Cybersecurity's Human-Machine Paradox

As we automate security, we change the value that humans bring to the table.
Blog Post
July 17, 2018

When it comes to the looming machine takeover of millions of human jobs (a recent study found that, by 2030, 75 to 375 million workers will need to switch occupational categories due to automation), cybersecurity practitioners are in a tough spot. On the one hand, cyber professionals want the machines they use to become smarter and better, making their jobs easier and making everyone safer. On the other hand, that kind of progress raises a question: Will today’s human cybersecurity jobs be the domain of machines in 2030? The answer is nuanced, so let’s examine it.

The automation trend

Cybersecurity professionals (current and in training) have long heeded advice on becoming intimately familiar with the machines that drive business—learning security tools, protocols, and tradecraft to protect and monitor those systems. People are investing tremendous time and energy into understanding and working with these machines. Yet this same machinery is rapidly becoming more efficient at securing itself. And here lies the paradox: We’re tuning the machines to gradually do security on their own, yet by doing so, we’re reducing (or changing) the value we as humans bring to the equation. This leaves some professionals questioning how to stay relevant (more on that below).

From the launch of “planet-scale,” AI-driven cyber solutions by Alphabet’s Chronicle to the widespread adoption of orchestration and automation platforms, we’re seeing an inevitable shift: Responsibility for certain data-heavy, high-volume, and repeatable security tasks (e.g., basic incident triage and remediation) is being transferred from the fallible human to the higher-assurance machine. Gartner reports that, as soon as 2020, 15 percent of organizations will be using automation as part of normal security operations (up from one percent in 2017).

This movement is seeking to reduce the friction of human interference—and for good reason. As Oracle founder Larry Ellison said, “It can't be our people against their computers—we're gonna lose that war. It's gotta be our computers versus their computers.” So, as we ride this wave of increasing automation, where does this leave the human in the cybersecurity discipline? As machines become more capable, what jobs and skills remain uniquely human?

Let me be clear: there will be a lot of opportunity left for humans for decades to come.

Since cybersecurity is a game of agility and ingenuity, we need fresh ideas. Humans generate those. Machines can’t. Sample jobs that will continue to need a human touch might include:

Strategy: Analyzing how a business is changing, and imagining what its cyber strategy should therefore look like

Threat Analysis: “Hunting” through complex data stores to connect dots around what an adversary is seeking to do in an environment, and applying business context

Architecture: Blueprinting original concepts for how to deploy security infrastructure for maximum impact and efficiency

Continuous Improvement: Synthesizing test and exercise results to develop lessons learned and improvement plans

Organizational Change Management: Obtaining stakeholder buy-in and advocacy for evolving the business to a cyber-secure culture

Program Management: Deciphering investment priorities, allocating budgets, and tracking progress

Machines aren’t replacing humans in cybersecurity, but rather displacing them—pushing them to evolve their skills and take on jobs that serve as important enablers to the machines.

Timeless cybersecurity skills

What’s special about the jobs listed above is that they’re not machine-driven. While machines might support them, these jobs rely on innately human skills centered on the “Four Cs”: critical thinking, communication, collaboration, and creativity. These are the skills that change hearts and minds, inspire a following, devise compelling technical solutions, and—ultimately—change the world.

The Four Cs are timeless skills that don’t get nearly enough attention in the cybersecurity field—either on the job or in formal education forums. As you move up the ladder or simply seek to exert more influence, you’ll find these are the “make or break” skills that hold you back or propel you forward. Today’s cyber professionals can’t afford to underestimate the value of learning and mastering the Four Cs. Here are some example applications of these skills:

Skill: Critical Thinking
Definition: The ability to reason effectively, use systems thinking, make judgments and decisions, and solve problems
Example Application to Cyber: Synthesizing multiple variables about the environment (e.g., threats, critical assets, capability maturity) to determine where to apply enhanced security controls

Skill: Communication
Definition: The ability to (a) clearly articulate thoughts and ideas using oral, written, and nonverbal methods and (b) listen effectively to decipher meaning
Example Application to Cyber: Presenting an engaging, emotion-grabbing story to the board of directors on how security must enable the business

Skill: Collaboration
Definition: The ability to work effectively and respectfully with diverse teams, exercising flexibility and willingness to make compromises to accomplish a common goal
Example Application to Cyber: Working with business application owners to understand specific security requirements and identify custom needs or exceptions for local operations

Skill: Creativity
Definition: The ability to employ a range of idea creation techniques, test and refine concepts with other individuals, and implement innovation in practice
Example Application to Cyber: Working with a team to understand stakeholder sentiment on the cybersecurity value proposition and devising ways to influence skeptics

While it’s vital to maintain technical acumen as the cyber landscape evolves, it’s even more important that we invest in developing the Four Cs. For those with extraordinary cyber career aspirations, think hard about the skills you’re developing. Don’t just develop the hot skills of today; also build specific skills that will endure. Whether you’re currently a senior executive, a mid-level SOC analyst, or a high schooler aspiring to enter the field, know that investing in these skills could mean the difference between having an amazing professional experience (your job) and losing out to a machine.