When it comes to protecting the growing infrastructure at Polaris Alpha, CISO Eric Schlesinger believes in a people-and-processes approach over a tools-based approach. But five years from now, those priorities will likely shift.
“I believe that machine learning and AI are the future to security operations. An ‘artificial analyst’ can replace one or two full-time employees in the long run because it will make decisions based on patterns on the network… and take action for you,” Schlesinger says. The company has already invested in several “cutting edge” machine learning security tools in anticipation of these new capabilities, he says.
Those cyber professionals replaced by AI tools will likely move on to bigger challenges. At many companies, they’ll be retrained in more technical cyber skills to tackle threats from cloud platforms, IoT connectivity and the ransomware epidemic.
AI is just one of many factors reshaping cybersecurity careers in the next five years. While the number of unfilled cybersecurity positions will continue to increase – an estimated 1.8 million unfilled cybersecurity jobs globally by 2022, according to the Center for Cyber Safety and Education – those positions, and cybersecurity careers in general, will look different five years from now.
For starters, cybersecurity careers will become more scientifically based as sophisticated attackers pursue more deceptive channels, such as adversarial machine learning, subtle deepfakes, or small changes in training set data that intentionally bias algorithms, according to Steven Weber, director of the Center for Long-Term Cybersecurity at the University of California - Berkeley.
The proliferation of interconnected devices will require IT security teams to combine knowledge with operational teams, and enterprise digital transformations will require security positions to reside throughout the organization — on product development and customer experience teams.
Cybersecurity researchers and consultants offer snapshots of what the future holds for security careers.
Wanted: Technically advanced skills
Cloud security and the internet of things (IoT) are shaping the demand for cyber skills in the next five years, according to Alan Paller, director of research at the SANS Institute. More devices will become connected and incorporated into daily lives, and the opportunity for data breaches will increase. With 75 billion connected devices expected by 2025 that will capture and record data about consumers and organizations, according to Statista, more cyber workers will be needed who understand IoT connectivity and can monitor what data is collected and where there is opportunity for security risks.
Smart-technology programs in major cities pose another growing cybersecurity challenge. Most major cities have some form of smart-technology program, such as sensors that measure air quality, automated traffic-control systems and smart power grids that distribute electricity according to demand. Those connections give hackers more opportunities to break into city systems. Cybersecurity professionals working for state and local government will need knowledge in IoT devices and edge computing to understand how these devices are connected, what data they collect, and how that data is processed and stored.
Paller also expects a surge in demand for technically advanced forensic skillsets, such as application pen testers. Unlike system pen testers who make sure computers can’t be easily hacked, an application pen tester can figure out whether the applications can be fooled. “You have to know how the application works, too, which means you have to be a programmer as well as a networking and security person,” Paller says.
Ethical hackers and AI experts will also be in demand to test the security of organizations and to understand how hackers also use machine learning to identify vulnerabilities in their target’s systems.
Wanted: Cybersecurity in lines of business
Enterprise digital transformations are allowing innovation to be pushed out to all parts of the business, but security is often an afterthought. Going forward, new categories of jobs will emerge within lines of business, including security positions in product development, customer engagement and user experience, Weber says.
Security product managers, for instance, will identify and solve potential security issues with products in development, working with engineering staff, user interface teams, marketing and legal departments. These SPMs will also need knowledge of growing and changing privacy regulations to make sure that new products that gather data are compliant, Weber adds.
At the management level, expect to see more BISOs — business information security officers — throughout the organization. Many financial institutions already have BISOs within each core business unit, says Emily Mossburg, principal in Deloitte & Touche LLP and advisory and implementation services leader for Deloitte Cyber. “Some report directly up through the chain of command in the business unit, others report directly to the CISO. In many cases, there is some type of dual reporting with a solid line to one and a dotted line to the other.”
Wanted: Merging of IT and OT skills
Millions of devices now connect plant-level technology with business systems. This is already prompting a merging or sharing of security roles and skills in industries such as power, gas and manufacturing, Paller says.
Operational technology security is usually addressed at the plant level, but digital transformations will require sharing security responsibilities with IT. “They didn’t talk to each other,” he says. Going forward, “these industries will need security people that are experts in control systems, and control systems experts knowledgeable in cybersecurity.”
Wanted: An embrace of AI
AI is expected to take over many of the mundane tier-one security responsibilities and free up workers to tackle more pressing issues.
The State Department offers a glimpse of AI’s capabilities, Paller says. Every night, AI tools automatically scan and prioritize what needs to be done across all of security for 80,000 systems. In the morning, system admins know the top two or three things that need to be done. This still requires security professionals to perform the fixes, but the person who runs the vulnerability report and delivers it to the fixers is no longer needed.
“AI should be embraced, not feared,” says Phil Quade, author of the book, “The Digital Big Bang: The Hard Stuff, The Soft Stuff and the Future of Cybersecurity,” and CISO at Fortinet. AI will never take over all cyber jobs, but each layer of AI will make cybersecurity easier.
“The future cybersecurity heroes will be those who figure out how to integrate the results of machine learning and AI with human decision-making,” Quade says.
Wanted: More diversity
If done correctly, organizations will fill security positions with more diversity, Quade says — diversity of gender, race, background and experience. “That will help us create better cybersecurity solutions,” he says. Quade recalls one of the best cybersecurity analysts he worked with who came from an anthropology background. “The way he went about solving problems was amazing because he was trained in a different discipline, he says.” Another colleague formerly trained CIA agents.
“Some of these skills from a diversity standpoint are really instrumental because they help you understand how people work, what they do well and don’t do well, and that will allow us to use the technology to do what it does well, and augment the team with what the technology doesn’t do well,” he says.
Wanted: CISOs to drive a culture of security
Paller points to the ransomware epidemic and “the end of the compliance-complacency era” as an inflection point for new cybersecurity roles.
When ransomware attacks still manage to hit organizations despite glowing security reports, “there’s a realization by boards of directors that they’re going to have to pay more attention,” he says. They now recognize that meeting the minimum compliance standards doesn’t ensure that the organization is secure, he says. That elevates the security conversation to be less about checking boxes and more about risk.
Further, as cybersecurity becomes integrated further into all parts of the business, the CISO’s role and influence will help drive a culture of security throughout the organization, says Wesley Simpson, chief operating officer at (ISC)2.
“CISOs were really on their own island, and when something went wrong they had nobody with them,” Simpson says. “Now they’re going to have a whole organization behind them. They’re going to become core, common and central to the organization and the business. They’re going to be those tentacles out across all the different teams.”