Loading...
Webinar
Hiring or Firing — The Next Step for AI-Augmented SOC Teams
Webinar
Hiring or Firing — The Next Step for AI-Augmented SOC Teams
Hiring or Firing — The Next Step for AI-Augmented SOC Teams
Hiring or Firing — The Next Step for AI-Augmented SOC Teams
Loading...
As the capabilities of AI rapidly approach those of a traditional security analysts, Ambuj considers the critical roles that must continue to be performed by humans to ensure the performance, effectiveness, and security of AI solutions.
There are approximately eight million people currently employed in security operations worldwide. The gap between their current skill levels and the capability of AI is narrowing rapidly. In a recent online competition, Simbian found that AI could outperform 95 percent of senior SOC analysts. Given this trajectory, it is easy to conclude that the profession is headed toward total automation and mass unemployment.
That conclusion is incomplete. While many of the entry-level and repetitive roles we see today will vanish, they will be replaced by new high-value roles that require human judgment. We are witnessing a transition from manual execution to higher-level orchestration. AI excels at processing telemetry and identifying patterns at scale, but it requires a human to provide the broader context and strategic intent. For security professionals, a winning mindset involves mastering these new skills required for this new era.
"Most people misunderstand the impact of AI on the security workforce."
There are five specific domains that I expect will remain the exclusive province of human experts for the foreseeable future, even as AI continues its rapid evolution. Not only are these domains safe from automation; they also are becoming the most critical levers for organizational success. If you align your skills with these areas, you will remain in high demand in the AI future.
AI can optimize specific security tasks. It can perform many of them simultaneously. However, AI cannot determine the order in which those tasks should be addressed based on a company's unique DNA. The selection and sequencing of AI security products is a deeply subjective exercise. It requires a human leader to weigh abstract risks against organizational goals. It also is a continuous process, as the roles and expectations of AI security must dynamically respond to the emergence of new capabilities in the technology and new requirements from the business.
Consider the divergent threat vectors between a regional credit union and a government intelligence agency. A credit union is primarily susceptible to high-volume, automated phishing attacks designed to harvest customer credentials. For this organization, the immediate priority is an AI SOC that can triage mail flows and endpoint alerts at machine speed. In contrast, a government intelligence agency faces the risk of targeted supply chain poisoning or adversarial LLM manipulation. An attacker might attempt to corrupt the training data or the retrieval context used by the agency's internal systems to leak classified data. For this organization, the sequence must prioritize AI application security and model governance before traditional SOC automation.
The human leader must also evaluate internal resource constraints. Budget is a baseline factor, but the availability of trusted human operators is the true bottleneck. If you use a Managed Detection and Response (MDR) provider struggling with high false-positive rates, your strategic move might be to force that provider to adopt an AI SOC to improve their quality. Conversely, if you are undergoing rapid development with frequent weekly releases, you might decide to bypass the SOC for now and prioritize AI Pentesting to secure your CI/CD pipeline. AI cannot make these trade-offs because it cannot perceive the long-term business roadmap.
As with any technology, AI security deployments do not happen all at one time. In addition to the sequencing of product selection and deployment is the sequencing of where the selected products will be applied. A deployment may start with one product in one business unit in one geography and then expand from there. As deployment expands, so does the requirement to integrate with the multitude of other security and IT products present in each environment. In parallel, the organization changes, businesses are sold or acquired, and the next AI tool becomes available. All of this means that deployment is a never-ending responsibility.
"AI cannot make trade-offs because it cannot perceive the long-term business roadmap."
Selecting a security vendor is an act of trust that extends far beyond a technical feature set. AI can perform a feature-by-feature comparison of two products, but it cannot evaluate the qualitative risks associated with the entity providing the code.
Different vendors offer fundamentally different philosophies. A security leader must decide if they prefer the stability and extensive support of a large platform incumbent or the bleeding-edge innovation of a startup. Startups frequently move faster and break the monopolies of large companies, but they often lack the global support infrastructure or the six nines of reliability required by major enterprises.
Furthermore, the country of origin has become a primary security metric. A human leader must decide if they are comfortable with a vendor headquartered in a region with different data privacy laws or conflicting geopolitical interests. This decision involves weighing the marketing muscle of a vendor against its actual research capabilities. Evaluating the long-term viability of a startup or the bureaucratic inertia of a platform giant will continue to be a nuanced human judgment.
Vendor selection cannot be a one-time event. AI supply chains are long, dynamic, and global. Where models originate and the data sets they are trained on matter. Vendors change strategies, their supplies, or get acquired. Rapid geopolitical changes can redefine the threat and risk landscape overnight. The security leader must constantly monitor and reassess the security of their AI security tools.
The world needs eight million Context Engineers, and you should be one of them. The role of security analyst is being replaced by the Context Engineer. One of the most powerful advantages of AI is its ability to follow personalized policies and respect department-specific data silos. However, an AI agent is a blank slate until it is provided with the correct context.
"The world needs eight million Context Engineers, and you should be one of them."
The Context Engineer is responsible for building and maintaining something like the Simbian Context Lake, a centralized repository of enterprise knowledge for security. This involves capturing both written policies and the unwritten tribal knowledge that exists within the minds of the staff. For example, a policy might state that access to production databases is restricted. However, the human team knows that access is permitted for the senior DBA during the 2 AM maintenance window only if the secondary node is offline. This level of nuance must be curated and fed into the AI agents.
Context Engineering is a lifecycle management task. The human expert must decide which contexts to pick for specific tasks, update them as the business changes, and delete or compact old contexts to prevent context drift. Managing the flow of relevant context to the LLM is the primary way to control both the cost and quality of AI decision-making. Not enough context will result in responses that do not reflect the specific details of your organization. Passing too much irrelevant data increases token costs and introduces noise that can also lead to poor outcomes.
While the traditional analyst role will fade, the demand for Context Engineers will surge, and these roles will be significantly better compensated.
Developing and deploying an AI system requires a rigorous testing framework that uses actual production data. AI cannot define its own success criteria. When you decide to personalize an LLM through fine-tuning or by building custom agentic workflows, you must create the Truth Set.
The human security expert must decide which use cases are critical and what data sets are representative of the environment. This involves selecting test data that covers relevant edge cases, establishing evaluation criteria, and building a framework to measure hallucinations or false negatives. If you are fine-tuning a model to detect lateral movement within your cloud environment, a human must verify that the training data does not contain bias that would cause the model to miss a specific type of attack.
You are effectively acting as the Head of Quality for your digital army. AI can generate a report on its performance, but you and you alone must judge if that performance accurately reflects your environment and meets the risk tolerance of your company.
A significant limitation of current AI technology is the inability to transfer learning seamlessly from one model to another. While the industry is spending billions on model improvements, the specific lessons learned while using one model do not automatically move to the next. As models leapfrog each other in capabilities, and as vendors change the underlying models in their tools, you should expect that you will move between different models.
If you fine-tune a specific model or build your security processes around its unique strengths and weaknesses, those efforts are often model-specific. If you teach your team to implement specific guardrails to mitigate the hallucinations of a particular model and then you switch to a newer or different model, you must often recreate those guardrails.
The knowledge regarding the usage, limitations, and personalities of these models must live outside the models themselves. As a security professional, you serve as the bridge between model generations. You maintain the continuity of the security posture as the underlying technology evolves. You are the repository of the institutional knowledge that makes the models effective.
The shift toward AI is not a threat to the security profession – it is an elevation of it. The manual labor of log parsing and ticket triaging is ending. In its place, we are seeing the rise of the Architect, the Context Engineer, and the Strategic Risk Manager.
Societies generally spend more on security as they become more prosperous. The importance of cybersecurity is poised to increase as AI emerges as a primary driver of new prosperity, and even more due to the rise of AI-driven attacks. The world is panicking because they see AI as a replacement for human intelligence. In reality, AI is a replacement for human labor. Intelligence, intent, and strategy will remain the exclusive domain of the human Winner. You will reap great benefits from this shift if you orient yourself accordingly.
Read the full ebook → Security for Winners: The Art of Using AI to Secure Your Company and Get Yourself Promoted
