Syda Productions - stock.adobe.c
In an AI-first world, the future of cyber security is its workforce
The cyber security industry will experience immense change due to AI by 2030, so both employers and professionals need to grasp the nettle, and quickly, if they are to have the right skills and experience in place to succeed
The future of cyber security will not only be largely unrecognisable when compared with today, believes David Foote, chief analyst and research partner at Foote Partners LLC, it will also be “messy” and “unpredictable” as AI steadily reshapes the world.
The current focus of the profession is mainly on dealing with managed services, cloud workloads, end points and identities. But during a presentation at the ISC2 Security Congress 2025 in Nashville, Tennessee at the end of October, Foote said that is all about to change.
By 2030, nearly every business system, from finance to building controls, will include some form of embedded AI agent that makes decisions. These decisions will include moving money around and negotiating with suppliers. The upshot is that cyber security professionals will be defending everything from smart factories and robots to implantable medical, brain/computer interfaces.
“Imagine a world where biology and technology have come together and you’re trying to defend that,” Foote said. “It’s a very different world.”
Other systems requiring new means of protection will include both human-aware and neuromorphic devices. Neuromorphic chips, which mimic the neural systems found in the human brain, are currently being developed by suppliers, such as IBM and Intel. Systems based on such technology will not only be faster than existing computers, they will also be more effective at handling unstructured data.
The threats will come from everywhere
Important emerging technologies in the cyber security space itself, meanwhile, include autonomous security, and quantum encryption. Foote expects quantum computers to appear in as little as five to eight years, which he said will render existing encryption technology useless.
“Cyber security is becoming predictive, not reactive, and zero-trust is becoming table stakes – that’s the norm,” Foote said. “You’ll be securing autonomous systems and actors that function independently outside of your control.”
This means that “the threats will be coming from everywhere, not just the perimeter, as there is no perimeter security – the idea of the perimeter is gone”, he added. As a result, the role of cyber security professionals will move from being one of “protector” to advising the company on risk and ensuring everyone participates in managing those risks.
Another upshot is that the notion of identity will become more important than ever. “It’ll be identity first; identity everything,” Foote said. “Identity will become so much more dangerous than it is right now if you don’t have properly secured systems.”
The necessity of embracing change
But while the implications of dealing with such a future may feel scary, Foote believes that if cyber security professionals are willing to embrace the coming change, he “can’t think of a better future-proofed career with more opportunities”.
These opportunities will arise from the fact that “there’ll be more cyber attacks with higher costs, huge demand for talent, plenty of room for growth and opportunities to work with constantly evolving technology, an ability to work anywhere in the world, become self-employed, and it pays pretty well. It’s not something I see very often in the universe of IT jobs,” he said.
In terms of workforce shortages, for example, ISC2 estimates there is already a global shortfall of around 4.8 million professionals today. To make matters worse, the World Economic Forum indicates that only 14% of employers are confident they have the necessary talent to meet their cyber security objectives.
Key expertise here that is already in demand today, but will be even more so moving forward, is soft skills. As AI undertakes growing amounts of the knowledge work currently performed by practitioners, those who can communicate effectively and collaborate with the business will be valued particularly highly.
“In future, you’ll be working with machines, but you’ll also be collaborating much more with people you’ve never worked with before, with domains of companies you’ve never worked with before,” Foote said. “So, your ability to work in teams and perform well in teams, to change, learn, unlearn, relearn, fail, switch gears – it’ll be extremely important.”
These skills, which include creative thinking, leadership and social influence, resilience, flexibility and agility, will also become increasingly vital “as we move into the innovation economy”, he believes. This is because they will be crucial in helping companies to “stay alive”.
“In 2030, companies will be wondering if they can still stay in business after having gone through a breach that’s so bad their backup systems are gone, and they can’t even restore,” Foote warned. “It sounds frightening, but you’re going to have to be in a position to defend those things, which requires you to up your game.”
Demand for versatilists with business nous
However, he does not recommend doing this by getting more certifications or recertifying as “it won’t help”. Instead, the secret is to develop more business rather than technical nous.
“You’ll need to go to more business conferences, or even HR conferences, to understand more of what the business wants from you and how deeply you’re going to be involved in decision-making processes that you’ve never been involved with before if security is the prevailing factor over whether a company lives or dies,” Foote said.
Another growing shift among employers is their rising interest in so-called “versatilists” rather than generalist or specialist practitioners – with demand only likely to increase over the coming years. Versatilists have deep technical skills in one or two specific areas, but also have cross-domain literacy and an understanding of business context.
“Companies want someone with intelligence, incident response, AI security, identity, industrial control systems – they want that in one person, and they also want them with broad domain knowledge, so they can work all over the company and not just in one spot,” Foote added.
Interestingly though, he said, between now and 2030, employers will become less interested in the “smartest technologist in the room”. Instead, the focus will be more on finding professionals who can “translate between machines, risks and regulations…and business objectives, while keeping your team healthy and effective”.
The key point here, Foote said, is that “the work becomes more human as the tools become more automated”. This more human work includes understanding the risks, implications and ethics of AI.
Dealing with change at the top
Another shift at the top level of the cyber security echelons, meanwhile, is the emergence of the office of the chief information security officer (CISO). Coming in the wake of high burnout levels among former CISOs who have since left the profession, the office consists of two complementary leaders. Each can demonstrate expertise and strengths that are often difficult to find in a single individual.
The first is a technical professional who manages and supports the cyber security team. The second is more business-oriented, often a former internal consultant, who focuses on strategy and interacts with senior executives and stakeholders.
A similar, related move that Deidre Diamond, founder and CEO of recruitment consultancy CyberSN, has seen over the lpst few years is the creation of security director roles. “In the past, there were just CISOs and engineers or analysts but nothing in between,” she said. “No leads, no directors of security, so that suggests investment.”
Many of these security directors focus on strategy and, in some quarters, are being referred to as “chiefs of staff” for the first time. Usually coming from a governance, risk and compliance or architecture background, Diamond believes the role will be increasingly “critical to really staying on top of cyber capabilities and the rate at which change is happening”.
“They’re responsible not just for taking strategy and ensuring they hit it, but also showing where the gaps are in that strategy, where the cyber capabilities are, and staying on top of it every time there’s a move or change. It’s a lot of work,” she said.
Success equals a well-trained and motivated workforce
Lower down the ladder, Diamond pointed to the fall in the number of new entrants that employers have been hiring over recent years – something she described as a “problem for us all as these are our future people”.
For instance, the number of organisations taking on interns has dropped over the past three years. But this is not due to a dearth of willing candidates, iIt is instead because of a lack of people and time to train them in-house “unless they’re Fortune 250 or above”, she explained.
“This is still a problem on our plate and it hasn’t gone away,” Diamond said. “If anything, it’s gotten worse because, for the first time in the last 18 months, we’ve started outsourcing cyber security to other countries, and quite a lot of it, which means we’re training people over there and it’s causing us to have fewer skilled professionals here.”
To make matters worse, there is also a significant shortage of very skilled engineers or architects as it takes between five and eight years for professionals to get to that point.
“That’s a long time. So, the skills shortage does exist and it’s a training problem for sure,” Diamond said. “Even for firms that have the money for training and budgets, there’s just not time for people to take it.”
But Foote believes that, ready or not, change will simply have to take place, which means cyber security professionals need to be prepared. In his view, they have around 12 months before organisations become clearer about what it is they want and need in AI terms to obtain a return on investment, develop appropriate business plans to get there, and staff up accordingly.
The secret to success in this new world will not just be about defending systems though, he pointed out. It will be about building secure ecosystems, ethical AI policies, and a resilient culture that, most importantly of all, is based on a well-trained and motivated workforce.
Read more about cyber careers
- Cyber ‘agony aunts’ Amelia Hewitt and Rebecca Taylor are launching a book aimed at empowering women in their cyber security careers.
- ISACA accredited security professionals can now pursue a new AI security management credential.
- At a time when cyber security breaches are on the up and skills remain in short supply, security experts believe we may be missing a trick by overlooking unconventional sources of talent.
