The shortage of IT specialists is great, and the shortage of security specialists in the IT world is even greater. Can AI help? ITdaily sits down at a round table with some experts.

There are not enough IT specialists and that in itself is a problem. Furthermore, anyone who knows IT is not necessarily capable of being a good IT security specialist. With the introduction of NIS2, this is an even bigger problem. ITdaily gathered several security experts around the table to discuss the sense, nonsense and challenges of NIS2. When it comes to the talent shortage, Ron Nath Mukherjee, cyber security consultant at Eset, asks a pressing question: “Can AI help?”

Yes but

The consensus is cautiously positive. We hear one Yesimmediately followed by an expanded one But. “Maybe,” thinks Thomas Hayen, Red Team Operator at Easi. “A lot of progress has been made in the last few months.” For him, AI is a useful tool that can at least make security more accessible. “Even ChatGPT can make concepts like Active Directory more understandable. You can have difficult concepts explained to you like a ten-year-old, and the AI ​​does that, supplemented with metaphors.”

“New generative AI helps people get started with low-level security fairly quickly. If you know little, you can simply ask questions. How does the Kerberos authentication mechanism work? You will receive a reply immediately. Or you can ask for code snippets to be translated. These will come from somewhere in the dataset the AI ​​was trained on, but at least you have a starting point.”

Not without people

The data sets used to train AI pose a challenge. “How good are they?” asks Bart Van Vugt, senior cyber security advisor at Uptime Security. “They will probably get better and better in the coming years. AI can provide guidance, but not confirmation. I see this in companies too. They believe in solutions that are AI-driven, but believing in them 100 percent is not an issue today.”

Furthermore, AI will not suddenly completely replace human knowledge. Hayen: “You still have to know what to ask.” Without an approach to knowledge or an idea of ​​what needs to be done, the added value of AI will therefore remain limited.

We are gradually reaching the peak of the AI ​​hype wave.

Ron Nath Mukherjee, cyber security consultant Eset

Mukherjee agrees with this view that AI is a tool and not a panacea. “We are gradually reaching the peak of the AI ​​hype wave,” he says. “AI is a tool. I use it too, but what is the concrete evolution of technology towards detection and response in cybersecurity? AI has played a role there for many years, but is really just machine learning on data sets.”

Turning back

The consensus is that AI can be a useful tool for (aspiring) security professionals in the short term, but not a replacement. Unfortunately, the other side also sees a benefit in AI. After all, cybercriminals might as well ask questions. “And today you don’t need much knowledge to hack,” says Mukherjee. AI can just as easily help criminals write useful phishing emails and develop scripts.

That’s not the end of it. “With AI you can make deepfakes of people, with voice and everything,” says Hayen. This won’t exactly reduce the phishing problem.

So it seems that at least some of the benefits that AI can bring are, on the other hand, being negated by AI-driven malware campaigns. Still, more and better AI trained on better data sets will help security professionals. However, the skilled workers themselves do not have to fear for their jobs, on the contrary. AI can help them or show the right way to develop talent, but the real decisions remain in human hands for now.