AI is coming, and will take some jobs, but no need to worry
December 6, 2016 | CSO
The capabilities of artificial intelligence and machine learning are accelerating, and many cybersecurity tasks currently performed by humans will be automated. There will still be plenty of work to go around so job prospects should remain good, especially for those who keep up with technology, broaden their skill sets, and get a better understanding of their company's business needs.
Cybersecurity jobs won't go the way of telephone operators. Take, for example, Spain-based antivirus company Panda Security. When the company first started, there were a number of people reverse-engineering malicious code and writing signatures.
"If we still were working in the same way, we’d need hundreds of thousands of engineers," said Luis Corrons, technical director at PandaLabs.
Instead, the company's researchers created tools that do most of those jobs.
"That means that nowadays we only have to take a look at a tiny portion of the new malicious code that shows up every day -- more than 200,000 new malware samples per day. I cannot imagine how we could do our main task, protecting our customers, without AI."
Does that mean that hundreds of thousands of engineering jobs have been destroyed? Of course not, he said.
"Being realistic, no company could afford that," he said.
In fact, AI has actually created new jobs, he said, including those of improving internal systems and creating news ones, and jobs for mathematicians applying AI to those systems.
"I get asked a lot by parents and college students about where they should be focusing, and security is where I think there are a lot of opportunities," said Karin Klein, founding partner at Bloomberg Beta, Bloomberg's venture fund that invests in early-stage tech companies.
There's a great shortage of talent in the industry, and a growing need for security professionals, she said.
AI tools will put more power in your hands
AI promises to automate repetitive tasks and those that require the processing of large amounts of information.
But the industry needs that, since there's too much for humans to process on their own.
"It's more about augmentation rather than automation," said Klein.
That's been a common theme for the cybersecurity companies she's been investing in, she said, adding that she is very optimistic about what the AI technology will bring.
"It's going to help that over-stressed IT guy who is trying to manage everything," said Dale Meredith, author and cybersecurity trainer at Pluralsight. "It's going to help him have more time to look at what's important for the company."
AI is just another tool, he said.
"And it's coming along at the right time," he added. "Think of the amount of data we have now compared to just five years ago."
New technologies, like the Internet of Things, promise to generate even more data, said Jason Hong, a professor in Carnegie Mellon's School of Computer Science and an expert in AI and cyber security.
“We're still going to need people to lead, decide, and get things done.” Peter Metzger, vice chairman and cybersecurity and business risk expert at DHR International. "Almost every aspect, every dimension of society now relies on computers, and the need for security keeps on growing," he said.
That will allow individual analysts to do more than they can today, and do it more effectively.
"In the near term there are still plenty of positions and not enough professionals," said Bryan Ware, CEO at Haystax Technology. "But over time, AI will allow analysts to be more productive, automating low level tasks and intelligently alerting the analyst."
For example, better AI will make it easier for security professionals to sort through mountains of noise to find actual indicators of compromise, said David Campbell, CSO at SendGrid, a Denver marketing company that suffered a breach last year.
"AI will help speed the identification and prediction of security breaches," he said. "This will bolster career prospects for security professionals that are adept at divergent thinking, and limit career prospects for more traditional SOC analysts that respond to alerts without considering the larger picture."
With AI automating out the horrible, routine, cutting-and-pasting jobs, most of the growth in the cybersecurity profession will be in forensic investigations, said Kris Lovejoy, CEO at security firm Acuity Solutions.
That may require additional training, she said -- not necessarily a full university course, but something like a SANS training program.
"The security field currently requires lots and lots of manual labor," she said. "You've got folks doing either very entry-level jobs, almost IT administration, and very sophisticated folks with lots of education spending 80 percent of their time waiting for something to load."
That gets frustrating and burns people out. With automation, the jobs are going to become more interesting -- and there might be less churn in the profession as a result, she said.
There will also be new job opportunities when it comes to properly deploying AI tools.
"AI isn't free," said Haystax's Ware. "Many techniques require significant algorithm training, data mark up, and testing that has to be done by humans."
The care and feeding of AI also involves ensuring that the AIs have highly available, highly secure infrastructure on which to run, said David Molnar, IEEE member and senior researcher at Microsoft.
"Highly available infrastructure because if the AI stops, the business suffers," he said. "Security, because if the AI gets bad data or the AI is hacked, then the business makes bad decisions."
The CSO's job will increasingly be about protecting the AI's role in business, and understanding the processes around the AI.
And the CSO might also need to act as a mediator between the AI and the rest of the company.
"To establish legitimacy for an AI driven decision, the CSO must help the rest of the business leaders advocate and explain that process to the world," he said. "It isn’t going to be easy, but it will put the CSO at the heart of every business."
Finding ways to apply AI to a business will also require a different way of thinking.
"A successful AI strategy requires very multi-disciplinary skills," said Hossein Rahnama, CEO and founder at Flybits, and a visiting scholar at the Human Dynamics group at the MIT Media Lab.
"Many AI experts are very much siloed in the past, and lack the experience of communicating business use cases. Translating AI research into business value is something very important."
To get training in this area, he recommends looking at programs that combine a foundational understanding of AI with an understanding of public policy implications.
"There are a number of universities working on programs directly addressing those needs," he said. "Stanford is looking there, and there are some interesting initiatives at MIT."
There are also learning opportunities available beyond traditional colleges and universities and training institutes, said Kunal Anand, CTO and co-founder at security firm Prevoty.
He recommends attending conferences around machine learning and data science, and subscribing to blogs and mailing lists.
"And look at open source projects," he added. "The best way to learn is to build."
Security analysts typically don't have to write new code at their jobs. But there could be more opportunities to do that in the future.
"Learn to code," said SendGrid's Campbell. "Professionals seeking careers in security will need to be able to code in order to be successful."
He suggested languages like Python, Ruby and Node.js.
"Being able to code and interpret these languages will help career prospects differentiate themselves and provide greater value for organizations looking to automate security tasks," he said.
On a higher level as well, security professionals can help improve their companies' software. Automated tools can spot common vulnerabilities, but it takes a human to understand logical flaws, said Giovanni Vigna, co-founder and CTO at Lastline.
"For example, the fact that a coupon in an e-commerce application should be applicable only once is something that is immediately obvious to a human," he said.
That might not be, strictly speaking, a technical vulnerability, but it is a security issue, and requires human judgment, and imagination, to understand.
"No amount of AI would allow a program to understand what a program does in every case," Vigna said. "It’s actually a fundamental theorem of computer science, called 'The Halting Problem'."
Computers will also lag behind in leading and innovating, said Peter Metzger, vice chairman and cybersecurity and business risk expert at DHR International, an executive search firm.
"We're still going to need people to lead, decide, and get things done," he said.
Providing business value
As the routine tasks get automated, humans will be able to focus on making strategic, values-driven decisions.
That will require a true understanding of the business, and how that is intertwined with technology, said Diana Kelley, global executive security adviser for IBM Security.
"I recommend that cybersecurity pros beef up their 360-degree skills," she said. "Get an understanding of the business, an understanding of the stakeholders in their work."
That could involve in working closely with the legal department and understanding what they do, or helping with media outreach or marketing.
"This is extremely challenging and difficult," she said. "But to be valuable, you need to understand how people are interacting with their technology. Cybersecurity is a very fascinating area that is very horizontal, it goes through all the areas of a business."
Another area that cybersecurity pros can look at is that of education.
"Humans are great at explaining things to other humans," she said. "That is something that we see at IBM. Someone who can explain things in a clear way that someone else can understand can be very valuable, not just for other security professionals, but also for a general audience, too."
And if the education task involves teaching the AI systems how to do cybersecurity, InfoSec experts shouldn't be worried that they are a traitor to humanity, she added.
"You're a helper to humanity," she said. "There is so much data and it's so hard to keep up with it that this is about throwing out that life jacket, helping people to float. It's not about getting rid of humans. It's about making our existing humans super-human."