I think there are four main trends that will play out in the field of information security in the next 20 years.
- (2021-2030) A Surge in Demand for InfoSec people will result in many more professionals being trained and placed within companies, likely using more of a trade/certification model than a 4-year university model.
- (2026-) Cyberinsurance will ascend as the primary mechanism for making cybersecurity-related product and service decisions within companies.
- (2030-) Automation & AI will start to result in fewer jobs filled by high-skill people as opposed to many jobs filled by lower-skilled workers.
- (2035-) Dueling Algorithms will become the main way that top-tier, large organizations both attack and defend.
Let’s look at each of these in more detail.
1. A Surge in Demand
(ISC)2 says there were over 4 million too few cybersecurity people in 2019.
This one is simple and everyone know’s it’s happening already. The world’s small businesses, hospitals, schools, and local governments are starved for cybersecurity talent, and there aren’t nearly enough people to fill the roles.
70% of cybersecurity professionals claim that their organization is impacted by the cybersecurity skills shortage.
ESG and ISSA
I think we need a national program to address this.
This gap between need and skilled people is even more acute due to the rise of the ransomware threat, and the world is going to have to respond with more people who can at least do the basics, even if that’s through short certification programs.
2. Cyberinsurance Will Ascend
Jeremiah Grossman and I have been talking about the rise of cybersecurity insurance for years now. I wrote my first big piece on it in August of 2015, and I still think it’s the future.
In short, it’s not smart to bet against insurance. It’s an industry that worships data because their profits depend on it, and that’s why they’ll be the first to be able to tell us what works and what doesn’t work in security.
Not only will that result in industry expertise—and eventually actuarial data—but they’ll be massively assisted by ever-improving AI that will be able to smell hackable organizations the way it detects ideal customers today.
Insurance companies will perform massive, centralized data aggregation exercises as part of their setup process for customers, and they’ll use that as input into their algorithms that determine risk of
3. Automation (powered by AI)
Nobody knows when this crossover will happen, but I think it’ll be between 10 and 15 years.
At some point, there will be a crossover between the increased demand for trained cybersecurity people and the rising efficiency of security technologies and security automation—assisted by more artificial intelligence.
New IT platforms will require less configuration, have more security built in, will include continuous asset management, as well as continuous configuration monitoring. And when something goes wrong, many of the issues will be fixed automatically or with minimal need for human interaction.
Think cloud security products, plus 15-years of advances.
In short, better platforms, with better security controls, all monitored and managed with automation and AI. There will still be a need for people to run these systems, but it’ll be fewer people who are specialists in the large, all-in-one platforms like AWS, Azure, or whatever is on top then.
4. Dueling Algorithms
The final stage of this is both tangible but also sci-fi, and essentially comes down to competing infrastructure that does:
- Continuous Inventory
- Continuous Security Monitoring
- Automated Changes When Issues Are Found
- Notifications to Humans When Automation Won’t Work (Prioritized Curation)
This model is also relevant for large enterprises.
The best example of the need for this is national level security intelligence, reconnaisance, and vulnerability assessment.
Every country will have massive collections of internet and internal-facing systems that are continuously scanning and monitoring everything it owns. It will then be using AI to rate the risk level of everything it touches, and if it finds something dangerous it will be able to either 1) remediate it immediately, or 2) notify a human team for investigation and follow-up.
Countries that maintain offensive cyber-capabilities will have this same type of infrastructure running against all their adversaries, and it’ll be doing the same thing in reverse. It’ll be constantly discovering their attack surface, indexing it, and observing it for weaknesses—all using AI.
Issues that are discovered will either be auto-exploited if possible and/or if the issue is time-sensitive, or the discovery will be prioritized and sent to a human team for additional scrutiny.
The future will be all about the best crawlers paired with the best AI.
So the cyber battleground will become a set of collosal discovery/monitoring infrastructures, which are working as close to realtime as possible, all being fed into AI that never sleeps. And that infrastructure will be fed into elite teams of humans ready to work on whatever the AI finds.
And this is for both attack and defense.
So the more thorough your automation, the faster it runs, the better the algorithms you have for detecting weaknesses and exploiting them using automation, and the better your human support teams—the better off that entity will be.
That’s the distant future of InfoSec, with humans playing less and less a part in the equation as time goes on.
Here’s my talk on this topic at DEFCON in 2020.
And this isn’t fantasy. I participate in the OSINT/Bounty/Recon scene and many of us in the field have been working on this stuff for years already, minus the AI which is still a bit early. But the idea of continuously monitoring—and even taking automatic action upon things that are discovered—is already happening in the infosec community, so you know it’s happening at the state level as well.
Ok, fine, but what do I do to get ready?
Well it depends who you are. If you’re a small to medium-sized company, find someone or some product that can get this type of infrastructure going for you.
If you’re an individual practitioner, become an expert in these types of infrastructure. If you want to ride the human work wave in InfoSec as long as possible, learn the big platforms like AWS, Azure, etc., with a focus in securing them.
And make sure you are good with data, which really means knowing how to code and use APIs. I recommend strong Linux and Python skills, with Go as a nice to have.
- I think there are four big trends for the future of infosec
- A Surge in Demand, The Rise of Cyberinsurance, The Rise of Automation, and Dueling Algorithms
- To survive as a human for as long as possible, become an expert in the big unified platforms
- Know how to get data in and out of APIs
- Keep in mind that trend #1 will be counterbalanced by the growth of people who need basic information security help. The question is when those two trends cross over.
- Image from information-age.com.
- If you want maxiumum safety, learn some data science and lift your data game even higher.