As we scan headlines on our smartphones, we’re hit with an array of conflicting messages. Your new iPhone puts the world at your fingertips—but don’t use your banking app from a public wi-fi hotspot. That new tool will improve your visit to the dentist by streamlining your records—but all your personal information could be hacked. Technology opens new doors to connect, but is that Twitter follower a person or a bot?
It’s confusing and even a little troubling. And it’s no less troubling for cybersecurity professionals.
Risk & Opportunity
Emerging technologies create opportunities for cybersecurity professionals, but they also create risks. Bots and other artificial intelligence tools will widen the gap between what the risks demand and what the workforce can do to reduce those risks. Those same AI technologies may eliminate jobs rather than create them. The jobs that will emerge will look very different than the cyber jobs we see today.
The shortage of cyber-skilled workers is all over the news, but most of the coverage focuses on the here and now. New technologies will reshape the cybersecurity workforce in unforeseen ways. If we want to get ahead of the curve – or even catch up to it – we’ll have to rethink our approach to cybersecurity planning and operations. We need to understand how to use these new tools and how to prepare for the changes they will bring.
Supply & Demand
The supply statistics are harrowing.
Right now there are more than 285,000 cybersecurity job openings. According to the 2017 Global Information Security Workforce Study, the cybersecurity workforce gap will reach 1.8 million by 2022 – a 20% increase since 2015. And 49% of businesses believe that security will be a significantly higher priority in the next few years than it is today. Businesses are clearly worried that the need for cybersecurity professionals is growing much faster than the workforce can support.
Why the gap? At the enterprise level, explanations abound:
“Skilled cyber workers are hard to find.”
“Management doesn’t understand the threat posed by cyberattacks and dismisses it in favor of other priorities.”
“The burnout rate for cyber workers is significant.”
“There is no clear cybersecurity career path.”
Cyber needs differ across organizations, so there’s no single cause for the problem. More critically, there’s no silver-bullet solution.
We need to close this glaring gap, starting…yesterday.
Not only will the gap grow, it will grow in areas we’re not ready to address. Because threats continuously evolve and technology quickly grows obsolete, tomorrow’s cybersecurity landscape will look very different from today’s. Trying to address the current gaps in what we can do won’t work.
The demand is critical, because everyone is at risk. For every organization and individual who uses cyber technology – everyone from air traffic controllers to corporate executives to your mom checking Gmail – the threat is real.
Governments and other organizations are connecting more and more through technology. They’re using mobile technology, cloud services, IoT devices, and other platforms and endpoints that expand their networks, and expand their exposure to risk.
This means the technologies we depend on in our everyday life are at risk, too. The power grid, commuter trains, water supplies, cellular networks – all are vulnerable. In the rush to adopt new technology, it’s easy to lose sight of the need for thoughtful security policies and guidance. As we scan those headlines on our smartphones, we see the opportunities, but do we see the risks?
Criminals are seeing – and seizing – the opportunities.
Greater connectivity has often meant greater opportunity for cybercrime.
Cyberattacks are no longer the domain of a limited number of skilled individuals. Organizations face threats from nation-states, activists, and hobbyists. The “malware-in-a-box” phenomenon means technical know-how is no longer a barrier to entry. National borders or a lack of physical proximity aren’t barriers, either.
Cyberattacks no longer are only the concern of a few IT professionals and government officials. All businesses and individuals are potentially at risk and must care about protecting themselves. What we think of when we hear about the targets of hackers no longer lines up with who’s really at risk.
Big banks aren’t the only business targets. Cyberthreats are affecting small businesses, which may lack the resources to mount an effective defense. Half of all cyberattacks are against small businesses – a percentage that’s expected to rise in 2018. And 61% of small and medium-sized businesses experienced a cyberattack in the past year, up from 55% the prior year.
And consumers are directly at risk. The 2017 Equifax breach affected more than 145 million people – more than half the country. Email accounts and credit card data are frequent hacking targets. IoT devices that have become so commonplace we may not even know they’re there – in our homes, our city service systems, or the cars we drive – can be exploited to create new risks.
The Future of the Cyber Workforce
It’s clear that cyberthreats are more common and more serious, and that the workforce gap is only growing. What are we going to do about that gap? And how will emerging technologies shape the future of the cyber workforce?
To effectively address threats, we need to focus on the future. Too often, discussions about the cyber workforce revolve around recruiting and training new staff. Focusing on hiring is too slow, too rigid, and too limited. We need an approach that addresses tomorrow’s needs and uses tomorrow’s technology, not today’s.
We’re using AI to confront the cyberthreat landscape.
Artificial intelligence is the next big thing. AI and bots can perform automated technical tasks, leaving non-technical roles for humans. Bots and AI can provide efficient 24/7 cyber defense through anomaly detection and other capabilities without the need to hire dedicated staff. We’ve seen this trend toward automation in other fields, as organizations use technology and machines to reduce costs, improve efficiency, and address labor shortfalls.
Infosec laid the groundwork.
Information security tasks have been a testing ground for AI in cybersecurity. As the Internet, cloud services, and other technologies have matured and entered the mainstream, Infosec has become increasingly automated. Today, for example, anyone can set up a secure website and manage a firewall without hiring a cyber professional. But that hasn’t always been the case.
Experiences from the information security field can inform cybersecurity planning to help us understand what can and can’t be automated. This in turn will inform efforts to develop cybersecurity staff who are fluent in interacting with, supporting, and building on these automated processes.
Emerging technologies will disrupt the cybersecurity workforce.
Building an agile workforce and the vision to stay ahead of threats requires us to consider two seemingly contradictory ideas at the same time. The first is that there’s a labor shortage in cybersecurity. The second is that AI – and even data storage capabilities provided by blockchain and other platforms – will make some cybersecurity jobs obsolete.
It’s true that emerging technologies will eliminate some jobs in cybersecurity. But it’s equally true that labor shortfalls will continue, and that many cyber jobs require human attributes that bots can’t (yet) imitate. In our next post, we’ll explore some of these ideas.
In the meantime, we want to hear from you: how have AI and other emerging technologies shaped your experiences in cybersecurity, and your daily life? Share your thoughts in a comment below.