AI-Driven Development Fuels New Vulnerabilities


In the past several years, AI has gone through massive growth, rapidly expanding in capabilities, popularity, and reach. This has led to an explosion of AI-driven development and faster release cycles, but it has also inadvertently introduced new classes of security flaws and accelerated the spread of existing ones.

Crowdsourced cybersecurity platform Bugcrowd occupies a unique position in its ability to act as a lens into attacker and researcher behavior. A recent report from Bugcrowd, Inside the Mind of a CISO: Resilience in an AI-accelerated World, explores insights from security experts and leaders in order to provide a detailed look into the security challenges and recommendations of 2025.

Key Findings from the 2025 Report

The Bugcrowd report contains data that security experts can use to inform their decisions in a modern digital landscape. It shows an 88% increase in hardware vulnerabilities, driven by the proliferation of IoT systems, highlighting the dire need for diligent security measures in these environments. The report also shows a 36% rise in broken access control vulnerabilities, making them now the most common type of vulnerability.

Bugcrowd also reports a 42% increase in sensitive data exposure, 10% increase in API flaws, a doubling of network vulnerabilities, and a 32% rise in payouts for critical vulnerabilities. This data reflects higher stakes and greater attacker incentive to exploit these vulnerabilities, making it more important than ever to take steps to defend against such attacks.

AI’s Double-Edged Sword

The AI explosion has brought a number of conveniences and enhanced capabilities to many areas of business and personal life, but it has done the same for cyberthreats. The acceleration of technological innovation has also been accompanied by a widening attack surface and the emergence of risks that either naturally arise from popular use of newer technology or occur when bad actors deliberately take advantage of those flaws.

Tools and practices like AI-assisted coding introduce systemic risks that are less likely to be caught by developers. Among other things, using AI to help with coding means that human developers are not necessarily closely reviewing the code for issues that can lead to security vulnerabilities in software. The combination of speed, complexity, and oversight gaps contributes to increased dangers and security flaws in the AI era.

The Changing Role of the CISO

The role of the CISO in a company is evolving and growing as technology and cyber threats change the way security must be approached. It is more important than ever to strike the right balance between deep technical expertise and board-level alignment. It is also crucial to ensure that tactics evolve to build organizational resilience in an AI-accelerated world. “Business-first” security framing is becoming essential in today’s organizations as economic instability and shifting priorities make it more difficult for boards to justify security investments.

Now as in the past, the responsibilities of a CISO include developing and maintaining priorities regarding their operations. “The CISO persona is a necessary part of the broader business conversation and can be a valuable mouthpiece; however, public-facing ‘figurehead’ obligations cannot interfere with the CISO’s primary responsibility, which is defending the business against cybersecurity-based threats in the most proactive manner possible,” says Bruce Jenkins, Chief Information Security Officer at Black Duck.

Path Forward: Building Resilience

Building resilience in the face of increasing vulnerabilities and advancing threats requires collaboration and cooperation across the public and private sectors. It is vital to foster collective intelligence through bug bounty and researcher ecosystems. In order to keep security practices ahead of rising flaws and risks, it is essential to integrate vulnerability insights into the secure development lifecycle.

“As CISOs, we should be inventorying all agents, MCP servers, and connected tools and datasets, integrating least-privilege design into agentic workflows, and monitoring agents for tool misuse,” according to Diana Kelley, Chief Information Security Officer at Noma Security, who also notes that testing for operational resilience “requires implementing continuous offensive testing and in production monitoring to validate defenses, especially for AI and agentic systems which are more dynamic than traditional software.”
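The least-privilege and tool-misuse monitoring controls Kelley describes can be made concrete with a policy gate that sits between an agent and the tools it is allowed to call. The following Python is an added example written for this article, not code from Bugcrowd, Noma Security, or the original post: each agent gets an explicit grant of tools and of the argument shapes it may pass, every call is logged as a JSON audit line, and repeated denials surface the agent for review. The agent names, tool names, policies, and the sequence of calls are all constructed for illustration.

```python
"""Least-privilege tool gate for an agent workflow, with misuse monitoring.

Added example (hypothetical agents and tools), not the article's or any vendor's code.
"""
import json
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ToolPolicy:
    """Least-privilege grant for one agent: which tools, and which argument shapes."""
    allowed_tools: frozenset
    # tool -> {argument name -> list of regexes the value must fully match}
    arg_constraints: dict = field(default_factory=dict)


@dataclass(frozen=True)
class GateDecision:
    agent: str
    tool: str
    allowed: bool
    reason: str


class ToolGate:
    """Sits between an agent and its tools; every call is checked and logged."""

    def __init__(self, policies):
        self.policies = policies
        self.audit_log = []   # JSON lines, one per decision, for the SOC to ingest
        self.denials = {}     # agent -> number of denied calls

    def check(self, agent, tool, args):
        policy = self.policies.get(agent)
        if policy is None:
            decision = GateDecision(agent, tool, False, "unknown agent")
        elif tool not in policy.allowed_tools:
            decision = GateDecision(agent, tool, False, f"tool {tool!r} not granted")
        else:
            problem = self._check_args(policy.arg_constraints.get(tool, {}), args)
            decision = GateDecision(agent, tool, problem is None, problem or "ok")
        self._record(decision, args)
        return decision

    @staticmethod
    def _check_args(constraints, args):
        # Deny by default: arguments the policy never declared are rejected,
        # and declared ones must fully match one of their allowed patterns.
        for name, value in args.items():
            patterns = constraints.get(name)
            if patterns is None:
                return f"unexpected argument {name!r}"
            if not any(re.fullmatch(p, str(value)) for p in patterns):
                return f"argument {name!r} outside allowed shape"
        return None

    def _record(self, decision, args):
        self.audit_log.append(json.dumps({
            "agent": decision.agent, "tool": decision.tool, "args": args,
            "allowed": decision.allowed, "reason": decision.reason,
        }, sort_keys=True))
        if not decision.allowed:
            self.denials[decision.agent] = self.denials.get(decision.agent, 0) + 1

    def suspicious_agents(self, threshold=2):
        """Agents whose denied-call count reached the threshold (a misuse signal)."""
        return sorted(a for a, n in self.denials.items() if n >= threshold)


def build_gate():
    # Constructed policy: the support agent may only read tickets by id and
    # search the knowledge base; it is never granted a delete capability.
    policies = {
        "support-bot": ToolPolicy(
            allowed_tools=frozenset({"read_ticket", "search_kb"}),
            arg_constraints={
                "read_ticket": {"ticket_id": [r"TCK-[0-9]{6}"]},
                "search_kb": {"query": [r"[^\n]{1,200}"]},
            },
        ),
    }
    return ToolGate(policies)


# Constructed sequence of tool calls: one legitimate, then four policy violations.
CONSTRUCTED_CALLS = [
    ("support-bot", "read_ticket", {"ticket_id": "TCK-000123"}),
    ("support-bot", "read_ticket", {"ticket_id": "TCK-*"}),
    ("support-bot", "delete_ticket", {"ticket_id": "TCK-000123"}),
    ("support-bot", "read_ticket", {"ticket_id": "TCK-000124", "include_pii": True}),
    ("unregistered-agent", "search_kb", {"query": "refund policy"}),
]


def simulate():
    gate = build_gate()
    decisions = [gate.check(agent, tool, args) for agent, tool, args in CONSTRUCTED_CALLS]
    return gate, decisions


if __name__ == "__main__":
    gate, decisions = simulate()
    for line in gate.audit_log:
        print(line)
    print("flagged for review:", gate.suspicious_agents())
```

The gate enforces the grant rather than trusting the model's judgement: a tool outside the allowlist, an undeclared argument, or an identifier that does not match the expected shape is refused before the tool runs, and the audit lines give detection engineering a consistent record to alert on. The denial threshold is deliberately low here; in production it would be tuned per agent and paired with rate limits on the tools themselves.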

Conclusion

It is essential for security experts to develop an understanding of modern and evolving technologies and their impact on the threat landscape. As the AI explosion leads to exponential growth of threat surfaces, security experts and developers must also seize rising opportunities to harness collective defense. A resilient CISO strategy in a constantly evolving technology and threat landscape should balance AI-enabled speed with rigorous, continuous security validation.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.