Legacy Security Flaws Pose Greater Risk Than AI Models, CTO Warns
CrowdStrike's chief technologist says unpatched vulnerabilities are now exploited in hours as attack speeds accelerate.
Corporate leaders fixated on emerging AI threats are missing a more urgent cybersecurity crisis, according to CrowdStrike's chief technology officer.
Elia Zaitsev delivered a pointed message to executives and boards: the greatest danger isn't which new AI model might be weaponized next. Instead, organizations face rapidly accelerating attacks targeting the accumulated stack of known security vulnerabilities—both recent discoveries and long-standing flaws that remain unpatched.
Why it matters
The window for responding to security threats has collapsed dramatically. Attackers can now exploit vulnerabilities within hours of discovery, with that timeline trending toward minutes. This speed advantage makes legacy security gaps far more dangerous than theoretical AI risks, fundamentally changing how organizations must prioritize their defense strategies.
The speed problem
The transformation in attack velocity represents a fundamental shift in the threat landscape. When adversaries can weaponize known vulnerabilities in hours rather than days or weeks, the traditional patch management cycle becomes dangerously inadequate.
This acceleration applies pressure across the entire security stack. Organizations carrying technical debt in the form of unpatched systems face exponentially higher risk as the exploit window narrows.
What executives should prioritize
Zaitsev's guidance redirects attention from speculative AI threats to concrete, actionable security hygiene. The massive accumulation of unpatched vulnerabilities—spanning both newly discovered flaws and older issues that organizations have deferred addressing—creates an attack surface that sophisticated adversaries can penetrate with increasing ease.
For boards and C-suites, this means shifting resources and attention toward:
- Accelerating patch deployment cycles to match attacker speed
- Addressing accumulated technical debt in legacy systems
- Implementing automated vulnerability management
- Measuring security posture by time-to-patch rather than just vulnerability counts
The message challenges a common pattern in enterprise technology discussions, where emerging threats often capture more attention and resources than fundamental security practices. While AI-powered attacks represent a real concern, they exploit the same underlying weaknesses that manual attacks target—just faster.
The boardroom disconnect
The gap between perceived and actual threats reflects a broader challenge in cybersecurity governance. Executives naturally gravitate toward novel risks that generate headlines, while the unglamorous work of maintaining security hygiene receives less focus despite offering more immediate protection.
Zaitsev's blunt assessment aims to recalibrate that attention, emphasizing that speed of exploitation matters more than sophistication of the attack vector when vulnerabilities remain unaddressed.
These details were first reported by Axios.
This is an original analysis by the Omega editorial team. Source reporting: AI Watch.