Machine learning and AI

The Impact of Automation on the IT Security Job Market

Frank Siemons
October 26, 2016

The growing influence of automation on daily life is noticeable everywhere. The news is full of job-cut announcements, often justified by automation projects. Self-serve cash registers at supermarkets have become the norm in the West. Physiotherapists pull exercises for common issues from an automated computer program. These are examples of tasks that were mostly performed manually before; now automation has at least partially taken over. Already highly automated systems, however, are also getting more complex and more intelligent. The first practical use cases for Machine Learning and, more broadly, Artificial Intelligence have already been put into production by big organizations such as IBM, Facebook, and Google.


Security Automation

The IT Security market is one of the front runners in the automation race. It is being flooded with security automation products from many vendors. The hottest topic in this market at the moment is Machine Learning. This is often confused with the even more interesting sounding term Artificial Intelligence, but that is not correct. Machine Learning is a more applicable, practical subset of Artificial Intelligence. Many products that are marketed with the Machine Learning or AI terms are actually traditional (correlation) rule-based tools such as SIEMs or behavioral analytics tools. However, looking through this mist of sales pitches and promises, it is clear to see that there are some genuinely interesting products available now and even more are on their way, which will eventually revolutionize the world of IT Security.

Current products

As mentioned, there are many products on the market that partially or fully automate some predictable, routine tasks. They focus on easily repeatable processes that never really deviate from their expected workflow. The most common reasons to automate these tasks are a requirement for fast response times, cost reduction and the avoidance of human error.

An example would be a partially automated endpoint antivirus product. If the detection product picks up a malware infection on a machine and also immediately isolates the host from the rest of the network, it prevents (lateral) spread of the malware within seconds and without the costs and delays associated with human intervention. Automation also comes with some, often complex, issues, however. What if that detection was a false positive on the laptop of the company CEO? The CEO would find him or herself without a system to work on and might lose important data. This is a risk that cannot be ignored. It means the automation processes quite often need to be limited in scope, and a lot of exceptions to the rule need to be made. Automation takes on some of the work, but human intervention is still required for the odd incidents that do not fit the automation mold.
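The scope limit and exception handling described above, as an added illustration that is not code from the article or from any vendor product: a small response policy that isolates a host automatically only when it is a standard workstation and the detection confidence is high, and otherwise hands the alert to an analyst. The asset tiers, confidence threshold and sample alerts are constructed values.

```python
"""Added example: an automated-response policy with a limited scope.
Standard workstations with high-confidence detections are isolated
automatically; everything else (executive or critical hosts, low
confidence, unknown hosts) is routed to a human analyst for review."""
from dataclasses import dataclass

# Constructed asset inventory: hostname -> criticality tier (assumed values)
ASSET_TIERS = {
    "ws-0412": "standard",
    "ws-0991": "standard",
    "ceo-laptop": "executive",
    "db-prod-01": "critical",
}

# Only these tiers may be isolated without a human in the loop (assumed policy)
AUTO_ISOLATE_TIERS = {"standard"}
MIN_CONFIDENCE = 0.90  # assumed detection-confidence threshold


@dataclass
class Alert:
    host: str
    confidence: float  # detector's confidence that this is real malware (0..1)
    signature: str


def decide(alert: Alert) -> tuple:
    """Return (action, reason). Actions are 'isolate' or 'review'."""
    tier = ASSET_TIERS.get(alert.host, "unknown")
    if tier not in AUTO_ISOLATE_TIERS:
        return "review", f"host tier '{tier}' is outside automation scope"
    if alert.confidence < MIN_CONFIDENCE:
        return "review", f"confidence {alert.confidence:.2f} below {MIN_CONFIDENCE}"
    return "isolate", "standard host with high-confidence detection"


def triage(alerts):
    """Apply the policy to a batch; return {action: [hosts]} in input order."""
    result = {"isolate": [], "review": []}
    for alert in alerts:
        action, _ = decide(alert)
        result[action].append(alert.host)
    return result


# Constructed sample alerts covering the normal case and each exception path
SAMPLE_ALERTS = [
    Alert("ws-0412", 0.97, "Trojan.Generic"),      # in scope, high confidence
    Alert("ceo-laptop", 0.99, "Trojan.Generic"),   # confident, but out of scope
    Alert("ws-0991", 0.60, "PUA.Toolbar"),         # in scope, low confidence
    Alert("unknown-host", 0.95, "Ransom.Sample"),  # not in the inventory
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a.host, *decide(a))
```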

There is also a need for automation and security experts to develop, monitor and maintain the automated system itself. Who else would put in the logic that the automation leans on, and who would keep it up to date with the organization's ever-changing profile?

Another example of recent developments in this field is SIEM automation add-ons such as HP's ArcSight User Behaviour Analytics (UBA) module. This can be seen as an advanced, more intelligent correlation engine that combines more and better data inputs to do some of the analytics before presenting them to the analyst. Again, some of the work is automated, but human actions are often still required at some point. In the end, much automation is simply done using complex scripts, via many if-then-else statements. There are many more opportunities for improvement. The real benefits of automation to organizations will show once no or hardly any human action is needed to complete the automated process.

Future development

The future is normally hard to predict. However, when it comes to IT Security Automation, it is easy to see this is only headed in one direction: forwards. There is a lot of investment in this sector, and there are many reasons why. It is hard to find skilled IT Security staff globally. This has led to a growth in wages, which is a real issue even for those employers lucky enough to hold enough staff. The lack of manpower forces organizations to automate certain tasks, and the savings made on the normally high wages pay for the development costs. Another reason is the demand for a reduced Time-to-React. The risks of a serious breach have significantly increased due to increased network connectivity and reliance on data availability and confidentiality. This means an attack needs to be detected and, if possible, prevented or mitigated within seconds. That is very hard to achieve when any form of human interaction is placed in the process chain. Imagine critical management and security staff being notified 30 minutes after an outage or major breach detection because the detecting analyst had to fill out all the digital "paperwork" first. That is just not acceptable anymore in an online world where 30 minutes could cost an organization millions.

Researchers and developers have been focused on replacing that expensive and relatively slow traditional "brain" with a digital version by using machine learning technologies. A machine learning system would not just run through a set of preconfigured rules like a series of if-then-else statements; it would build its own logic using complex algorithms.

A very telling example here is a development from IBM, announced in early 2016: "a new, cloud-based version of its Watson cognitive technology is being trained to help detect cyber-attacks and cyber-crimes." They see a big market in this, based on a reduction in the workload of mundane tasks currently sitting with security analysts, so these analysts can focus on more complex issues. It is easy to see that if (when) this product becomes more "intelligent", lower skilled security analysts are going to find it harder and harder to compete with this automated system and to justify their existence within the organization. Many other, often smaller and very young vendors such as Darktrace and SparkCognition are working on AI-based detection and protection systems as well. A more recent and controversial development is the creation of AI for cyber-attack purposes. This was brought to the table during a DARPA competition at BlackHat 2016, for instance. It demonstrated that an offensive AI can be used for superfast penetration testing, even capable of automatically developing patches and fixes on the fly. Just like any penetration testing tool, this will eventually end up in some dubious hands as well, of course. This would both increase the need to react fast to an attack and increase the complexity of such an attack.

Impact on the job market

It will be interesting to see what impact all these developments will have on the IT Security job market. In fact, they already have an impact. Where over the last few years the lower tier analytics roles were more and more outsourced to third parties, some are now starting to be replaced by automated systems. As mentioned, the lack of available staff, the increasing costs and the demand for shorter response times have made this inevitable.

When looking at the future of the IT Security job market, it is important to look at the broader, future AI impact as well. Traditionally it was thought it would be mostly the lower skilled jobs that were to be impacted by (AI) automation, such as factory workers and call center and retail sales staff.

More recently, however, it is thought that (especially) some of the higher skilled occupations will be relatively easy to automate and will provide the fastest return on investment. Being good with your hands might not be a bad thing within the job market of the future. That accountant or family physician could have a harder time staying relevant to the needs of the future employment market, simply because of the increasing complexity of the work and the higher demand for specialized staff.

Bringing this back to the IT Security market, those same thoughts could be applied there. Attacks have become much more complex, and defense strategies have followed that same path. The Incident Response Time expectancy has also been reduced, sometimes down to minutes, which is something a human analyst can hardly deliver.

This means that while AI is still in an early development phase, the lower tier 1 and tier 2 jobs might be under threat, but eventually some of the higher skilled and more specialized positions will be affected as well.


How to adapt and even benefit

Is there no hope and no future within the IT Security sector for current and prospective workers? There will actually be plenty of opportunities. The key is to adapt and grow in the right direction. That is a skill a good security professional needs to have anyway, but due to the inevitable changes in the job market, it will become more and more important. Just as a VHS repair person or a photo development lab employee needed to reskill in the 1990s, the security professional will need to diversify soon. The IT Security sector will simply require a different skillset. There will be a greater need for Data Scientists who also understand Security, for instance. Someone will need to develop and maintain these AI-based systems, after all. Why not study in that direction? Another option is simply to upskill. These AI-based detection technologies might pick up a large part of the work within an organization, but they are not perfect. Previously unseen incidents might show up that fall between the "automation cracks" and could still need human analysis at a high level. The environment will change. The main thing is to keep an eye out for what is happening. Embrace it, enjoy it and adapt over time.

Frank Siemons

Frank Siemons is an Australian security researcher at InfoSec Institute. His track record consists of many years of Systems and Security administration, both in Europe and in Australia.

Currently he holds many certifications, such as CISSP, and has a Master's degree in InfoSys Security from Charles Sturt University. He has a true passion for anything related to pentesting and vulnerability assessment and can be found on Twitter; his handle is @franksiemons.