The Trend du Jour Never Dies—It Just Gets Rebranded with AI

From the dotcom craze to the cloud and now artificial intelligence, every new IT obsession claims to revolutionize security. But behind the hype, the same old question remains: will innovation make us safer, or just better at automating mediocrity?
Dec. 17, 2025

Key Highlights

  • The Dotcom boom was characterized by flashy advertising and rapid growth in web presence, setting the stage for future tech trends.
  • Cybersecurity evolved from manual vulnerability management to standardized, report-driven approaches, heavily reliant on compliance and automation.
  • AI is increasingly being integrated into cybersecurity to automate vulnerability detection, documentation, and mitigation, raising questions about the profession's future and certification requirements.

Like many, I remember the Dotcom boom fondly.  I was working in the technology sector after my military career ended in early retirement.  It was exciting to turn on the Super Bowl and see the seemingly limitless advertising dollars being thrown at the tech sector. I could sit on the couch, point at the commercials, and explain to my wife what each company did and how they were growing revenue.

In a couple of years, many of the advertisements were about creating your own website.  Vendors like GoDaddy created racy television commercials to generate media buzz while everyone was lining up to establish their own Web presence. Next was the great cybersecurity wave, starting with the virus scares of the 1990s and early 2000s. I was working for security powerhouse Symantec at the time and remember being the guy all my relatives called every holiday season for advice on protecting their credit card information online.

This trend lasted for nearly a decade.  Then, in 2012, GoDaddy introduced the first “cloud IT” advertisement during the Super Bowl XLVI halftime show. For several years thereafter, cloud IT was the trend to watch. Then, suddenly, it all just disappeared.  Now we are being bombarded by AI advertisements, along with numerous warnings and cautions about how this latest IT trend is going to affect not only how we compute and manage data, but also how it will influence our workforce through robotics and automation.

AI and the Big New World

In the security profession, the rise of AI shouldn’t surprise anyone: we’ve been headed down that road for two decades. A career that once began as data/computer security evolved to embrace the trendier cybersecurity moniker. It was once a career that required a detailed understanding of specific technical vulnerabilities that could be mitigated through the encoding and deployment of countermeasures. But it simply outgrew the small closet it once occupied. As the number of vulnerabilities skyrocketed, vendors and start-ups rushed to offer comprehensive sets of countermeasures that companies would happily pay for, rather than investing in them piecemeal.

Organizations such as the National Institute of Standards and Technology and the Center for Internet Security have spent years publishing guidelines and standards that have struggled to keep pace with the rapid development of new technology.  Ultimately, companies seeking to protect their digital assets demanded out-of-the-box solutions, which the next generation of start-ups aimed to deliver.  Cybersecurity jobs became focused on compliance with standards and guidance, utilizing large Excel spreadsheets and even specialized software applications to identify and track vulnerabilities. The more inclusive solution providers could then gather and deploy countermeasures to mitigate them at speed.

As cybersecurity evolved, companies hired teams from Big Four accounting firms and highly specialized groups from dedicated security firms to assess their security posture and make recommendations. To meet the incredible demand, these consultancies had to quickly train a growing number of their employees on how to perform this complex service. There were not enough highly skilled cybersecurity professionals who could do this.  Enter the security report template. Over twenty years ago, these firms found they could best use their experienced staff to develop the initial reports and then dispatch inexperienced associates to client sites with the templates and ask them to fill in the blanks.

This process started as simple cut-and-paste efforts based on previously performed audits and security reviews. But consulting partners quickly realized EVERY company had some subset of about 25 major security problems.  They just needed to gather and document a description of these problems along with recommendations to mitigate the security vulnerabilities. Now, they only needed to train an associate to go on-site at a client and identify which problems existed there and then return to the office to create a customized report by popping in the client’s name along with the standardized template created a year or two ago by the wizard employees.

This actually worked to address most companies’ needs, as many (if not most) of these reports were conducted to meet an audit requirement or a federal corporate regulation. Instead of serving as a critical roadmap for an enhanced security posture, these security reports became dusty shelf fodder that merely met the requirements of an auditor or federal agency for a security review.

As AI enters our profession, it will initially be implemented as a more automated version of these template reports. Vendors will develop AI tools to perform all these functions quickly and efficiently through automation.  They will crawl a company’s network, diagnose the vulnerabilities, then document and even deploy mitigation capabilities.  So that begs the question: what is the cybersecurity profession going to become and is there a certification for that?

About the Author

John McCumber

Cybersecurity Consultant

John McCumber is a cybersecurity executive providing targeted guidance for industry and government initiatives. He also develops and delivers consultative support for CIOs/CISOs in cybersecurity, data management, privacy and analytics. He is a retired US Air Force officer and former Cryptologic Fellow of the National Security Agency. During his military career, John served in the Defense Information Systems Agency and on the Joint Staff at the Pentagon as an Information Warfare Officer during the Persian Gulf War. John is a former Professorial Lecturer in Information Security at The George Washington University in Washington, DC and is currently a technical editor and columnist for Security Technology Executive magazine and the author of the textbook Assessing and Managing Security Risk in IT Systems: a Structured Methodology. He is now semi-retired and living the good life with his wife near Ocala, Florida.
