When it comes to cybersecurity talent, organizations have complained for years that there aren’t enough skilled practitioners to meet evolving needs. While it is true that the demand for cybersecurity experts is growing, it’s time we confront the hard reality that even if we flooded the industry with an army of experts, it would never be enough to truly stay ahead of attackers.
The solution to our cybersecurity challenges doesn’t rest in merely hiring more people; instead, it involves combining secure AI solutions with carefully crafted guardrails to aid us in improving cybersecurity at scale.
Is a Cybersecurity Workforce Shortage the Real Issue?
While cybersecurity’s workforce shortage is a well-covered issue, it only tells part of the story. In fact, the global cybersecurity workforce reached its highest levels, encompassing 4.7 million people, according to (ISC)²’s 2022 workforce study. Yet that’s still not enough, as that same study also found there’s still a need for more than 3.4 million security professionals. This would mark an increase of 25 percent from the 2.72 million security professional workforce shortage reported in (ISC)²’s 2021 study.
It’s clear the cybersecurity field can’t expand fast enough to meet its needs, but it’s also essential to distinguish between quantity and effectiveness. Simply having more professionals does not guarantee improved security outcomes. It’s not uncommon to see a single security scan of an application’s code produce anywhere from 100 to 1,000 vulnerabilities. Each one of those can take 30 minutes or more to properly analyze and decide if it even needs to be fixed. It’s clear that this process doesn’t scale.
The key lies in optimizing our approach to cybersecurity, making it more efficient and resilient in the face of evolving threats.
Security Alert Overload
The core issue isn’t solely about staffing shortages; it lies in the very security tools organizations are utilizing. Let’s consider vulnerability detection for a moment: According to a 2022 Cisco report, IT teams are finding themselves unable to fix all the vulnerabilities across their infrastructures, with an average of 55 new software vulnerabilities published every day in 2021. This overwhelming volume of vulnerabilities underscores the challenge, even with a fully staffed cybersecurity team that is expected to remediate on a weekly basis.
The report by Cisco’s Kenna Security also revealed that prioritizing vulnerabilities to fix is more effective than merely increasing an organization’s capacity to patch them. However, the report also highlighted that having both approaches can only achieve a 29-fold reduction in an organization’s measured exploitability.
The vast majority of security alerts generated by current tools can cripple an organization’s ability to respond effectively. It’s akin to trying to drink from a firehose. The sheer volume of alerts can overwhelm even the most skilled cybersecurity professionals, resulting in a backlog of unaddressed vulnerabilities. This backlog is a ticking time bomb, as hackers only need to exploit one vulnerability to breach an organization’s defenses.
How AI Can Solve the Cybersecurity Shortage
To effectively secure our digital assets, it’s time we shift our focus from a human-centered approach to one that embraces technology as a partner. This shift is not just necessary; it’s inevitable in our industry.
Generative AI, when combined with the right guardrails and security measures, is already having positive impacts. AI-powered technologies can rapidly analyze massive amounts of data in real time, prioritize resources and even fix issues at a pace and scale that would be impossible for humans to match.
This frees up skilled cyber professionals to focus on the more intricate tasks that demand critical thinking and decision-making, such as identifying malware and anomalies in logs. Time would be better spent evaluating potential vulnerabilities in the business logic, which cannot be automated and requires special skills, or doing proper threat analysis for existing and new features.
The adoption of AI in cybersecurity represents a shift in the industry’s approach to remediating things like vulnerabilities. It’s not about replacing humans; it’s about enhancing human capabilities with the power of machines.
The Human-Machine Partnership
Rather than viewing technology and automation as substitutes for human expertise, we should see them as complementary tools. The collaboration between humans and machines can leverage the strengths of both — the creativity, intuition, and contextual understanding of humans, coupled with the speed, scalability, and precision of machines. This synergy represents the future of cybersecurity.
In this partnership, humans provide strategic direction, security policies, guardrails, and nuanced decision-making, while AI handles the heavy lifting.
It’s important to remember that AI is still developing. AI technologies, and more specifically generative AI, lack the large classified data sets they need to be properly trained on. Coupled with the inference piece of their operation, this can lead to wrong conclusions that may seem reasonable to a non-expert user but will actually make the situation worse.
Together, AI and cybersecurity experts can create a formidable defense against cyber threats. This approach enhances security and strengthens things like threat analysis, policy development and management, and basic security hygiene.
Lack of Talent Is No Longer an Excuse for Vulnerability
The path ahead in cybersecurity is clear — we must embrace AI technology as an ally in our ongoing battle against cybersecurity threats. We can no longer use a lack of cyber professionals as an excuse for poor security practices. And hiring alone won’t solve our cybersecurity challenges.
The myth of an endless shortage of security professionals should be replaced with the reality of a future where human expertise and machine intelligence work hand in hand to safeguard our digital assets.
The belief that we can hire our way out of the cybersecurity challenge is a fallacy. It’s time to dispel this misconception and acknowledge that hackers will always stay one step ahead. The future of cybersecurity doesn’t hinge on the number of professionals we employ but on our ability to adapt and innovate in the face of an ever-evolving threat landscape.