Endless waves of hacks, ransomware, malicious code, and insider abuse continue to invade our systems, applications, and services, and there is only one thin red line of defense keeping them at bay: cybersecurity professionals. These days, it seems intuitive that artificial intelligence could pick up a lot of cybersecurity's heavy lifting, detecting suspicious patterns and automatically quarantining or quashing the bad stuff.
If AI can play a major role in cybersecurity, what does this mean for cybersecurity professionals or those entering the field?
Also: From AI trainers to ethicists: AI may obsolete some jobs but generate new ones
So far, there's little to no impact on employment prospects -- it remains a booming employment field. Cybersecurity employment (information security analysts) is projected to grow 32% from 2022 to 2032, much faster than the average for all occupations, according to the Bureau of Labor Statistics. CyberSeek estimates there are close to 470,000 openings in cybersecurity jobs, but only 85% of openings are filled at this time.
Will cybersecurity jobs look the same a few years out, with AI subsuming many job roles and skill demands? Of 1,100 cybersecurity professionals surveyed by ISC2, 88% said AI will "significantly impact" their jobs in the next few years, and 35% stated that AI is already impacting their daily job functions.
"This is not a positive or negative measure, just recognition of the fact AI plays a role, be that dealing with AI-driven attacks, or working with AI-based tools such as automated monitoring applications and AI-driven heuristic scanning," the report's authors stated. "Add to the above those who believe that AI will impact their job in the near future, and we see that more than eight in 10 (88%) expect AI to significantly impact their jobs over the next couple of years."
Most cybersecurity professionals don't feel threatened by AI -- rather, they see it as a positive development, the ISC2 survey authors also observed. Overall, 82% agree that AI will improve job efficiency for them as cybersecurity professionals. That is countered by 56% also noting that AI will make some parts of their job obsolete.
"Again, the obsolescence of job functions isn't necessarily a negative, but rather noting the evolving nature of the role of people in cybersecurity in the face of rapidly evolving and autonomous software solutions, particularly those charged with carrying out repetitive and time-consuming cybersecurity tasks," the report added.
Also: AI's employment impact: 86% of workers fear job losses, but here's some good news
Tasks that can be handled by AI include analyzing user behavior patterns (81%), automating repetitive tasks (75%), monitoring network traffic for signs of malware (71%), and predicting areas of weakness in the IT estate (also known as testing the fences) as well as automatically detecting and blocking threats (62%).
Cybersecurity teams are already applying AI "in assessing authentication, usage, and access abnormalities," Rob Hughes, chief information security officer of RSA, told . "The jobs that are most at risk in cybersecurity are jobs where people are manually doing the same work that AI excels at, such as poring over logs and looking for anomalies." In this example, "the value you can bring is utilization of AI analysis to help locate those anomalies faster and with higher coverage," he added.
It's not likely that "there are specific skills in the cybersecurity field that will be fully usurped by AI and machine learning tools, as most tasks require human skills that we haven't seen from AI yet," Jose Selvi, executive principal security consultant at NCC Group, told .
Also: AI skills or AI-enhanced skills? What employers need could depend on you
Cybersecurity "will always need human oversight to train AI, contextualize its output, and secure it from attacks," Hughes said. "If you aren't using AI and becoming familiar with publicly available AIs and prompts today, definitely get started, find something that's useful and safe to use it for -- such as a policy draft or outline for a generic policy, and start thinking about where AI can help your work and where it can't."
AI "won't make cybersecurity jobs redundant, but any cybersecurity engineer not using AI assistance in their daily work might be completely out of the market in a few years," Selvi said.
"Those that can build, query, and manage AI technology will have a distinct advantage over those that cannot in the job market," Hughes agreed. "We'll see a similar transformation like we did when cloud technologies started to gain popularity over data centers. In cybersecurity, we need to start preparing now for what happens when AI becomes ubiquitous in every organization and on every device."
"New job roles emerging that are now surfacing in placement ads include AI security engineers and AI 'red teams,'" Selvi said. "Also, AI knowledge will be a desired skill in most security positions, and will even become a requirement at some point."
Also: Google survey: 63% of IT and security pros believe AI will improve corporate cybersecurity
There are also tried-and-true skills that will be in demand for the foreseeable future. "We have automated many tasks in this industry, for example, port scanning, but it is still useful that security professionals understand how those tools work under the hood," Selvi said. "They are skills that are still valuable in cybersecurity talent today, and we'll likely see something similar happen with AI-powered tools."
Cybersecurity core skills and related soft skills - "especially those around building a positive security culture and working well with the business -- are evergreen," Hughes said. "If you are doing well in your career now -- have a good broad-based knowledge and flexibility, you will likely find a place in the future job market."
Keeping up with developments as well as basic cybersecurity skills is essential for advancing in the field in the years to come. "A primary focus should be on identity security -- knowing how to authenticate who a user is, what they should have access to, why they need that access, and removing that access when the user leaves," Hughes said. "However, many cybersecurity analysts are failing to stay on top of this specialty."
More than half of security professionals in one RSA survey "could not accurately name the identity components needed to move to a zero-trust security model," Hughes related. "Nor were they able to pick the right tools for reducing phishing. There is a skills gap there that needs to be filled, and AI can make a big difference. Although Identity didn't make as big a splash with the media as AI, we are already in the Identity heyday today, and it can be a differentiator in the job market. Add AI capabilities on top of that, and you are building a strong foundational skillset."