to achieve before engaging with any vendor. Map tools to outcomes, not the other way around.
  • Treat vulnerability volume as noise, not signal. Build a prioritisation and remediation process. A thousand vulnerabilities managed systematically is less dangerous than ten vulnerabilities with no process behind them.
  • Ask the data access question first. Before any AI deployment, define what it can access and whether it can act on that access. That decision shapes your entire risk profile.
  • Consolidate rather than accumulate. The industry is moving toward fewer, better-integrated tools for good reason. Thirty security products that no one fully configures is not a security strategy.
  • Stay on the fundamentals. AI hasn't invalidated the NCSC's core steps. If anything, AI-driven threats make foundational hygiene more important, not less.

If you would like to find out more, connect with Oliver Spence on LinkedIn or visit Cybaverse.

Takeaways

  • Fundamentals of cybersecurity remain crucial despite AI advancements.
  • Resource constraints hinder effective AI security management.
  • Prioritise outcomes over tools to reduce complexity.
  • Focus on patch management and vulnerability remediation.
  • Secure APIs and data, not just new AI tools.