The shortage of professionals highly skilled in cybersecurity should surprise nobody. Thanks to high-profile hacks on major corporations such as Target, companies are desperate for workers who can detect and patch vulnerabilities in their systems.
Despite that demand, however, the days when security professionals could routinely demand top dollar may soon be coming to an end.
While efforts such as the Cybersecurity National Action Plan (initiated by President Barack Obama) may increase the total number of tech pros skilled in security, machine-learning algorithms and sophisticated A.I. systems may eventually eliminate many of the security tasks now performed by human beings. The end result won’t be the total elimination of security specialists; rather, individual professionals may find themselves tasked with far more responsibilities than ever before, aided by automated systems.
Jim Ambrosini, a managing director at the accounting firm CohnReznick Advisory (which specializes in cybersecurity), believes that security professionals’ rising salaries are a challenge for organizations. “It reminds me of the days when finance guys hopped between hedge funds every six months,” he said. “The [budgets] of most organizations are not designed to counter those kinds of offers.”
To cope with that hiring climate, Ambrosini continued, organizations are either relying more on security products that incorporate machine learning, or else signing on with a managed-services provider that offers a security package.
Both approaches have received a good deal of funding in recent years. IBM, for example, has promised to deliver security intelligence software that makes use of the IBM Watson analytics platform to identify patterns of security attacks. Cisco, meanwhile, recently moved to integrate threat-intelligence services with its firewalls. The goal in both cases is to identify a potential threat before it’s launched and automatically thwart it with the right set of security policies.
Kaspersky Lab, a provider of anti-virus software, recently introduced its first set of IT services that use analytics and machine learning to augment internal security staffs. “In some ways it becomes a game of escalation,” said Michael Canavan, vice president of enterprise engineering at Kaspersky Lab North America. “The threats are getting more sophisticated so we need to be able to respond.”
Nor has this shift to automation been lost on venture capitalists, who are pouring money into cybersecurity startups that make extensive use of analytics and machine learning.
Startup vendors such as PatternX combine machine-learning algorithms with anomaly-detection software to enable security analysts to identify more threats. PatternX CEO Uday Veeramachaneni insists this offering isn’t intended to replace security analysts so much as augment the capabilities of the few security analysts an organization can actually afford to hire: “The goal is to change the economics of security… But there will always be a need for a security analyst to make sense of it.”
It may take a while for all these advanced security technologies to find mainstream adoption. That doesn’t mean that unfilled security jobs will be eliminated anytime soon. But it’s also clear that the role of security analysts will evolve: with analysis automated, they won’t need to spend so much time collecting data in hopes of identifying an attack pattern.
Security professionals will still be needed to identify false positives and figure out an appropriate level of defense. While they’ll continue to command high salaries for the immediate future, demand could potentially slacken as IT defenses become more automated.