Spend a few minutes talking to security professionals and the mood is pretty consistent. Nobody sounds relaxed. It is not panic, but it is definitely pressure. New research from Storyblok puts hard numbers behind that feeling, and the results make it clear why so many teams feel stretched thin.
Storyblok surveyed 300 senior security professionals at medium to large companies, all in leadership or decision making roles. Nearly all of them reported dealing with security incidents as a regular part of business. Ninety percent said their organization experienced at least one security incident in the past year. That makes breaches feel less like emergencies and more like an expected cost of doing business.
The pace is just as concerning. Seventeen percent said they deal with security incidents at least once a week. Another 32 percent said incidents happen monthly. Only ten percent said they made it through the past year without a single incident. When incidents are that common, it becomes harder to treat each one with the urgency it deserves.
AI is clearly adding fuel to the fire. Fifty nine percent of respondents said AI being exploited by malicious actors is their top security concern. Attackers now have access to tools that make phishing, malware creation, and reconnaissance faster and cheaper. Security teams are well aware that the balance of power is shifting.
That awareness is driving calls for change. Sixty five percent of respondents said they need to rapidly upgrade security monitoring and threat detection because of AI related risks. More than half said identity and access management is becoming more complex, while half said stronger data protection and privacy controls are required. AI is not a side issue anymore. It is changing how security needs to function across organizations.
The problem is that many companies feel stuck. Fifty percent cited a lack of qualified security experts as the biggest barrier to improving security. Legacy technology was close behind, with 46 percent pointing to the complexity of older systems. Regulatory uncertainty followed at 45 percent, with budget limitations not far behind. Even when leadership agrees security needs improvement, execution is not simple.
Website security remains another pressure point. Only 49 percent of businesses said they feel fully prepared for a security incident. Thirty nine percent said they experienced a security issue that impacted their content strategy in the past year. That highlights how security problems can spill beyond IT and directly affect publishing, marketing, and daily operations.
Looking ahead, businesses say data encryption and privacy should be the top priority for website security investment. User authentication and access controls follow closely. AI powered security tools are also gaining attention, even as AI itself is seen as a major risk. Many teams seem to believe defensive AI may be necessary to counter offensive AI.
Traditional threats are still very much alive. Hackers and malware were cited as the top overall risks, followed by employee human error. AI introducing new risks came close behind. Security teams are not replacing old problems with new ones. They are dealing with all of them at once.
AI specific risks add another layer of concern. Respondents pointed to hackers using new AI tools, protecting data used or generated by AI, and compliance risks tied to AI as major challenges. For many organizations, the rules around AI are still unclear, but the exposure already feels real.
Security concerns are also shaping broader business decisions. Sixty percent said scaling security operations alongside company growth is a major challenge. Handling employee and customer data across borders and working safely with new vendors also ranked high. Security is no longer something that quietly runs in the background. It can slow expansion and partnerships.
Despite all of this, confidence remains oddly high. Seventy six percent of respondents rated their organization’s security as above average, while only five percent admitted it was below industry standards. That confidence feels out of sync with the reality that nine out of ten experienced a security incident in the past year.
Storyblok CEO Dominik Angerer addressed that disconnect directly, saying:
“It will not come as a surprise to many that new threats from AI are top of mind for security professionals. However, recognising the problem and adapting to it are very different propositions. Our research shows that legacy systems, skills shortages and outdated websites are all areas of vulnerability for many businesses. This goes beyond the immediate potential damage of a hack but also hinders day to day business operations like content strategies, as well as long term strategic goals, such as scaling internationally.”
He also added:
“On one hand the vast majority of professionals say that their security operations are above average, on the other 90 percent say they have had at least one security incident in the past year. Complacency is a real risk factor. This is why it is critical that businesses look at upgrading their tech infrastructure as both a commercial and a security necessity.”
Looking three to five years ahead, respondents expect AI usage to remain the top source of new security risk. Cloud adoption, multi cloud complexity, and expanding global compliance requirements follow closely. None of those trends show signs of slowing.
The takeaway is not that security teams are asleep at the wheel. If anything, they are overwhelmed. When incidents become routine, the real danger is complacency. In an AI driven threat environment, treating breaches as normal background noise is risky. Upgrading security infrastructure is no longer just an IT project. It is a business requirement, whether companies are ready for it or not.
