Cybersecurity Mentors Podcast

AI Isn't Replacing Cybersecurity Jobs... It's Creating MORE Work

Cybersecurity Mentors Season 6 Episode 17


Everyone is asking the same question:

"Will AI replace cybersecurity jobs?"

After working with AI every day in a real enterprise security program, my answer may surprise you.

In this episode, I explain why AI is actually creating more work for cybersecurity teams—not less.

We discuss:

  • Why vulnerability management is exploding 
  • How AI is accelerating vulnerability discovery 
  • Why AI governance is becoming one of the fastest-growing areas in cybersecurity 
  • How security operations (SOC) teams are actually using AI today 
  • Why AI is a force multiplier—not a replacement 
  • The cybersecurity skills that will become even more valuable over the next few years 

If you're worried about AI replacing your career—or you're trying to break into cybersecurity—this episode will help you understand where the real opportunities are.

Come hang out with us in the Cybersecurity Mentors Skool community. It’s free to join.


Cold Open And Solo Setup

SPEAKER_00

Could you teach me? First learn stand, then learn fly. Nature rule, Daniel-san, not mine. I know what you're trying to do.

SPEAKER_01

I'm trying to free your mind, Neo. But I can only show you the door. You're the one that has to walk through it.

SPEAKER_00

What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life.

SPEAKER_01

All right. Welcome back to another episode of the Cybersecurity Mentors Podcast. On today's episode, um, Flying Solo. It's just me you have to put up with. Um, but that's okay. I have an interesting topic that I thought um is timely and I think everybody will relate to, and and it will be interesting to discuss. I'm excited to discuss it um as um dealing with it on a daily basis. So let's jump into it. So

Fear Of AI Taking Jobs

SPEAKER_01

AI and the fear of AI taking security jobs away or replacing what security professionals are doing is the fear, is that, hey, AI is gonna come, it's gonna take away all our work. We're gonna, you know, analysts are gonna have there's gonna be less analysts because AI can do their job. Um, when in fact, what we are living right now and and dealing with is that AI is creating more security work, not less. Okay. And that might be surprising, maybe not, but we'll dive into it and I'll explain why AI is creating more security work and what that means for you if you are looking to take advantage of this of this opportunity to jump in and help because of the workload and how the workload has and is has increased and is increasing. And the fear is that just I described, it's that people are worried that I don't need as many people because AI can do X, Y, and Z. AI can work in the SOC, AI can analyze events, AI can do this, can do that. Um, and I've gotten these questions directly. What does this mean for me in my future? Should I be worried? I am worried generally, that you know, they are worried. Should I be concerned about how AI is changing the workforce? Especially, am I behind? That's the other question that I get. Is am I behind if I'm not learning AI now? And what should I do about

Why Everyone Feels Behind

SPEAKER_01

that? Right. Well, first off, let me just address the are you behind um thought. It's everybody's behind, right? This thing is moving fast, and no one that I know of has it all figured out and understands what the future holds and knows what to expect. So we're all catching up, we're all playing catch up because things are moving very fast. So don't worry about that. If you've never used an AI tool ever, don't feel like, oh, I'm I might as well just give it up and not worry about this. So everybody's behind, everybody's trying to play catch up to take advantage of and deal with this new day, new dawn with AI. Um, so I'll just put that out there, get that out of the way.

Faster CVEs And Zero Day Risk

SPEAKER_01

But um what the reality is, is that AI and the use of AI and different tools, different ways, is creating more visibility. More vulnerabilities are being discovered on a daily, weekly, whatever basis. And I I read this or heard this is that the amount of CVEs that have been submitted in this past couple of quarters of this year has gone up significantly. Now, I I don't know that we could go look it up and see what the CVE numbers are, but I can tell you from my experience that just in this past week, I have dealt with more reviews and analysis of vulnerabilities that have been discovered, and that trend seems to be, you know, trending up, right? More vulnerabilities being discovered quick, quicker, faster. The time, the zero day, time to zero day to exploitation is shrinking, shrinking, shrinking, right? So that's pretty obvious, right? If you don't, if you don't agree, that's okay. But it it seems to me that's pretty obvious is that the time to exploitation and the amount of vulnerabilities that are being discovered is I mean, it's in me, it makes sense that they to me, it makes sense that they're using AI to help them do that, right? Right? Why, why not? If you're a threat actor or or a security researcher, why would you not use AI to help you do those things faster? Speed up the time to discovery, speed up, um, especially for a threat actor, the vulnerability to exploitation phase. I mean, perfect sense. Makes perfect sense. So we have what that means is for security teams, we are, it feels like, and and I can tell this from experience, that we are dealing with more vulnerability discoveries than ever. More vulnerabilities are being disclosed. And what that means, what do what does that mean for a security team, right? What do you think happens with a security team? You know, you may know. But we have to go evaluate those vulnerabilities. We have to go verify if we are affected by those vulnerabilities. 
You know, you can watch uh news, news uh sites like Bleeping Computer, um, Hacker News, right? And they're coming out with new articles every day, it seems like, of hey, here's a new major vulnerability. Here's a new major vulnerability. So you get those articles that are dropping, and you have to say, well, let's go find out. You know, we it's not, it's not A to B. It sometimes is, but it's rarely like, oh, yes, we know we're running that version. Because you have a major enterprise, you don't know every version that you're running, you don't know if it's actually affected, you don't know if you're configured to be vulnerable based off of that version. And you may have that version, but you might not be vulnerable. You may have that version, but you might not have it accessible where it could be exploited. So those happen, when those happen, that's what you have to figure out is what is our risk? What is our impact? Are we impacted? What does that look like? And then of course the follow-up to that is oh, we are impacted. Now what? Have we been exploited? Has someone is a zero day taken advantage of that zero day and gotten access to a system? So you have to do that forensic work if you're impacted to verify, especially if it's something that could have been exposed, have we been hacked? Right? And then hopefully you have it, right? Knock on wood. Um, from there, remediation. How do we make sure that we are no longer exposed? How do we close that exposure? This is all typical vulnerability stuff, but that takes time, that takes a lot of energy and a lot of teams. It's not just your security team, it's always other teams that are involved to help you investigate and validate. And so you're doing that more often. Security teams are doing that more often because more vulnerabilities are being discovered. Right. So a couple of examples in higher ed was, and I can't say a hundred percent that they were AI assisted, but it makes

The Real Work Of Triage

SPEAKER_01

sense. But just last week, there was a ServiceNow vulnerability discovered by security researchers, and then a PeopleSoft vulnerability, major PeopleSoft vulnerability that had been exploited and was disclosed that um affected most of higher ed, right? Most of higher ed is using ServiceNow and PeopleSoft. PeopleSoft is a major one. Um, before that was Canvas. So, you know, Canvas is an another major uh uh application that higher ed uses typically, and those things are coming out more often. There's more of these that are being disclosed on a regular basis. Um, on top of that, AI is helping us find our own weaknesses and our own vulnerabilities. So if you can imagine, you know, you have thousands of systems, thousands of applications, and you have a lot of data. There's always been more data than you typically could analyze from a vulnerability standpoint or from a weakness standpoint, a configuration standpoint. So you utilizing AI to help you review that data is awesome because that's what it's really good at doing. But now you have to do something when you find those, right? You have to go, you can't unsee what you found, what you discovered, what your team has discovered. So now you have somebody has to go remediate, validate, verify, config, you know, change, change or update or patch. Um, that's more work. You're creating more work for yourself. Now, this is good work because you want to find this before a threat actor finds it, but it's still more work. More work is being created. We are doing more work because we are finding our own vulnerabilities, not necessarily like CVEs, but weaknesses or val or verifying and and reviewing our own vulnerability data to prioritize what needs to be patched, right? Um, on top of that, we're using AI assisted you know, assisting us to help with internal and external penetration tests, right? 
So using the data that we discover to prioritize things that might we might have missed before or not have been able to connect the dots of like, oh, well, this is this is something that you should go take a look at because there's a potential you know path to exploitation here, right? Well, that's great. And that's what we you want you want to be doing, but you want to be proactive. This is kind of like what people are talking about, being mythos ready. Are you are you mythos ready or mythos? You know, this and that's the new debate, mythos or mythos or mythos? I I don't know. Whatever. I say mythos. Mythos sounds cool, like more more Greek, but are you mythos ready? Well, people are using these tools to help see if if there are things that we can discover before some super tool were to come out that would find these a lot faster than you could manually. And that's what we're doing. We're using those tools to help us and we're finding things, which is awesome because we may have not find or discovered those things without going to look, but also it would have taken us longer to find them without help from AI tools. But what does that mean? Well, there's more work being done to use those tools to find those weaknesses, and there's more work to do to fix those weaknesses, not less work, more work, which is where we are right now. Now, I'm not talking about the future yet, but right now, this is where we're living. This is what we're doing. All right.

AI Governance And Data Spillage

SPEAKER_01

So, AI governance is a is a key, a new hot topic term that's out there about AI governance. You know, it's the new, the new hotness. If you're in if you haven't heard it's a new hotness, it will be. Don't just wait, right? I'm sure all the GRC folks are just loving that term, AI, AI governance. Well, as somebody who's living and breathing AI governance, I can tell you it's definitely a thing. And it's probably one of the most things that take the most time of our team right now, and myself. And why is that? Well, everybody wants to use AI because it's the the next magic, whatever. Um, and so they want to you want to give those teams capabilities that that maybe they could take advantage of, just like we're doing, but there's you know, there's risk of the data, the data classification, what data is being used, what are they going to going to share with the tool? Do we have an agreement with that company that they want to work with? Um, are they going to train on our data? All those things you have to answer and review and validate. And it's kind of like third-party risk management, but I would say magnified, because let's say you have a tool that you're you've partnered with. Well, now everybody wants to use that tool, which is okay because that's the tool you've sanctioned and said, we have a data sharing agreement with this company. You know, you this is the one to use. Don't use your home version, which is better, right? Use the one that is approved. But now everybody wants to connect everything to that tool. Oh, we want to connect this and OneDrive and Box and uh Slack and Teams and 365, you know, Office 365, Outlook, and and whatever, right? And so from that, you know, you know, you you as these are new questions and new frontier, a new frontier of, well, I don't know. Like we we've never done that before. We've never had to evaluate whether or not it's okay to connect these. Well, what is the impact? What is the risk? What could happen? 
What's the worst case scenario, right? Which is where we live. Well, let's use Box for Box as an example. Maybe you have a higher data classification on Box that says you can put the most restrictive data in Box because you've got a BAA with Box and it's it's agreed upon and you have terms and yada, yada, yada. Well, but maybe your AI tool, you don't have that highest classification, and people want to connect Box to that tool because it's gonna make their life easy. I can go review all the my files in Box and have it do all the things. And when it's connecting, it may gobble in that data. Like, you know, it's gonna use the data that you say, hey, go find this for me, right? And AI wants to be helpful and handy, and it wants to do the thing you asked it, asked it to do. Well, then you've now you've had maybe a data spillage or the data that has been retrieved could be a higher level than it should have in the AI tool. So you have to explain to people that look, I know you want this connector, I know you want this feature, but and I know it's awesome and it's uh you know, it's great. But here's the risk, here's what could happen. So those happen those are happening all the time, all every day. You may have a company that has all the tools, you know, maybe they've got Claude and ChatGPT and Gemini and and Copilot, and now everybody wants to connect all those things to everything. Oh, I like this one better. Oh, I like that one better, right? And and you're having them not just one times or five times, you know, you're multiplying that over and over and over. It's exponential because you got to make a decision here and here and here and for this and for this and for this, and everybody has different use cases. That is definitely a lot of time that has increased the workload for security teams and GRC, and specifically in GRC in a way, it could be any either one, but it's really GRC of what is the risk? You know, are we gonna approve this? Are we not gonna approve this? 
Can we scope it? And guess what? In my experience, with these AI tools, they do not give you all the granularity and security that you would love to have to be able to scope it to just the right people or just the right access. They are not fully baked, enterprise-ready, security, role-based tools. Now they have role-based security, but it's not as granular as you would like it to. Oh, okay, I'm gonna give this person specific access to use this because that's they have justified the need. A lot of times it's an all or nothing, or it becomes too untenable to just do onesie, twosie, threesie. That's part of the problem, too. It's like, well, this is gonna be how many people do you have to go evaluate every use case? Or can you say, well, we're okay with this up to this level? There's just more, there needs to be more capabilities built into these tools from an enterprise level to make it easier to give just the access that's needed. Um, and also monitoring and also auditing, there's they are not great tools in in the AI capabilities that I've seen yet. Hopefully they'll get there. But that is a significant amount of time that's being spent. Um

SOC Analysts Use AI As Assistant

SPEAKER_01

on the defensive side, this is where, you know, the question that, and we've talked about this before, of in the SOC and in analysts and how they're dealing with how is AI going to take over what capabilities or jobs that an analyst does. And right now, I mean, and I mentioned this before, but in our experience, it is it is a great assistant. It is helping, there's always been more data than you can ever look at, and especially in security, and especially in an analyst role, right? There's always false positives, there's always event data that you can't go look at because it's not significant enough. So it's very helpful to weed through that data to find things that stand out in the in the in the haystack of needles to find the needle, right? And so that's not taking away from what we need. We're not saying, oh, now we don't need less, we need less people. It's just giving us a force multiplier for what we have. So now we can use that tool and the capabilities of that tool to help speed up the time to detect or go threat hunting and use it as an assistant to weed through all the noise to help us find if there's an impact, right? So it's just another tool, and I I I know I've mentioned this before, so I won't I won't belabor that point, but it isn't taking away, it's not less work, it's more capability to what you're already doing, in in my my experience. Okay. So my um what does this mean for you? And uh and you could call this maybe the AI workload paradox, right? What's you know, what's the paradox? Well, you think that AI is going to do all these things for you? Well, that it's not the case. It's not doing all the things for you. You are having to utilize and or feel the impact of AI from vulnerabilities being discovered, from um people using AI, AI to attack you, right? Um now is there possibilities where the capabilities will help stop more threats? Yeah, that's already happening. Tools are already tools already have AI baked into those or machine learning. 
That's already a thing to help you find those threats and mitigate them faster. But that does that doesn't mean we have less to do. It means we have we may have less alerts, junk alert alerts to go, triage, but that doesn't mean all the alerts have gone away, right? Um, and I do have hope that it's going to help us stop threats in different ways in a better with better capability than we've had in the past. I hope so. But there's always going to be that arms race, always, of we have the tool, they have a better tool. Their tool, we get better, they get better. We get better, they get better, right? Um, it's just understanding and and taking advantage of those tools for the future.

Skills That Grow Your Career

SPEAKER_01

What does this mean for people trying to break into cybersecurity? So I would say there's a few, there's some some good opportunities here, right? I think vulnerability management is just going to be more and more important and understanding basic vulnerability management, right? How to understand CVEs, understand, read vulnerability reports, um, prioritize vulnerability patching basically. Based off of risk, uh, how to validate vulnerabilities, how to explain that clearly. That's all the basics of understanding vulnerability management. And it's never it's never gonna go away unless we have robots write all the code and they know how to write it without writing vulnerabilities, which is never gonna happen because they've learned how to write code from humans. I don't think it's ever gonna happen. But right now, what I see is that's going to continue to increase. More vulnerabilities are going to be discovered, therefore, more work needs to be done in this area. I think there's gonna be more people that are needed to manage all those vulnerabilities. I do think there's an opportunity there to start learning how to take advantage of AI with your vulnerability management program, right? How would you ingest that data to help weed through the noise of false positives, the noise of low to medium or even high vulnerabilities that aren't maybe the most important? Maybe they're not, there's not an exploit available, or maybe there is, but you know, the way it's configured is not configured to be vulnerable, right? There's a lot of those little pieces that AI could help you weave through the data to help you prioritize what needs to be patched as soon as possible, or prioritize based off of your patch management schedule. So I think there's a huge opportunity there. Hooked into that is kind of how that overlaps into offensive security of using tools to ingest data of like internal scanning. 
You know, say you're scanning your perimeter, you're scanning your internal assets, you're scanning things, you're looking for weaknesses, you're identifying versions, um, like web scanning, right? Maybe you're you've got a web scanner that's running Nuclei and it's scanning all your front-facing stuff. Well, that's a lot of data. And using AI to help you weed through that data is a great thing to know how to do. And somebody asked you that in an interview. Yep, I know how to um, you know, use these tools to help identify vulnerabilities faster. Boom. Right. So I think that's a huge, I think you will see more positions looking for that skill set because of this increased workload. All right. The other one is AI governance, right? So I you know, because there are more things that are coming through the pipeline for requests of I want this AI tool, or I want to turn on this AI feature, or I want to connect this thing with it, has data in it that to my existing AI tool, those are, man, that's all over the place, right? And I think everybody's learning by doing. There's no book on this that's like perfect that I've seen that's like here's the rule set, and it's all going to be different based off your your environment, your risk tolerance, all the typical things when it comes to a risk decision. But understanding if you here's some good examples. Well, a good example. If you have never used a tool, one of these tools, and then you are being asked to evaluate whether it's okay to turn on a feature, how can you understand and make an informed decision to do that or not? A lot of times we will turn on the feature for my team or myself and myself to kick the tires on it because no one has ever used it before in our organization. And we don't know, I don't know. What could it do? What's what is the worst case scenario? So understanding, I am fortunate in that I've used a lot of these tools. 
I, you know, I've used these tools, and that I have more information, it's kind of back to build the build fundamentals of you don't have to build an AI from scratch, although if you can, that'd be amazing. Um, you could install one like Llama or something, Ollama or something like that, right? And it gives you even more understanding of how it works. But at least having used it, you can, and being a, I would say a power user of it, you are more informed to help make a risk-based decision because you know what it's talking about. You know what that feature is. And if you don't, you at least have the foundation to go try it and test it and use it. And now you understand, okay, all right, now I understand how this function works. How would connecting it to this data set or using it, what could a threat actor do, or what would be the worst case scenario if someone accidentally did X, Y, or Z? Um, I think that's a huge opportunity uh to investigate. I don't have all the answers. I don't have a class that I could say, hey, go take this class and you'll be ready to rock. But um, I do think like one thing you could do in if you're in this GRC world and you want to be, is think about the privacy and the security and a policy. Look at the policies that are out there. Go investigate what policies are written about AI policies. There's not a lot of them, you know, so you can go get an idea and a sense of what people are saying that they would they are allowing or not allowing for their institution, if it's publicly available, um, for AI tools, right? And understanding what that governance looks like. And even with that governance, it's always like you can have per you can have a great policy, but it still doesn't mean it answers all the questions on, oh, I want to do this. It it usually doesn't. But being able to think through those scenarios. 
So in our Skool community, um, I actually dropped one of these scenarios that's based off of a real scenario that I've that we have have had to deal with and are having to deal with. Um, just saying, hey, here's an example. Go through this. How would you make a decision? What would you say the risk is? Write it up in your own uh in English, you know, in basic English understanding to explain to the person that's requesting it. Um, just to help give you an idea of some of these examples that you could work through and work on to get practice with. All right, and in the and I mentioned this with the AI operations, SOC operations with AI. How could you use it to help you be better prepared for a job in a SOC? Well, yeah, I mean, uh, here's a a good way to practice is log analysis and querying. Like I I'm fairly proficient in Splunk, used it for a long time, but I will use it to help me write better better Splunk queries. Now, sometimes it writes Splunk queries that are not that great, but a lot of times it's it's really good. And I will tune it because I've done the manual work first. I know how to tune it to make it better, or I know how to tweak it to make it more accurate to what I'm trying to do, right? So using it for those kind of events, I mean, just makes you faster, right? Imagine you have an incident that has happened and you need to investigate. Well, how about let's use the tool to help us weed through thousands of log entries to get to the things that are the most interesting? Man, that's gonna make you faster, right? So that skill, that practice is a thing you can do and simulate and work with to help you understand how you would use it or could use it in a real SOC job. Okay. And we've talked about this stuff before, but all right.

Leadership Takeaways And Community Invite

SPEAKER_01

Um just lastly, on the leadership angle of what this means for security teams, is I think most security teams I've seen, you know, they they get this, right? They don't they're not burying their head in the sand of like, well, you know, let's not think about this right now. I think everybody is being confronted with it and being forced because people want to use it and and all these other reasons I've mentioned. Um I think it's good to be proactive and take advantage of what capabilities it gives you for your teams so that you can utilize that to be more proactive. I think that's the big thing. Being more proactive. Um, being more productive. Now it will create more work, but you would you would rather find that than somebody else finds it or a threat actor finds it, right? Um so use it as a a force multiplier. All right. Um so that's kind of just debunking the the theory that AI is going to take make less work or create less work for security teams. In my experience, and my team's experience, it's creating more work for security teams right now. Will that shift in the future? I don't know. I can't tell you. But definitely right now, we are doing more things. We have more things going on because of AI, really. Not, I mean, you can you can point it right at AI and how it's increasing the workload across the board in different areas on the operation side, on the GRC side, on both. Um, so I hope that's helpful. I hope it it gives you some encouragement that you you know you're not behind, that you've not missed the bus. There's a lot to do. We need solid people that are going to help us. That need is still there and is and is going to increase still, in my opinion. I don't think it's going to decrease. It just is more effective, right? Um, so go forth and conquer. Come check out our our Skool community. Uh, we'd love to have you. We've got some of these scenarios that we drop in there of practice that you can do in our classroom area just to help give you an idea. 
And I and I a lot of times I will use real incidents that I have defanged and anonymized to create practice examples that I will drop and we will drop into the the community that are based off of real events or real incidents or real vulnerabilities or whatever, right? It's based off of real data. That's it. Have a great one, and we will talk to you soon.

SPEAKER_00

Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast. Remember to subscribe to our podcast on your favorite platform so you get all the episodes.

SPEAKER_01

Join us next time as we continue to unlock the secrets of cybersecurity mentorship.

SPEAKER_00

Have questions, topic ideas, or want to share your cybersecurity journey? Join our Skool community, the Cybersecurity Mentors, where you don't have to do this alone. Connect with us there and on YouTube. We'd love to hear from you. Until next time, I'm John Hoyt. And I'm Steve Higgeretta. Thank you for listening.