The security industry's attention crisis

by Black Hat Middle East and Africa

Explore our weekly delivery of inspiration, insights, and exclusive interviews from the global BHMEA community of cybersecurity leaders.

Build cyber resilience with the global Black Hat MEA community – in your inbox every week. 

This week we’re focused on…

Attention. 

In 1971, economist and Nobel Prize winner Herbert Simon wrote a sentence that feels as though it was written for the age of AI:

"A wealth of information creates a poverty of attention."

Simon was writing decades before cloud computing and LLMs. But his observation captures a challenge at the centre of modern security.

As an industry, we’ve spent years investing in more telemetry, more intelligence feeds, more sensors, more alerts – to gather more information that can help us make better decisions. 

But a side effect is that security teams are now surrounded by information – and struggling to focus attention where it’s really needed.

That thought kept returning to us while reading two reports this week. 

  • One came from Anthropic, examining how malicious actors are using AI systems.
  • The other came from HiveWatch, exploring the state of physical security operations.

They cover different corners of the security world, but they both point towards the same underlying trend: security is entering an era of abundance.

Knowledge is becoming abundant 

The Anthropic report offers a glimpse into how threat actors are interacting with generative AI. We covered the findings in more detail on the blog, but here are the key stats: 

  • 67.3% of banned malicious accounts used Claude for malware-related activities.
  • Researchers observed a significant increase in the proportion of medium-risk and higher-risk actors over the course of the study.
  • More advanced techniques appeared with greater frequency as the year progressed.

The discussion around AI in cybersecurity tends to focus on capability; on whether these systems can write malware, or support phishing campaigns, or help attackers operate more efficiently. 

And those questions are important – but the report brings up a different issue. Technical knowledge has become easier to access than at any point in history. 

Until recently, you had to be seriously dedicated if you wanted to acquire offensive security skills. An aspiring attacker might spend months or years experimenting with tools and learning through trial and error. Today, much of that learning process can be accelerated through an AI-assisted conversation.

The economics of knowledge have changed.

Expertise used to exist behind barriers of time and effort. Those barriers are becoming lower.

Data is becoming abundant 

The HiveWatch benchmark study points towards a parallel development in physical security.

We explored the findings on the blog this week, but several figures immediately catch the eye:

  • Organisations receive an average of 342 alarms every day.
  • False positives account for 32.5% of alarms.
  • Among organisations with more than 1,000 employees, false positives rise to 44%.
  • Nearly every respondent is either using AI today or evaluating it for future deployment.

Physical security teams are operating in environments filled with a growing number of connected devices, cameras, sensors and monitoring platforms. Every system generates data. Every data source creates additional demands on analysts and operators.

So instead of just visibility, the challenge now is interpretation.

Cybersecurity teams have wrestled with this problem for years. Physical security teams are now confronting many of the same operational realities: more alerts, more data, and a growing need to identify what genuinely needs attention.

The real constraint is human attention 

If you look at these reports together, you can see a shift that extends far beyond AI or physical security. 

For much of our history, information was scarce. Today it’s plentiful – we have access to vast volumes of information, knowledge and alerts. 

But human attention is still limited. 

And that limitation is a risk within security operations. Every alert competes for an analyst's time; intelligence feeds compete for attention; dashboards compete for focus. 

This helps explain why AI has become such a prominent theme across all areas of security (including physical). It offers a way for humans to navigate abundance. 

Organisations are trying to solve the problem Herbert Simon identified more than fifty years ago.

Choosing what to ignore 

It’s still true that you can’t defend what you can’t see – visibility is essential. 

But now you also have to figure out what to ignore. And organisations need to become exceptionally disciplined about filtering information and protecting the attention of their teams.

The security industry has become very good at creating information. Now, we need to learn how to live with it. 

We want to know what you think 

Open this newsletter on LinkedIn and tell us in the comments: what advice would you give to a novice cybersecurity practitioner, to help them cultivate the skill of attention?
