Gomez-Sanchez and Turpin are speaking at the CSO Cybersecurity Awards & Conference, May 11-13. Reserve your place. And then there’s AI. When it comes to security, AI may help partially offset cyber skills shortages by automating certain tasks, but it also ramps up cyberattack volumes and expands the organizational attack surface, without fixing CISOs’ ongoing talent pipeline problems. In fact, AI may end up worsening the structural skills shortage.”You can have 100, 1,000, 10,000 instances of AI doing the work of enabling attacks at much greater scale, including against smaller, less protected targets because they’re now within reach because the barrier is lower,” says Turpin.This increases the pressure on defenders, putting more pressure on the workforce challenge, even as AI helps automate some tasks. But it’s not going away and will only increase in importance for both attackers and defenders.”I’m encouraging my teams to look for opportunities to leverage AI and look at how our vendors are leveraging AI,” he says.”This is what we’re going to be dealing with five years down the road. It’s going to be the center of technology so we can’t afford not to learn this,” he adds.
Reducing the organizational risk of skills shortages: Skills shortages are more than just an inconvenience; they pose organizational risks on par with threats and malicious attacks, says Gomez-Sanchez, who views them “much the way that you think about threat actors and vulnerabilities.””Your ability to execute is limited by the amount of people you have to actually do the work,” he explains.As a result, Gomez-Sanchez encourages CISOs to view the skills gaps and talent shortages as a first-class security risk that needs to be managed as a KPI for the security function. “Our ability to attract and retain good talent is a major measure of capability,” he says.Being structural rather than temporary, skills gaps place significant pressure on CISOs’ sourcing decisions. “Security people may choose to do things differently, especially as it relates to insourcing or outsourcing because of the talent shortage,” Gomez-Sanchez notes.By the same token, staffing constraints can shape architecture and tooling choices. For example, Gomez-Sanchez adds, a host of best-of-breed point tools instead of a more integrated platform usually requires more headcount and expertise to stitch together.Gomez-Sanchez also gives the example of adopting a single hyperscaler versus a multicloud strategy and the increase in human workload and skills required to secure it. “Ultimately, you want to leverage native controls within the hyperscaler, and that requires you to have specialized skills in each one of those,” he says.CISO have also looked to automation to absorb some headcount pressure, but doing so isn’t always a simple fix. Gomez-Sanchez sees agent-enabled automation as a means for providing more firepower for developers and analysts, among other roles. But the reality of agentic AI capabilities for cybersecurity remains a work in progress.What’s clear is that persistent talent shortages are forcing CISOs to rethink hiring and training as one of numerous ways to reduce the risk that comes with the skills gap. This entrenched problem, and CISOs’ attempts to address it, will also have a significant impact on the decisions security leaders will make regarding cyber architecture, platforms, processes, and AI use ahead.The cyber talent gap is putting increasing pressure on the cyber agenda, and your peers are already adapting. Hear Juan Gomez-Sanchez, Keith Turpin, Jen Spencer, and other leading CISOs share what’s working at the CSO Cybersecurity Awards & Conference, May 11-13. Secure your seat before it fills up.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4166157/cisos-step-up-to-the-security-workforce-challenge.html
