[0:00]Last week, Claude AI agent discovered 22 vulnerabilities in Firefox browser without any human involvement. A fellow YouTuber covered it in a video titled Cyber security is about to get weird. And what's really weird is that last week, a friend of mine, who's an AI threat intelligent expert in one of the biggest companies in the world, told me in a podcast episode that AI can pretty much do malware reverse engineering so much better than any human. So the question is, is cyber security cooked? Now, the reality is, some cyber security specializations are at the risk of being replaced by AI, whereas others are simply safe from being impacted by AI. Now, in this video, I'm going to go over every cyber security specialization, and I'm going to show you exactly which cyber security specializations are going to be replaced by AI and which ones are safe. Knowing which ones are safe can be the difference between having a long-term career in cyber security or spending two years studying for a cyber security specialization that may no longer exist in two years time. So pay attention and at the end, I will answer the only question that matters, which is what can you do to protect your cyber security job against AI? Starting with the specialization that's making the most noise in the news, application security or software security. Now, here I'm grouping a number of roles. So when we say application security, we mean the engineers and the software security developers who find vulnerabilities in software code. That could be via malware reverse engineering or secure code reviews, or even exploit development, all of these roles, when it comes to AI, as evidenced by the news and from what I've seen in the industry, they are probably the ones at the most risk of being replaced by AI. Now, this doesn't mean that individuals who work in this field now will have no jobs. What I'm saying here is that this job will 100% evolve, where AI is doing a lot of that work for you. So if you're a senior application security engineer or you're a malware reverse engineer, you should pay attention to what AI is doing and you should look into perhaps expanding your skills and including AI in your workflow. However, if you're a student or you're someone who's trying to land your first cyber security job coming in from a different field, I'd say don't start your cyber security career with something like Apsec or malware reverse engineering. Simply because there won't be a lot of those roles around for you. So you need to make smarter decisions and based those decisions on real world data instead of passion and desire. Now, speaking of passion, the next specialization is one that most of us are passionate about. In fact, the vast majority of cyber security professionals got into cyber security to become ethical hackers. So specialization number two is ethical hacking. Now, ethical hacking or penetration testing is a very interesting one when it comes to AI, because what's happening at the moment is if you look at the entire process of performing a penetration test, starting with something like reconnaissance and social engineering all the way to exploit development and even report writing, all of those steps are currently being enhanced by AI. So AI can reduce the time needed to perform reconnaissance or search for vulnerabilities and exploit these vulnerabilities and even help you with writing the report. Now, what does this mean? It doesn't mean that AI will completely replace ethical hackers, however, it should take an experienced penetration tester a lot less time to perform the same job if they did it without AI. Now, I'm saying all of this while keeping in mind that again, a friend of mine, in Black hat Asia, started a penetration test using an AI agent. He delivered his talk and at the end of his talk, his AI agent was done with the penetration test. So there are currently experienced ethical hackers who have AI agents that can do that, but that's not everyone and that's not the entire industry. Now, what does this mean for individuals who already work as penetration testers? It means that you need to be careful, you need to work on broadening your skills. So don't just be the ethical hacker, try to learn other areas of the business, but more importantly, try to learn AI agents and be the person who knows how to use these agents. Now, the question is, again, if you're someone who wants to work in cyber security, you've never worked in cyber security and you've always wanted to be a hacker. I'm going to tell you first, you're not alone, that was me as well, I was obsessed with ethical hacking, I think most of us who want to do cyber security, we have this love and respect for ethical hacking and penetration testing. Now, if you want to be strategic about your cyber security career even before AI, there wasn't a lot of dedicated penetration testing roles around. So betting your entire career on just penetration testing wasn't really a smart choice, however, with AI, it's even less smart to do so. Now, this doesn't mean don't learn ethical hacking. In fact, I think it's a good idea for any cyber security professional to learn a little bit of ethical hacking because it will make you a much better cyber security professional. What I'm trying to say is if you're passionate about ethical hacking, don't start with ethical hacking. Learn other cyber security specializations, build your skills, land a cyber security job, then you can spend the rest of your life learning penetration testing on the side and maybe you get to do it on a job as well. Now, speaking of skills in demand and what you should start your cyber security with, the next specialization is the one where you will see the most cyber security job advertised, which is specialization number three, SOC analyst or defensive security. Ironically enough, when it comes to AI, people assume that SOC analyst will be the first cyber security job replaced by AI. Now, this concern seemed to come from individuals who have never worked in cyber security because they assume that the SOC analyst job is just looking at alerts and doing extremely basic work, and therefore, they think that's all. If the work is basic, then AI must be able to do it. Now, this also assumes that AI is stupid and can only do stupid things, however, as I said earlier in the video, AI can actually read code and find vulnerabilities. And therefore, this whole idea is wrong, but more importantly, it's wrong because the SOC analyst job or defensive security job is an extremely varied job. In the real world, SOC analysts and blue teams are not just sitting there and watching alerts. In fact, they tend to be the busiest cyber security professionals. I work in consulting and I talk to so many organizations and I try to help them uplift their cyber security posture. And I always find problems in detection and response, which is the domain of the SOC analyst. There simply are not enough people to do the work that organizations need to do. And therefore, if AI is able to enhance some of those roles, this will give SOC analysts more time to be able to perform the work. Now, is AI going to influence the SOC analyst job? Absolutely. So if we simplify the SOC analyst job, it's basically to be able to detect, analyze, and respond to cyber attacks. As it stands, AI can help with all of those three steps in the way that it can actually improve those tools. So detection should become better, analysis should be faster, and even response in an ideal world should be faster. However, we don't live in a perfect world. The world we live in, hackers are also using AI.
[6:48]Remember when we talked about ethical hacking, we said that the entire process of ethical hacking is now faster because AI can do a lot of those tasks. And therefore, hackers and criminal groups are also using AI, and as a result, we actually are seeing so many more cyber attacks against organizations because AI is being leveraged. And therefore, blue teams and SOC analysts are even busier. Not only that, but because the task of protecting an organization and being a defensive security professional is so complicated, you actually need to understand so many areas of the business, which means you need context, and that is something that AI simply can't do. So, if you're currently a SOC analyst, I'd say continue on your learning path, explore other areas and improve your skills and definitely learn AI. However, if you are a student or you want to land your first cyber security job, then acquire blue teaming skills. This will be your entry point into cyber security, you will learn a lot and there will be opportunities in the future. And speaking of opportunities, area number four is one that has seen exponential growth in the last few years and it's not slowing down, which is GRC, stands for governance, risk and compliance. Now, GRC for those of you who don't know what a GRC professional does, it's simply a group of roles where the main objective is to conduct risk assessments and help organizations with compliance and even strategy and management. And as a result, GRC jobs require the most human interaction. And therefore, it's probably the most resilient to AI. Now, that doesn't mean AI is not going to influence GRC. AI will definitely influence GRC, but it's not what most people think. Now, in my job as a cyber security consultant with GRC, I can tell you that AI currently helped me with things like summarizing some documents, analyzing some policies, and it can even help me with certain aspects of report writing. But it cannot replace the need for an experienced GRC professional or even a junior GRC professional. There are legal obligations where you need an auditor or you need a cyber risk analyst to inspect the evidence. I cannot just throw it at an AI, because the job of GRC is to provide assurance to the business. Now, a bonus thing that came from AI is that as a GRC professional, I'm infinitely more busy because every organization that I work with decided to implement AI in some way or shape, and they all ask me to help them with governance and risk when it comes to AI. So it actually created more jobs for me. And therefore, if you're currently a cyber security professional in any specialization, I highly recommend you upskill yourself in GRC. This is the skill that will save you in the age of AI, and it will also help you to progress to more senior roles because you'll be able to speak the language of the business, and you'll be able to bring teams together. And if you're someone who's just starting their cyber security career, then GRC skills again is a no-brainer. It is something that will help you land your first cyber security job, because there is so much demand, and as you may have guessed, there aren't that many professionals with GRC skills because everyone is chasing penetration testing and ethical hacking and Appsec, so it is an underserved area. And if you want a step-by-step guide on how to land your first GRC job, then please check out my GRC roadmap right there, as I break it in a really clear, easy-to-follow manner. Now, while we're on the topic of high demand roles, the next one is also a really high growth area in cyber security, which is area number five, identity and access management, short for IAM. Now, the problem with identity and access management is that it is really too broad. So identity and access management really is about managing access to resources. So we want to make sure that users have the right access to the right applications, but also we want to make sure that applications also have the right access to resources and data. Now, to accomplish that, you need a group of roles, so it's not just one job. And traditionally, a lot of IAM jobs are simply IT jobs, they are not really cyber security jobs, but there is a lot of crossover. For example, if your data is in the cloud, which is most companies, then you'll find the cloud security engineer performing IAM tasks, or if you're doing an audit on an application, then GRC professionals can perform those tasks. Now, when it comes to AI, because IAM relies on so many tools, AI will simply enhance those tools, it might give you good insight. It will definitely save time when it comes to auditing a large number of users or access to certain applications. So we will definitely need less IAM professionals, however, due to the complexity of IAM and the fact that so many organizations have different teams and different tools, there will always be a need for IAM professionals. So it really is a great skill to have if you are an established cyber professional or if you are a student. Now, the trick with IAM is that it relies a lot on enterprise grade tools. So training isn't really accessible, however, if you learn things like cloud security or GRC, there is a lot of crossover. So following my GRC roadmap, for example, you will come with a lot of IAM skills. Now, the next area is one that a lot of young people are extremely passionate about, which is security engineer. Now, when I say security engineer, this also includes things like network security or cloud security, anything under the umbrella of engineer. Now, the funny thing about security engineer is that a lot of young people are attracted to this role without even knowing what it entails. Sometimes they are attracted to the title due to cultural reasons, but also people think it's cool. Now, to simplify what a security engineer role is supposed to be, think of cyber security broadly as detecting and analyzing and responding to cyber attacks and having good governance around all of this. Now, to do that, we need infrastructure, we need applications, we need servers. So the job of the security engineer is to install those applications, to configure those applications, is the ongoing support for those applications, that is the security engineer. Now, those applications can be firewall or Amazon AWS cloud or a password manager or any IAM tool. So all of those roles are a security engineer role. Now, the issue with security engineer role is that a lot of these jobs again are not really cyber security jobs, they are IT jobs. They are fantastic IT jobs, but they really exist to support cyber professionals that perform the protection of organizations. Now, when it comes to AI, like I said, the tools will continue to improve, and therefore, we may need less people, but for the most part, a lot of security engineer roles will probably be okay, especially in the area of cloud security. So if you want the highest growth area under the security engineer umbrella, then cloud security is where you need to spend your time. Now, due to the broad range of security engineer roles, like I said, a lot of roles aren't really good. About 10 years ago, if you look at my LinkedIn profile, I was working at a National Australia Bank in the security team and I had friends, really good friends, who were security engineers, but they specialized in one type of firewall. Now, even back then, they were telling me that they were struggling to find other jobs because other banks didn't use that particular firewall. And this is a classic problem with security engineers roles. You could spend 10, even 20 years dealing with one type of technology. This is extremely dangerous because technology could become outdated, new things will come on. So if you only know one type of technology, then it's not AI that will take your job, it's your laziness and complacency. And therefore, I'd say be extremely careful not to be a one technology person. I've seen this so many times in the past, even before AI, that was always a problem, and those are exactly the people who comment on my videos saying that they have 10 or 20 years of experience and they're struggling to find jobs, and when I look at their resumes, all I see is some nonsense company and experience with one or two tools. This is not 10 years of experience, this is simply one month of experience repeated over 20 years. So be very strategic with your learning and remember to diversify and broaden your skills. Now, one more thing about security engineer, some roles will have the title of engineer, but they will simply be automation specialists. For example, you could work in a security operation center, but your job could be just writing Python scripts to automate certain tasks, or you could be a GRC engineer or someone in a GRC team that just writes scripts. Those roles are in extreme danger of being replaced by AI because writing basic skills is something that AI can do really easy, and it was never an in-demand skill. So be careful not to become an automation specialist because this is something that we can already replace, which brings me to the most important question of this video. What can you do to protect your cyber security job from AI? And this goes both for highly experienced individuals who already work in cyber security, and also students and individuals from other fields who want to work in cyber security. My honest answer is you need to be extremely adaptable. So if you're currently perform just one job, or if you're hyper-attached to one specialty, be it ethical hacking or sock or anything, and you need to start to seriously consider adding various skills. At minimum, you should be really good at defensive security, GRC and cloud security. Those three areas combined will safeguard you against any change in the cyber security field, including AI. This will simply increase the number of jobs that you can qualify for. It will also make you a lot more useful to your team and your colleagues, which will enable you to do a better job and even get promoted. Now, the second important thing that applies to more experienced individuals, which is if you find yourself in a cyber security job, then you need to seriously consider learning AI. Get really good at things like Cloud code and Open Claw and start creating your own agents and get really good at adding skills to those agents. Now, remember, I said this is important for experienced individuals. If you're someone who's just trying to land your first cyber security job, then sorry, but your priority is learning cyber security. You can learn AI later or you can add it to your workflow after you've mastered cyber security. Now, just a caveat when it comes to learning AI, please don't waste any time or money on any certificate that has the word AI in it, and that goes for the ComTias and ISAC and all of that nonsense. This will not teach you anything, you need to actually spend time playing with Claude code and creating your own agents and experiment. This is still a new and growing area, so you need to figure it out on your own. Now, if you've been hyper-specialized or you're a student and you don't know where to start, then I highly, highly recommend you follow this video because it has the step-by-step road map that will make you a generalist cyber security professional. It will ensure that you have GRC, SOC analyst and cloud skills, which as I said, will be the plan that ensure that you have a long-term career in cyber security in the age of AI. Check it out and I'll see you there.
