As attackers wield artificial intelligence with increasing precision and scale, Sean Lim, Senior Vice President at EC-Council, is urging defenders to rethink cybersecurity. Information Security Buzz spoke with Lim, who has spent his career on the front lines of ethical hacking, talent development, and enterprise risk reduction. But now, he says, the game has changed, and only AI can keep up.
The Compliance Illusion
“Let me ask you something,” Lim said. “Are risks rising? Are losses rising? Are breaches rising? Of course they are. And yet, don’t we already have regulations? Don’t we have cybersecurity companies anywhere?”
The real problem, he argues, is a fundamental gap between what organizations think they’re doing and what’s actually protecting them. “It’s checkbox security,” he says. “Too many organizations think that doing the occasional pen test or risk assessment is enough. But it’s not.”
The Pen Test Problem
Lim points to traditional penetration testing as a prime example. He says that organizations often only conduct pen tests once a year, and only on a small subset of systems, chosen primarily based on budget or convenience. “You’re doing 20-30% of your environment, maybe, and getting a static report at the end. Meanwhile, attacks are evolving every day.”
The result? An expensive illusion of safety. “You spend all that money and, at the end, you get a list. But as an executive, you don’t even know where to start. You’re guessing.”
Fighting AI with AI
The emergence of AI-powered cyberattacks has only widened this gap. “You’re testing once a year, and AI has increased your exposure by a thousand times,” Lim says. “You will never have the budget to hire enough pentesters to keep up.”
That’s why Lim and EC-Council developed a system for continuous AI-driven pen testing, attack surface management, and threat validation. “It doesn’t rely on human availability. It connects to CVE databases, uses automated playbooks, and runs all day, every day, for the same budget.”
The platform not only finds vulnerabilities but also tests them to reduce false positives by up to 95%. “We tell the CISO where to spend their time and money. That’s what makes the difference.”
Training for an AI Future
However, this is more than just a technological shift. It’s an educational one, too. EC-Council is one of the world’s largest providers of pentesting training and certification, and under Lim’s leadership, it has fully embraced AI in its curriculum.
“We had to ask ourselves: are we cannibalizing our own business by automating pen tests? But the answer is no. We’re not replacing talent, we’re upskilling it.”
Rather than focusing on manual tasks like scanning and enumeration, trainees now learn how to leverage AI for faster, smarter results. “You still need to understand the theory, but we want you working at a higher level – being the planner, the strategist.”
Their certification programs now require 50% hands-on lab time, and exams are increasingly practical. “If you can’t get your hands on the keyboard and solve problems, you don’t pass. It’s that simple.”
Solving the Skills Gap – But Not Alone
But can this solve the cyber skills gap? Lim isn’t sure. “We’re heading in the right direction. But the attackers are evolving too. They’re smarter, faster, more creative. They’re not working 9-to-5. Their motivation is money, or, worse, world domination.”
Still, he believes AI-assisted education is a critical piece of the solution. “Without AI, you’re irrelevant. But with it, we give professionals a fighting chance.”
AI as a National Power Shift
For Lim, the implications of AI extend beyond business and into geopolitics. “The balance of power is shifting. It used to be military, then industrial, then economic. Now it’s AI.”
He warns of a new kind of digital colonization. Countries that can afford to train their workforces in AI will flourish. Others will fall behind. “We’re seeing massive investment in the Middle East and Asia. Billions. They know what’s at stake.”
AI or Obsolescence
Lim argues that the conclusion is unavoidable: “If you choose not to embrace AI, it’s suicide.”
He sees the future of cybersecurity not as a battle between man and machine, but between smart systems and smarter systems. “This isn’t about replacing people. It’s about equipping them. Empowering them. And most of all, keeping them relevant.”
Josh is a content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.


