Cybersecurity executives have long bemoaned how hard it is to hire staff, citing a dearth of talent with the necessary experience to fill roles that are notoriously high-pressure and can burn people out. But recently, some of those executives have found a solution: Instead of hiring new security professionals, they’re turning to AI to help them fill the open roles or cut back on existing staff.
Welcome back to our special report series on cybersecurity. We’ll publish this newsletter throughout the quarter to keep you up to date on how artificial intelligence is reshaping this field. The first installment is here.
Cybersecurity executives have long bemoaned how hard it is to hire staff, citing a dearth of talent with the necessary experience to fill roles that are notoriously high-pressure and can burn people out.
But recently, some of those executives have found a solution: Instead of hiring new security professionals, they’re turning to AI to help them fill the open roles or cut back on existing staff.
Software incumbents such as Microsoft, Palo Alto Networks and Cisco, as well as newer startups, are pitching tools to automate the work of entry-level cybersecurity workers.
IT executives across the business world are considering whether and how to embrace the new tools, which aren’t cheap but can still save them money by replacing other tools or human labor, however imperfectly.
Over the past year, IT infrastructure services giant Kyndryl has been using software from Palo Alto Networks that automates the repetitive grunt work associated with security operations, such as keeping track of IT systems, which includes its 70,000 employees’ laptops and phones, as well as the company’s servers and web apps. The tools also investigate activity that looks suspicious, such as when people log in from new locations or screenshot sensitive data, according to Scott Owenby, who oversees the firm’s internal cybersecurity.
The software relies on newfangled AI from other providers to scan large amounts of text, such as employee emails, and generate summaries of security incidents. The tools also use Palo Alto Networks’ own AI models to analyze security data for possible breaches and automatically take actions to prevent them from spreading. (The company wouldn’t disclose which third-party AI models it uses.)
For instance, if the software detects evidence of malware on an employee’s laptop, it will isolate the laptop by cutting it off from the internet and from Kyndryl’s other systems until a human IT staffer can investigate the issue. In other cases, the tool may scan the employee’s laptop, determine that no malware was downloaded and automatically close the ticket.
The software has been so effective that the number of incidents human security analysts have to respond to has fallen 90% to 400 per day over the past year, Owenby said.
“We’re starting to trust [the AI] to handle these tasks like scans and device isolation,” Owenby said. “And when we do need a human, it cuts down the amount of time a human would need to spend on incidents like that from hours to minutes.”
Staff Cuts
As a result, Kyndryl has cut its team of analysts who respond to possible breaches from 80 people to fewer than 40 over the past year, Owenby said. Most of those cuts impacted entry-level analysts who would have handled grunt work, while more senior analysts tasked with investigating larger incidents remained.
The AI runs around the clock and isn’t cheap: Owenby estimates Kyndryl, which has a market capitalization of $7 billion, spent around $600,000 on the product last year. But he noted that the company gets discounts by bundling it with other Palo Alto Networks products. Still, he said the savings Kyndryl got from the job cuts far exceeded the cost of the software.
“If you’re a company with a 10-man [security operations center], you’re going to pay more for the product than you’ll get in savings, but for larger organizations, it starts to pay off,” he said.
It’s been good for Palo Alto Networks, too. Chief Financial Officer Dipak Golechha told investors earlier this month that the company’s AI products are on pace to generate $545 million in annual recurring revenue from subscriptions in the coming year, up 150% from a year prior, Golechha said. That appears to have helped the company accelerate its overall revenue growth in recent quarters.
Other security executives say they’re using AI tools to speed up the work of existing employees, even if they aren’t yet replacing or cutting staff. Consulting firm KPMG has been using AI to speed up audits it conducts to make sure clients are complying with federal cybersecurity rules, said Christian Kon, a director at the firm.
KPMG has been using software from Zania, a two-year-old startup founded by former Microsoft security executive Shruti Gupta. Zania engineers worked with Kon’s team to build an AI agent powered by a mix of open-source AI models and foundation models from firms like OpenAI, which was trained on data KPMG has compiled on cybersecurity and data privacy laws around the globe.
KPMG’s consultants feed customers’ documents, such as their contracts with other software firms, into the agent, which automatically audits them for compliance and generates a report suggesting new written policies that would close compliance gaps.
The tool has shortened the amount of time KPMG spends on such audits by around 30%, Kon said, allowing it to offer more competitive prices to its clients. Kon declined to clarify how much KPMG spends on the software but said it’s less than the cost for a single human working on an audit for three months, which is roughly how long it would have taken before the firm started using the tool.
“For us, it’s less about making more money on each assessment, but rather about saving our clients’ money to do more of these,” Kon said.
Pipeline Pressure
As AI takes on more low-level work in cybersecurity and compliance, there’s a risk that companies will have fewer people on staff capable of moving up to senior roles.
AI is lowering demand for entry-level jobs across tech, including cybersecurity, according to Zanele Munyikwa, an economist at labor analytics firm Revelio Labs, which tracks job openings from positions on LinkedIn and other online sources.
And cybersecurity executives say the advent of AI tools is already creating new costs because firms need to train cybersecurity employees on how to use them.
“The workforce training component is a bit scarier—you don’t just pivot people from a traditional [security procedure] to a machine now doing that for you overnight. That’s a hard transition,” Kyndryl’s Owenby said.
In the meantime, Owenby’s team has been experimenting with using AI tools to quickly answer employees’ questions about cybersecurity, and he said chatbots like ChatGPT have shown early promise.
