Enterprises look to AI to bridge cyber skills gap — but will still fall short

Global cybersecurity workforce growth has stalled in spite of a clear and growing need for skilled workers.

The latest edition of ISC2’s Cybersecurity Workforce Study, published last week, reports that the global cybersecurity workforce grew just 0.1% year-on-year to reach 5.5 million professionals. That’s in sharp contrast to the 8.7% growth seen in the equivalent study last year — a strong rise achieved even against a similar backdrop of tough economic conditions.

ISC2, a nonprofit member organization for cybersecurity professionals, reports that professionals are feeling the impact of declining investments in the cybersecurity workforce, including budget cutbacks and layoffs.

Industry professionals quizzed as part of the study cite “lack of budget” as the top cause of their staffing shortages, replacing “lack of qualified talent” as the biggest single reason for lack of progress in bridging the cybersecurity skills gap.

More than half of those surveyed (58%) believe a shortage of skills puts their organization at significant risk. Moreover, increasing workloads on short-staffed workforces are taking their toll.

“As economic conditions continue to impact workforce investment, this year’s Cybersecurity Workforce Study underscores that many organizations are putting their cyber teams under significant strain, risking burnout and attrition as job satisfaction rates fall,” said ISC2 acting CEO and CFO Debra Taylor.

As a result, many organizations are beginning to turn to AI as they contend with a growing global shortage of cybersecurity talent, which ISC2 estimates at nearly 4.8 million professionals, up 19.1% from a year ago.

“Despite these challenges, AI is viewed by professionals as a solution to strengthen their organizations’ security and create new efficiencies for their teams,” Taylor noted.

Outsourcing, AI to pick up the slack

The hiring freezes and layoffs many companies are facing means many cybersecurity teams are increasingly enlisting managed security services to meet the pressure of doing more with less.

Dave Atkinson, founder and CEO SenseOn, argued that small businesses in particular are outsourcing their cybersecurity defenses in response to the long-standing cybersecurity skills gap.

“The cyber skills gap is an issue that more intensely impacts SMBs due to their limited budgets and resources available,” according to Atkinson. “Many SMBs simply can’t compete with larger enterprises that can offer higher salaries within larger teams, meaning the already insufficient talent pool of skilled professionals is disproportionately impacting the SMB sector.”

Atkinson added: “SMBs are often best outsourcing their cybersecurity protection to specialists that have the appropriate infrastructure to monitor incoming threats, preferably experts that have a track record of supporting similar sized firms.”

The shift toward more spending on services to fill talent gaps is reshaping the CISO role toward more of an orchestration one, as well as the role of remaining in-house staff.

And as staffing budgets shrink or level off, even for some larger organizations, CISOs are having to adapt — partly by investing in tools that can automate repetitive tasks, with an eye toward AI and managed services as means for maximizing the productivity of their in-house teams.

Kevin Curran, IEEE senior member and professor of cyber security at Ulster University, told CSO the age of AI in cybersecurity has already arrived.

“The integration of AI into cybersecurity is already evident in threat detection and response, automation of security tasks, simulation of cyberattacks and enhancement of security protocols,” Curran explained.

Curran added: “AI’s ability to quickly analyze large datasets is vital for identifying real-time threats and anomalies, while also freeing up human resources by automating routine tasks such as log analysis.”

ISC’s study found that nearly half (45%) of respondents’ teams are already utilizing AI for cybersecurity tasks, with the top five use cases being:

• Augmenting common operational tasks (56%)
• Speeding up report writing and incident reporting (49%)
• Simplifying threat intelligence (47%)
• Accelerating threat hunting (43%)
• Improving policy simulations (41%)

Can AI truly fill the gap?

Many in the cyber community agree that AI can help companies shore up their cyber skills shortfalls.

Andy Thompson, offensive research evangelist of CyberArk Labs, told CSO: “Human talent will always be the fulcrum of the work we do, but the facts are that we have a huge dearth of skills that needs to be filled, and gen AI has the potential to bridge the gap. The technology can be an indispensable ally, automating the routine and allowing human experts to focus on the strategic manoeuvres that will mitigate against the ever-evolving threat landscape.”

But while AI offers a powerful tool in identifying and mitigating cyber threats more effectively than traditional methods it is unlikely to replace skilled cybersecurity professionals, industry experts say. AI-based security technologies lack maturity and, even as they develop, organizations will be hesitant to give them autonomy without human oversight.

Muhammad Yahya Patel, lead security engineer at Check Point Software, commented: “AI will certainly play a supportive role, automating certain daily tasks and enhancing different cybersecurity roles. However, there are human elements that AI simply cannot replace, and it’s unlikely that organizations will place their full trust in machines alone for their security.”

Tim Morris, chief security advisor for the Americas at Tanium, agreed: “While AI can process and analyze vast amounts of data, it lacks human intuition and experience and cannot interpret nuances beyond the data presented.”

Jamie Moles, senior technical manager at ExtraHop, told CSO: “Humans are still able to offer crucial insights and identify patterns that robots cannot. As a result, humans are the linchpin that oversees several, largely autonomous, systems.”

As a result, a shift may be under way in which lower-level security tasks and roles begin to give way to AI, while higher-level activities and positions evolve to orchestrate, oversee, and hold accountable the outputs of AI security systems.

That oversight portion can’t be underemphasized, according to Ulster University’s Curran.

“While AI can detect and respond to threats in real-time, there are valid concerns over its reliability when operating autonomously,” he said. “A single AI system failure could leave services vulnerable and lead to significant problems. In addition, the high costs of setup and maintenance pose additional challenges for those operating with limited budgets.”

“A hybrid decision-making model that includes a ‘human in the loop’ can provide additional security by verifying AI-driven analyses and recommendations,” Curran added. “AI should still be seen as a copilot, with security teams using their judgment to make final decisions.”

ExtraHop’s Moles agreed: “Most businesses are not prepared to hand over that degree of responsibility, especially as most AI agents still have a long way to go before they can compete with a trained human.”

So, while AI may be able to help in some areas, the underlying issue cyber teams face — talent and skills shortages — remains.

Upskilling for the future

In the meantime, the rise of AI has added another task to cyber pros’ lists: training up on AI to future-proof their careers.

Experienced professionals will need to develop skills in AI technologies and learn how to integrate them effectively to address more advanced threats, according to Check Point’s Patel.

ISC2 study participants are optimistic about AI adoption and are focused on attaining the skills they need to be successful in an AI-driven workplace. Two thirds (66%) of those surveyed say AI represents career growth opportunities, while 54% say it will be helpful to their organizations’ security operations. Half (51%) believe AI will result in certain cybersecurity skills becoming obsolete, but two-thirds are confident their expertise will complement the technology, with 80% saying their cybersecurity skill set will be more important in an AI-driven world.

To prepare for future opportunities, 73% of respondents are building their cybersecurity skill set, 52% are focused on becoming a more strategic contributor to the organization, and 48% are learning more AI-related skills.

Still, more than half of respondents reported they don’t have enough time to learn new skills, according to the survey.

The 2024 ISC2 Cybersecurity Workforce Study is based on online survey of 15,852 cybersecurity practitioners and decision-makers worldwide and was conducted by Forrester Research.