InfoSec Labor Shortage: AI to Supplement and Augment
Machine learning (ML) and artificial intelligence (AI) have been receiving increased attention in the media as of late. AI has been in process for well over a decade, yet recently has been much more publicized in the press. Most persons may be familiar with ML and AI from the movies (Tron, Her, iRobot, Blade Runner, 2001: A Space Odyssey, and many others) or commercial ventures with security incident and event management (SIEM) applications (Dawson, 2017). These applications have also been implemented with recreational users with the Go game, IBM Watson, and other applications.
InfoSec has many functions, too numerous to detail. These include, but are not limited to, log analysis, spam filter applications, network IDS/IPS, fraud detection, botnet detection, user authentication and validation, and in general monitoring activities (Rossi, 2016). With the vast number of responsibilities, time is of the essence. This is only further exasperated by the mass number of attacks that are present and that will continue to grow.
These attacks have been increasing over time as a function of the increasing attack surface of increasing data and system complexity coupled with the potential revenue to be generated. The amount of data generated from daily operations increases making it difficult to analyze all of the data (Siwicki 2017). This grows, in comparison, from a small to medium, or medium to large sized business. The increased amount of available threats (Stevens, 2018) have subsequently increased the network breaches in the mid-decade (Li, 2015) and recently. Although this is abstract, the reality of the situation incorporates the actual cost to the organization. In 2013, the estimated global cost of cybercrime was $113B (Sanders, 2015). As the number of attacks has grown along with the mass volume of data being targeted daily, the cost has increased rather significantly.
These attacks also have increased in depth. These have moved from the shallow, low hanging fruit to the more in-depth, complex attacks. With the number of new InfoSec tools engineered specifically to compromise systems and these being designed with a GUI for complete ease of use.
The attacks have also increased in criticality. The targets are involved with more criticality. The targets are involved with more critical operations for the organization. The attacks are becoming more concerned with these high-value targets, providing greater attention when compromised.
In InfoSec, as a general indicator, there have been and continue to be a significant shortage of qualified staff. In cybersecurity, this is much worse. There presently is and will continue to be a severe shortage of cybersecurity professionals throughout the country (Li, 2015). The issue isn’t merely with the number of staff members not being sufficient, but also with experience. The expertise of the staff members also is lacking (Cowley, & Greitzer, 2016).
One area this is specifically problematic is within the automotive cybersecurity field. With the new modules and operations, along with the new push for autonomous drive (AD) vehicles, there is a much larger need for cybersecurity professionals. This demand for the automotive cybersecurity professionals will continue to outpace the supply (Uchill, 2017).
The InfoSec staffing shortage is well-known and published in various mediums, and a challenge (ISACA, 2018). This shortage is not localized, but a global issue (Ollmann, 2016). Within this industry, 59% of cyber- and InfoSec positions are not filled (Zorz, 2018). The same study also noted 54% of respondents say filling an open position generally requires at least three months. This time frame experience is not acceptable.
To further this, 59% of the enterprises responded the organization experienced open security positions (Teitler, 2018). This is as of a limited time span. Over time, this has also been the case. ESG recently conducted their annual global survey focussing on the state of IT. From this survey, the number of organizations claiming a shortage of cybersecurity skills has increased since at least 2014 (Oltsik, 2018). This study indicated the obvious of filling these cybersecurity positions was more difficult in 2018 versus 2017 (Rio, 2018).
Expected Labor Force Shortage
As noted, the past and present shortage of qualified, experienced cybersecurity staff has been growing noticeably (Morgan, 2017). This is the reality for the industry. Looking forward, the shortage of staff is expected to be approximately 1.8M by 2020-2022 (Condon, 2018; Stolte, 2018; MacDonald, 2018; Gil, 2018; Kawamoto, 2017).
AI to the Rescue
The past, present, and future labor shortage is well-known. One discipline which may be of assistance is AI (Rio, 2018). While this is not a panacea and won’t be able to solve all the presented issues (Oliver, 2018), there is a clear benefit to the implementation (Scroxton, 2018). In general, AI will be able to increase human productivity (Reese, 2018). As the beneficial processes are experienced by the organization, the cybersecurity teams will achieve a greater level of understanding (Ismail, 2017). This greater depth of understanding will provide for a faster, better, and less costly cybersecurity program.
This understanding will provide for the upgraded modules to better identify threats, assess the risk, and apply the remediation protocol. Identifying threats has proven to be difficult due to the attack surface and data continuing to grow. There is a limited amount of resources being applied to the network, endpoint protection, applications, cloud services, mobile devices, and other points and processes. Assessing the risk involves correlating the external threat data with the business criticality. This activity along is well-suited for ML and AI applications, along with the added functionality AI provides for. This may be used to assess the security gaps and possible points of breach or compromise.
For the full implementation of AI into InfoSec, there has to be trust with the system. The humans require a full understanding and appreciation of the system, knowing the risk of an oversight or negligent decision is as close to a null as possible, with the awareness that there will be a rather insignificant level of potential error in the application. No human deiced without an error on some level over decades of work. This confidence in the system is vital (Stilgherrian, 2018).
For the trust to be in place, there need to be two pertinent factors in place. These are operational and data security (Hengstler, Enkel, & Duelii, 2016). The operational safety facet involves the technology itself being reviewed and approved per the appropriate level of governance. The data itself also has to be secure, and not modified. With these fully engaged, the issue of a lack of trust would be marginalized.
Another issue noted was the AI system would replace most of the humans, leading to mass unemployment. Users may have the visions from Hollywood of the machine taking over step by step. This will not be the case. The AI systems will work to supplement the work flows, not replace humans, freeing time which may be applied elsewhere on other projects (Rio, 2018).
There are many types of duties and work which AI is not able to do so (Skilton, 2017). Humans have the ability to generalize, reason through issues, and intuition, which would not be able to be fully replaced by code or a machine (Towers-Clark, 2018). From this, clearly the cybersecurity role is and won’t be targeted (Korolov, 2016).
Regarding job functions, there will be fewer jobs at risk of being affected from automation than previously thought (Vincent, 2018). There will not be the need for humans lessening as the new paradigm shift occurs. This potentially will affect, to the detriment, low skilled jobs. As an example, there have been in use for over a year AD bus lines on the campus of the University of Michigan-Ann Arbor. These naturally have a limited scope of use, however have been in place, are actively used, and are trusted by the students and University.
This will be used more to review threats originating from outside of the entity (Needle, 2017), for data protection (Help Net Security, 2018), to detect anomalies in traffic, and to create a more difficult environment for attackers to compromise (Osborne, 2018).
There is a level of faulty reasoning as the AI system will not be usurping the human’s authority and autonomy. The industry and civilization will still need human developers (Merritt, 2018). There is no question as to this use case. Humans will be needed for advancing to tools we have in place presently. Each business is unique in its parameters and application requirements (Allen, Filar, & Seymour, 2017). The humans will be needed to fulfill the varied requests and requirements in a creative manner. While creativity is one of the functions of AI in the long-term, the humans will still need to be directly involved with these endeavors.
The humans will be required to manage the contingencies involved with business operations, incident response, and many other areas. While computing this is a controlled process, the human aspect will be needed as creativity is a required function. The decision process is multi-faceted and still will require a human’s interpretation of events, and ranking in the decision-matrix.
ML and AI will assist with InfoSec as an effective assistant (Siwicki, 2017). The users are too numerous to enumerate, however the generalized uses are notable. These include, however are not limited to:
a. Analyzing the mass amount of data generated daily from operations, AD vehicles, and the myriad of other sources (Graham, 2018),
b. Improving accuracy, which would subsequently increase the humans confidence (Ashford, 2017),
c. Automating initial and secondary false positive review (Morgan, 2017), effectually freeing up a large block of time for the InfoSec team,
d. Improving predictive analytics to possibly identify pre-compromised targets, reviewing the requirements for the InfoSec team to remediate issues,
e. Force multiplying; as this will supplement the InfoSec team’s efficiency, allowing each member of the team to achieve more in different areas, and
f. Training, personalized for each staff member to assist them with their position, goals, and careers.
Supplement and Augment
AI will be a benefit to commercial organizations, consumers, and other involved. In the subject context, the benefits are numerous and too expansive to list for the InfoSec field. This, as the implementation evolves and increases in usage, will become more evident and show not only its promise, however also its potential to make the InfoSec worker more efficient, and multiply their efforts.
This shift in application will not be quick. This is a needed, as with this level of a technology shift, the steps need to be sure, planned, and executed within a governance model.
Allen, C., Filar, B., & Seymour, R. (2017, October 19). Harnessing the power of conversational interfaces in security. Retrieved from https://www.oreilly.com/ideas/harnessing-the-power-of-conversational-interfaces-in-security
Ashford, W. (2017, October 18). McAfee forges ahead with analytics, deep learning and AI. Retrieved from http://www.computerweekly.com/news/450428465/McAfee-forges-ahead-with-analytics-deep-learning-and-AI
Condon, J. (2018, May 8). Survey suggests younger generations, including females, may fill the cybersecurity talent gap. Retrieved from https://www.protectwise.com/post/survey-suggests-younger-generations-including-females-may-fill-the-cybersecurity-talent-gap/
Cowley, J.A., & Greitzer, F.L. (2015). Organizational impacts to cybersecurity expertise development and maintenance. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 59(1), 1187-1191. doi:10.1177/1541931215591185
Dawson, J. (2017, October 1). Training machine learning for cyberthreats. Retrieved from https://www.afcea.org/content/training-machine-learning-cyberthreats
Gil, L. (2018, March 22). The debate is over: Artificial intelligence is the future for cybersecurity. Retrieved from https://www.scmagazine.com/the-debate-is-ver-artificail-intelligence-is-the-future-for-cybersecurity/article/749603/
Graham, K. (2018, April 13). Managing cybersecurity in the age of artificial intelligence. Retrieved from http://www.digitaljournal.com/tech-and-science/technology/managing-cybersecurity-in-the-age-of-artificial-intelligence/article/519790
Help Net Security. (2018, April 4). Would automation lead to improved cybersecurity? Retrieved from https://www.helpnetsecurity.com/2018/04/04/automation-cybersecurity/
Hengstler, M., Enkel, E., & Duelli, S. (2016). Applied artificial intelligence and trust-The case of autonomous vehicles and medical assistance devices. Technological Forecasting & Social Change, 105(2016), 105-120. doi:http://dx.doi.org/10.1016/j.techforce.2015.12.014
ISACA. (2018). State of cybersecurity 2018: Part I: Workforce development. Retrieved from http://ww.isaca.org/Knowledge-Center/Research/Documents/cyber/state-of-cybersecurity-2018-part_1_res_eng_0418.pad?regnum=441968
Ismail, N. (2017, April 19). The role of AI in cyber security. Retrieved from http://www.information-age.com/role-ai-cyber-security-123465795/
Kawamoto, D. (2017, June 7). Cybersecurity faces 1.8 million workers shortfall by 2022. Retrieved form https://www.darkreading.com/careers-and-people/cybersecurity-faces-18-million-worker-shortfall-by-dd-id/1329084
Korolov, M. (2016, December 2). AI is coming, and will take some jobs, but no need to worry. Retrieved from https://www.csoonline.com/article/3146137/it-careers/ai-is-coming-and-will-some-jobs-but-no-need-to-worry.html
Li, C. (2015). Penetration testing curriculum development in practice. Journal of Information Technology: Innovation in Practice, 14, 85-99. doi:https://doi.org/10.28945/2189
MacDonald, R. (2018, June 18). Working through the cybersecurity skills gap. Retrieved from http://www.helpnetsecurity.com/2018/06/18/working-cybersecurity-skills-gap/
Merritt, T. (2018, May 3). Top 5: Tips for using AI in your business. Retrieved from https://www.techrepublic.com/article/top-5-tips-for-using-ai-in-your-buisness/
Morgan, S. (2017, June 6). Cybersecurity labor crunch to hit 3.5 million unfilled jobs by 2021. Retrieved from https://www.csoonline.com/article/3200029/security/cybersecurity-labor-crunch-tohit-35-million-unfilled-jobs-by-2021.html
Oliver, J. (2018, March 29). Introduction to machine learning (ML) for cybersecurity. Retrieved from http://www.cyberdefensemagazine.com/introduction-to-machine-learning-ml-for-cybersecurity/
Olmann, G. (2016, December 28). How artificial intelligence will solve the security skills shortage. Retrieved from https://www.darkreading.com/operations/how-artificial-intelligence-will-solve-the-security-skills-shortage/a/d-id/1327756
Oltsik, J. (2018, January 11). Research suggests cybersecurity skills shortage is getting worse. Retrieved from https://www.cso.online/article/3247708/security-research-suggests-cybersecurity-skills-shortage-is-getting-worse.html
Osborne, C. (2018, March 21). Artificial intelligence key to do “more with less” in securing enterprise cloud services. Retrieved from http://www.zdnet.com/article/artificial-intelligence-key-to-do-more-with-less-in-securing-enterprise-cloud-services/
Rio, A. (2018, June 21). Will AI help close the skills gap? Retrieved from http://www.clomedia.com/2018/06/21/will-ai-help-close-the-skills-gap/
Rossi, B. (2016, June 20). Bring the noise: How AI can improve cybersecurity. Retrieved from http://www.information-age.com/technology/security/123461b38/bring-the-noise-how-ai-can-improve-cyber-security
Sanders, A. (2015, October 29). Will AI be smart enough to protect us from online threats? Retrieved from https://techcrunch.com/2015/10/29/will-ai-be-smart-enough-toprotect-us-from-online-threats/
Scroxton, A. (2016, January 24). AI is moving towards acceptance in cybersecurity, says Check Point. Retrieved from https://www.computerweekly.com/news/252433705/AI-is-moving-towards-acceptance-in-cyber-security-says-Check-Point
Siwicki, B. 92017, June 29). Artificial intelligence is giving healthcare cybersecurity programs a boost. Retrieved from http://www.healthcareitnews.com/news/artificial-intelligence-giving-healthcare-cybersecurity-programs-boost
Skilton, M. (2017, February 13). Impact of artificial intelligence on cyber security. Retrieved from https://www.huffingtonpost.com/professor-mark-skilton/impact-of-artificial-inte_b_14702160.html
Stevens, G. (2018). How to approach AI-enhanced cybersecurity. Retrieved from https://www.scmagazine.com/how-to-approach-ai-enhanced-cybersecurity/article/761867/
Stilgherrian. (2018, August 1). AI can deliver ‘faster better cheaper’ cybersecurity. Retrieved from https://www.zdnet.com/article/ai-can-deliver-faster-better-chearper-cybersecurity/
Stolte, R. (2018, June 21). Filling the cybersecurity skills gap with artificial intelligence. Retrieved from http://journal.ahima.org/2018/06/21/filling-the-cybersecurity-skills-gap-with-artificial-intelligence/
Teitler, K. (2018, May 1). ISACA workforce development report highlights need for more & more qualified security employees. Retrieved from https://www.misti.com/infosec-insider/isaca-workforce-development-report-highlights-need-for-more-qualified-security-employees
Towers-Clark, c. (2018, April 21). AI will not take our jobs, but it will fundamentally change them. Retrieved from https://www.gigabitmagazine.com/ai/ai-will-not-take-our-jobs-it-will-fundamentally-change-them
Uchill, J. (2017, July 30). Demand for automotive cybersecurity pros outpaces supply. Retrieved from http://thehill.com/policy/cybersecurity/344539-demand-of-automative-cybersecurity-pros-outpaces-supply
Vincent, J. (2018, April 3). AI and robots will destroy fewer jobs than previously feared, says new OECD report. Retrieved from https://www.theverge.com/2018/4/3/17192002/ai-job-loss-predictions-forecasts-automation-oecd-report
Zorz, Z. (2018, April 17). Tech-skilled cybersecurity pros in high demand and short supply. Retrieved from https://www.helpnetsecurity.com/2018/04/17/cybersecurity-pros-high-demand/