Security experts will tell you that humans are the weakest link in the cyber security world. The facts speak for themselves, over 90 percent of security incidents are due to human error. This is when people do things like click on a bad link, open an attachment which is laden with malware or fail to change default passwords. I’d argue, that humans must be our greatest strength when defending ourselves from cybercrime and they’ll achieve this by augmenting their security intelligence with technology.
This augmented intelligence will come in a few ways, with cognitive technologies and artificial intelligence (AI) already helping consumers spot phishing websites and better filter spam. The most pressing need for augmented intelligence really is needed in the security operations center where teams of analysts pour over hundreds of thousands of security events per day looking for the real threats to businesses. In fact, our research has shown that the average company deals with 200,000 of these events per day.
But here is the problem, there is an expected shortage of over 1.5 million professionals to fill these jobs in cybersecurity. That means that companies can’t hire enough people for good paying jobs with an average salary of over $90,000. Couple that with the fact that cybercrime costs the global economy $445 billion each year and we have a perfect storm brewing. While cybercriminals get better at their craft, the businesses defending against them literally have empty seats on the other end of the wire.
There has been plenty of debate on the role artificial intelligence will play in our future. Some point to the technology as a job killer. In the world of cybersecurity, AI is going to be a job multiplier and it will create opportunities for “new collar” positions in cybersecurity. I see prioritizing these types of positions as one way to overcoming the skills shortage and making sure companies and governments can properly defend themselves.
What do I mean by new collar jobs? Essentially, these are jobs that prioritize your skills, knowledge and willingness to learn over the degrees you earned. That means you don’t necessarily need a four-year degree in computer science to make a difference in a security operations center. There are some essential elements to a cybersecurity professional that can’t be taught in a classroom. These include an investigative curiosity, a passion for problem solving, strong ethics and an understanding of risks. People with these skills, like new collar cybersecurity professionals we are hiring at IBM, can be taught the necessary technical skills and much of this learning can be done on the job, in community college classrooms, and through modern vocational and skills education programs.
At IBM, we see a new education model called P-TECH as one way to train these new collar workers for a job in cybersecurity. These programs provide public high school students in grades 9-14 a clear path to post-graduate opportunities in fields aligned with skills American employers are looking for. They combine the best of high-school, community college, hands-on-skills training and professional mentoring.
Once these graduates enter the workforce, AI enters the equation to help them get a fast start. For example, it would make it possible for junior analysts to have the ability to investigate a new malware infecting mobile phones of employees. So, how does this work? Essentially, AI helps to augment the analyst’s daily activities by acting as an assistant. It would quickly research the new malware impacting the phones, identify the characteristics reported by others and provide a recommended remediation.
The way analysts work now is they need to go to dozens of databases, blogs and other sources of data to research the malware. Then pick it apart, talk to colleagues and figure out how to best remove it from the mobile devices. Much of this data is hard to find and wastes valuable time. To highlight the amount of security information available today, there are about 60,000 security blogs per month, and 10,000 security reports per year. We estimate that organizations are spending $1.3 million a year dealing with false positives alone, wasting nearly 21,000 hours.
Even if the industry we’re able to fill all 1.5 million of those projected job opening in cybersecurity by 2020, we still would have a skills shortage in cybersecurity without AI. The threat landscape is changing rapidly, with the sophistication and numbers of threat variants becoming too great to stay abreast of, using traditional approaches. The repercussions of incidents and breaches are increasing, with the financial costs and risks growing rapidly. This is why IBM is investing in systems like Watson for Cyber Security to help bring AI to cybersecurity. We see the technology not only commercially important but an important progression in the way people will work and companies will defend themselves.
As I emphasized today in remarks before the Senate Commerce Committee, the U.S. needs to maintain its leadership in AI research.
IBM will vigorously advocate for legislation to better match U.S. career and technical training with new collar career paths in cybersecurity and other fields. We also need a stronger pipeline of students overall to complement these new collar positions. This will come when universities modernize their degree programs to include security as a major. IBM is putting our own recommendation into action. Since 2015, new collar cybersecurity professionals have accounted for around 20 percent of our security business’ U.S. hiring.
AI is the advantage commercial businesses and governments currently have over hackers and now is the time to use the technology to shift the balance in power back to the good guys. Creating opportunities for people to work side-by-side with machines is the only way we’re going to successfully do it. Let’s get creative in creating those opportunities because our current framework is not prepared to scale at the rate we need it to.
Caleb Barlow is the vice president of threat intelligence for IBM Security.
The views expressed by contributors are their own and are not the views of The Hill.