Who remembers when a scraped knee in the playground was fixed with a wet paper towel? It didn’t cure anything, but somehow, it worked. Sometimes, a simple, familiar response to a messy problem is the best we’ve got.
Cybersecurity isn’t so different. For all the shiny tools and acronyms, much of what we do is still educated guesswork: using the best of our knowledge, experience, and instinct to keep systems safe. The latest topic everyone wants to talk about, of course, is AI and how it’s transforming security, the future, and how it will solve some of the world’s biggest challenges.
However, we need to keep a more balanced outlook on AI, because while it is doing incredible things to help us detect threats faster and analyse more data than ever, it’s also empowering attackers and cybercriminals.
AI has lowered the barrier of entry
Ten years ago, you needed a fair bit of skill to mount a credible cyber-attack. You had to understand networks, code, scripting, and a fair chunk of human psychology. Today, with generative AI, that’s no longer the case. In fact, a recent analysis found that over 80% of phishing emails now show signs of AI involvement, and AI-enabled attacks have risen by nearly 50% in the past year.
Now, anyone with curiosity and internet access can generate realistic phishing emails, deepfake videos, or fake voice messages convincing enough to fool even the most cautious employees. Need a script to test a network or find a vulnerability? AI will even write scripts to probe networks and suggest how to improve them, often with a polite warning to “use responsibly”.
This is where the “cyber tsunami” begins. AI is creating a wave of younger, less experienced, but highly capable individuals who can launch attacks at scale. The average age of a cybercriminal today is barely out of their teens, with 61% of hackers starting before the age of 16.
With thousands of AI-driven attacks flooding the landscape, volume has become the new sophistication and it’s harder than ever for defenders to spot the truly dangerous threats hiding beneath the noise.
The skills shortage in the age of AI
On the defence side of the fence, the situation isn’t much better. While attackers are multiplying, defenders are in short supply, in the UK alone nearly half of businesses admit they lack basic cybersecurity skills.
The rise of AI is exposing a deeper problem, that we don’t have enough trained professionals who understand how to create resilience against new threats. For years, the UK has focused on getting more people into cybersecurity. Apprenticeships and entry-level programmes have helped build pipelines of cybersecurity generalists, professionals with broad, foundational skills such as basic network security, password management, and compliance awareness. That’s been a vital first step, but it is not where the real shortage lies anymore.
What we’re missing now are the specialists; the analysts who can interpret AI-generated threat data, the incident responders who can manage complex breaches, and the policy experts who understand both regulation and technology. These are all roles that can’t be filled overnight as they require deep experience and continual upskilling, and current training models aren’t keep pace.
Why AI literacy is now a critical cybersecurity skill
We talk a lot about AI as if it’s something separate from cybersecurity, but the two are already intertwined. For example, modern intrusion detection systems, threat-hunting tools, and data-loss prevention solutions all use machine learning. However, the issue is that limited professionals are being trained to truly understand how these systems work, or how they can fail.
AI can only ever be as reliable as the data it learns from. If the data is flawed or manipulated, the system’s decisions will be too. Attackers know this, as they’re already experimenting with “data poisoning”, meaning they are feeding AI models misleading inputs so they can make wrong calls later.
That’s why AI literacy is becoming one the most critical skills for cybersecurity professionals. It’s vital that defenders understand where AI fits, when to trust it, and when to question it. If they don’t understand how the technology thinks, they can’t anticipate how it might be tricked.
The human factor still matters
For all the talk of automation, we should not forget that most breaches still come down to human error. A weak password, a misplaced click, a decision made in a hurry – AI can help reduce the noise, but it can’t remove people from the equation.
One of the most worrying trends is how easily bright, curious young people can drift into cybercrime. The barriers are gone, and AI gives them instant capability, whilst the anonymity of the dark web makes it feel like a game.
However, that same curiosity and technical talent can be redirected. I have seen it happen through ethical hacking training, apprenticeships, and skills-based learning – all tactics that can show people how to use those abilities for good. We have a responsibility, as educators, employers, and policymakers, to offer those legitimate pathways. Because for every 17-year-old experimenting with AI-driven attacks, there’s a potential cybersecurity analyst waiting to be inspired.
Final thoughts
AI is a powerful tool that can help both sides of the cyber battlefield. The next generation of cyber defence won’t be won by whoever has the flashiest tech stack, but by whoever has the best-trained people. Organisations that invest in developing AI-literate cybersecurity professionals will be the ones ready to meet the future.
Everyone in an organisation, from the CEO to the intern, needs to understand that security isn’t just the IT department’s problem, it’s everyone’s job. So yes, invest in AI. Use it to strengthen defences and make your team’s lives easier. But don’t assume it’s infallible, a tool is only as good as the person wielding it.
