AI: Not the Cure-All for IT Security Skill Shortage

Business leaders who believe artificial intelligence and machine learning will help alleviate what is soon expected to be a 1 million-plus shortfall in skilled security pros may want to rethink that idea.

Cybersecurity has quickly become a top use case for the rapidly expanding AI field, both for its capabilities to help businesses protect themselves from the growing number of increasingly sophisticated attacks and breaches as well as enabling companies to automate some of the cybersecurity jobs and mitigate what's widely expected to be a large shortfall of skilled IT security workers. ISC(2) is predicting that by 2022, the shortfall globally will reach 1.8 million workers.

At the same time, businesses are embracing AI and machine learning for their cybersecurity efforts.

(Source: Qimono via Pixabay)\r\n

By 2020, 60% of the Global 2000 businesses will use AI-based security, according to IDC analysts, and a MarketsandMarkets report is predicting that spending on AI security will reach $34.8 billion by 2025, a 31.4% increase over spending in 2017. And despite the rising need for skilled IT security professionals, AI will replace some of the security jobs now being done by humans, including security analysis, intrusion detection and vulnerability assessment. (See AI Is Stealing These IT Security Jobs – Now.)

But while automation that will come with AI and machine learning will replace some of those lower-skill security tasks like 24/7 monitoring and threat hunting, it actually will increase the shortage of skilled IT security personnel, according to a report by security platform vendor DomainTools and the Ponemon Institute. Automation may replace those tasks, but that will only increase the need for workers with more advanced skills, according to the report, "Staffing the IT Security Function in the Age of Automation," in which more than 600 IT and IT security professionals were surveyed.

Security skills in an age of automation
"While the majority of respondents believe that automation will improve the IT security staff's ability to do their jobs, it's because it will replace tasks like log analysis," Tim Helming, director of product management at DomainTools, wrote in an email to Security Now. "This leaves more time for the advanced staff to tackle more serious vulnerabilities and overall network security. More than three quarters of the respondents say that the use of automation in cybersecurity will not lessen the need for skilled IT security personnel. The fact is, no matter how sophisticated automation technology becomes, it will never replace human intuition and hands-on experience."

The data in the study indicated that highly-skilled IT security people are in short supply, Helming wrote. As humans are called upon to do even more advanced IT jobs, there will be more pressure on businesses to find people with such skills. Seventy-five percent of respondents said their InfoSec staffs are not only understaffed, but they are having difficulties finding qualified candidates to fill those jobs. In addition, 76% report that the use of tools and services leveraging AI and machine learning will only increase the problem by heightening the demand for more high-skilled people.

Only 23% report that automation will mean a reduction in their IT security staff. Forty-four percent said the use of automation tools will increase their need to higher people with greater technical skills.

The predicted increase in the shortage of IT security people has been talked about for several years, and now there is a growing concern that the increasing use of AI technologies for cybersecurity programs and IT in general will lead quickly to a shortage of AI skills. Hyperscale cloud providers like Google, Microsoft and Amazon Web Services also are cranking up their AI and machine learning capabilities, including in the area of security. (See Cybersecurity AI: Addressing the 'Artificial' Talent Shortage .)

According to the results from the new survey, which was released May 1, 41% of respondents said their inability to find the skilled people to staff their security programs has led to an increase in the investment of automation tools. Still, only 26% said they currently use such tools for cybersecurity, and 15% said AI is a trusted security tool in their companies.

The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth-annual Big Communications Event. There's still time to register and communications service providers get in free!

New skills
However, while many companies expect automation will increase the need to higher more people, most say such tools will improve their staffs' ability to do their job. Sixty-eight percent of respondents report that their IT security personnel will be able to focus on more serious threats and overall network security, while many of the jobs that AI will automate are time-intensive that are mission-critical but not a good use of staff time.

In addition, 36% said automation will reduce human error.

The key for companies in this time of automation -- where AI and machine learning will replace some tasks but lead to a greater demand for higher skilled workers -- is to find ways to attract and retain talent in a tight market, according to DomainTool's Helming. The study's authors noted that offering better compensation and a career path are keys to getting and keeping talent. The survey found that only 24% of respondents said their companies see IT security as a career path and 39% said their organizations' compensation packages are enough to attract top people.

A little over half -- 52% -- typically promote from within.

Given the "dichotomy" of more automation leading to the need to hire more people, "we are advocates of on-the-job training and continuous education," Helming said.

Companies also said IT professionals need a combination of technical skills as well as "soft skills" -- such as a good work ethic, creative problem solving, dependability and being a team player.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.