Cybersecurity

The cybersecurity industry is constantly evolving because of technological advances, labor issues, new security threats, and other industry developments. For example, the emergence of quantum computing will further change the industry. Quantum computing is a type of advanced computing in which quantum computers are used to solve challenges of massive size and complexity that cannot be solved by the computing power of traditional computers. The World Economic Forum says that quantum computers will “provide transformational opportunities but could threaten the security surrounding everyday computational tasks and sensitive data. Mitigating the cybersecurity risks from quantum computers will require organizations to implement quantum-secure cryptography over several years, although there are steps that can be taken now.” Here are other noteworthy trends and issues in cybersecurity.

Artificial Intelligence's Major Effect on Cybersecurity

Artificial intelligence is technology that can be programmed to make decisions which normally require human thought and act independently of humans. It has been around in some form for decades, but recent technological advances (including the creation of generative AI) have increased its uses and effectiveness. Generative AI (e.g., ChatGPT, Bard, DALL-E) is a form of machine learning algorithms that can be used in a variety of ways, such as:

• creating new content (including text, simulations, videos, images, audio, and computer code)
• helping developers write code and identify errors more efficiently
• more quickly identifying the solutions to cybersecurity problems
• analyzing and organizing vast amounts of data and other information.

AI has both negative and positive uses. “AI provides criminals with an autonomous and algorithm-driven toolkit to hack systems and hide their tracks quickly, without much in the way of manual input,” explains Chester Avey in “The Future of Cybersecurity in an AI-Driven World,” an article in Tech News. Cybercriminals and other bad actors can use AI for spear phishing, forgeries (including deepfakes and the creation of other types of synthetic media), password cracking attacks, and generating malware at a faster pace than it can be detected.

On the other hand, AI is already used in the cybersecurity industry to save time, money, and identify and respond more quickly to threats. Here are some ways that AI is used for cyber defense:

• predictive analytics (to identify potential vulnerabilities quickly and autonomously)
• incident response (to increase the speed of threat identification and containment)
• more powerful encryption (future-proofing systems with multi-factor authentication such as biometrics and one-time passwords)
• access management (screening users in real-time and validating identities using facial recognition software)
• network monitoring (AI algorithms are used to identify malicious activity such as distributed denial-of-service attacks)
• automating security tasks to save time (a study by IBM found that “AI-powered risk analysis can produce incident summaries for high-fidelity alerts and automate incident responses, accelerating alert investigations and triage by an average of 55 percent”)

Expertise in AI has become a sought-after skill for cybersecurity professionals. In 2023, artificial intelligence/machine learning ranked amongst the top five in-demand skills by ISC2 after not even making the top 10 in-demand skills in 2022. “In the coming years, this skill has the potential to spike in demand as AI matures and influences various aspects of cybersecurity threats and defense,” according to ISC2. A noteworthy finding by ISC2 is that 84 percent of study respondents said that they had no/minimal knowledge or only some/moderate knowledge of artificial intelligence/machine learning. The skills shortfall suggests that there will be excellent demand for cybersecurity professionals who have expertise in AI/ML (especially in generative AI)—or who are willing to learn how to use it.

Although AI may replace the need for cybersecurity workers to perform basic monitoring and response tasks, skilled professionals will still be needed to supervise, analyze, revise, and optimize AI-powered processes. They’ll also be needed to develop new software that can be used in threat detection and response.

Rise in Cryptocrime

Cryptocurrency is a digital cash system that is increasingly being used as a substitute or complement to traditional currency. Cryptocurrency payments are not processed through a central banking system or trusted third party, but are sent from payer to payee. Decentralized finance (DeFi) is an emerging model for organizing and facilitating cryptocurrency-based transactions, financial services, and exchanges. “Rapid growth in the use of DeFi services is creating a new soft spot for global financial systems, fostering new methods of cryptocrime for criminals whose rug pulls’ and other attacks will…cost the world $30 billion in 2025 alone,” according to the 2022 Official Cybercrime Report, from Cybersecurity Ventures and eSentire. This total is nearly twice the $17.5 billion in 2021.

Zero Trust

Zero trust is the concept that a computer network, other technology, or even physical structures cannot be trusted by default and that they are always at risk from internal and external threats. A zero trust security model verifies and authorizes every connection to ensure that it meets the conditional requirements of the organization’s security policies.

CompTIA says that the emergence of cloud computing and the increasing use of mobile devices has changed long-time cybersecurity approaches. “As organizations grappled with the paradigm shift, part of the difficulty was in defining a comprehensive approach that informed a wide range of cybersecurity decisions,” according to CompTIA’s 2022 State of Cybersecurity report. “Zero trust emerged as the answer to that dilemma,” according to the report. [It] “is starting to move from broad policy into tactical processes. For several reasons, adoption of zero trust will not take place overnight. First and foremost, zero trust represents a drastically different way of thinking about cybersecurity. Rather than viewing cybersecurity as one of many components within the IT function and simply investing in hardware or software, companies must now view cybersecurity as an organizational imperative, extending beyond technology products into decisions around workflow and workforce.” Only 21 percent of cybersecurity professionals who were surveyed said that their organizations had a zero trust framework in place, but this percentage is expected to increase rapidly as a result of the increasing frequency, severity, and complexity of cyberattacks.

Rising Cybercrimes in the Metaverse and Other Areas

The metaverse is an emerging 3–D-enabled digital space that uses converging technologies (e.g., artificial intelligence, augmented and virtual reality, digital twins, blockchain technology, cloud computing, social platforms, e-commerce, Internet of Things) to create a lifelike experience online. It can be used by people to have fun, engage in commerce, meet business and other goals, and for other purposes. The data analytics firm Gartner estimates that 20 percent of people will spend at least one hour per day in the metaverse by 2026. Annual revenue in the metaverse has reached $1 trillion—making it a top destination for cyberattacks in the next few years.

“The metaverse represents an area where consumer threats will be different from years past,” says Anna Larkina, a security expert at Kaspersky, who was quoted in an article about cybersecurity threats at the company’s Web site. “Fake, malicious VR and AR apps, as well as privacy risks and potential abuse associated with this new frontier, will account for threats we haven’t necessarily seen before,” she says.

In addition to the metaverse, there have been an increasing number of cyberattacks and other cybercrimes against people who use gaming and streaming services, fans and teams at large sporting events, and users of health and personal fitness apps. Additionally, Kaspersky predicts that cyberthreats will increase in the areas of online education platforms and learning management systems. “The trend is not new, but the relevance of concomitant threats will grow along with the growth in digitalization: trojanized files and phishing pages mimicking online educational platforms and videoconferencing services,” according to “Consumer Cyberthreats: Predictions for 2023,” at the Kaspersky Web site.

Worker Shortages Will Continue

Nearly 1.5 million cybersecurity workers were employed in the U.S. in 2023, according to ISC2. But the industry association reports that there was a shortage of more than 1.3 million workers in the United States, and shortages exist worldwide. ISC2 estimates that the global cybersecurity workforce gap was nearly 4 million workers in 2023. Industries reporting the highest levels of staffing shortages included (in descending order): education, government (non military), nonprofits, military/military contractor, aerospace, healthcare, automotive, and energy/power/utilities. Skills gap factors cited by ISC2 survey respondents included:

• unable to hire qualified workers
• high turnover (due to low wages/lack of promotion opportunities)
• no budget to hire new staff
• no emphasis at the employer to train non-security IT staff to become security staff
• people with these skills recently quit or were laid off, and no new hires have been made

Employers are taking a variety of steps to address worker shortages, including increasing compensation and benefits, reimagining job requirements and expanding employment pipelines to attract IT professionals without cybersecurity experience and people who have no or little IT experience, creating and improving internship and other experiential learning opportunities, and launching programs to educate underrepresented groups (e.g., women, minorities) about educational requirements, potential career paths, and the benefits of working in the field.

Large tech companies—such as Microsoft, Google, HPE, and IBM—are creating or improving training initiatives and educational pipelines that make it easier to enter the industry. Noteworthy programs include Cyber Million (https://www.immersivelabs.com/cybermillion) from Immersive Labs and Accenture, and the SANS Diversity Cyber Academy (https://www.sans.org/cyber-academy/diversity-academy).

Improving Ethnic Diversity

The ethnic diversity of cybersecurity staffs in the United States, Canada, the United Kingdom, and Ireland is improving. In these countries, 70 percent of cybersecurity professionals age 60 and older are white men, according to the ISC2 Cybersecurity Workforce Study, 2023. But just 37 percent of cybersecurity professionals under 30 are white men. Study respondents placed a significant value on workplace diversity. Sixty-nine percent of respondents said that having an inclusive work environment is essential for team success. Fifty-seven percent said that diversity, equity, and inclusion initiatives will continue to increase in importance for their cybersecurity team over the next five years.

Shifting Pathways into Cybersecurity

Eighty percent of cybersecurity professionals believe that there are more pathways into cybersecurity than existed in the past, according to the ISC2 Cybersecurity Workforce Study, 2023. Here are some major trends from the study:

• The number of applications from people with non-cybersecurity technical backgrounds is increasing, and employers are changing their hiring requirements to attract more candidates from this group.
• Employers are increasingly trying to recruit technical people from within their organization to move to cybersecurity roles.
• The number of new hires who participated in a cybersecurity apprenticeship or internship before their first job is increasing.
• More older workers are deciding to enter the field. The percentage of new entrants into cybersecurity professions who were age 39 or older grew from 37 percent in 2021 to 48 percent in 2023.

Emerging Skills Gaps

Although there’s a shortage of 4 million cybersecurity workers worldwide, some companies are shedding workers and cutting budgets in order to improve their financial bottom lines. As a result, ISC2 and other industry organizations are reporting increasingly critical workforce skills gaps. Sixty-seven percent of cybersecurity professionals who were surveyed for the ISC2 Cybersecurity Workforce Study, 2023 reported that their organization “has a shortage of cybersecurity staff needed to prevent and troubleshoot security issues.” Ninety-two percent of respondents said that skills gaps existed in their organizations. The most-common skills gaps were (in descending order) cloud computing security, artificial intelligence, zero trust implementation, and penetration testing.

Increasing Opportunities for Women in Cybersecurity

Worldwide, women comprise only 26 percent of cybersecurity professionals under the age of 30, according to the ISC2 Cybersecurity Workforce Study, 2023. This is much lower than their percentage in the workforce.

Factors that have limited the number of women in the field include low enrollment levels in STEM education fields (a major pipeline for cybersecurity workers), gender discrimination and sexual harassment, lower earnings than men, a lack of female mentors and sponsors, a perceived lack of work-life balance, and a lack of advancement opportunities.

Women in Cybersecurity, Breaking Barriers Women in CyberSecurity, Latinas in Cyber, Women’s Society of Cyberjutsu, Association for Women in Computing, National Center for Women & Information Technology, other industry organizations, and some large cybersecurity companies are working to increase the number of women entering the field by offering career mentorship programs, scholarships, internships, and other programs and resources. The World Economic Forum reports that 75 percent of employers have formal structures to recruit more women. Initiatives (e.g., Leading Cyber Ladies, CybHER) and conferences (e.g., The Diana Initiative) are also helping to increase the number of female cybersecurity professionals.

The good news is that these and other programs and initiatives are working. Cybersecurity Ventures predicts that women will represent 35 percent of the global cybersecurity workforce by 2031—up from 10 percent in 2013.