Does everyone in cybersecurity need to be an AI expert?

Core AI knowledge is essential, but deep knowledge isn’t, according to cybersecurity expert John Elliott. Here's what you should know, and what isn't necessary.

Apr 15, 2025 • 3 Minute Read


Since AI hit the mainstream consciousness, one of the questions has been “Should I be learning about this shiny new thing, or is it just a hype wave that is going to pass?” After all, it’s natural that if you’re worried that AI is coming for your job—like 70% of all tech professionals are—then you’re also going to be thinking you should learn about it to have job security.

But there’s a nuance that’s lost in these conversations. Namely, how much about AI do you actually need to learn to do your job, particularly in cybersecurity?

Everyone in cybersecurity should know the AI basics

If you don’t, then you can’t do your job as a cybersecurity professional. Why? AI is going to touch everything that we do in cybersecurity, and is going to continue to do so. Also, it’s simply good practice to learn about what you’re potentially protecting, how it can be attacked, and the tools that attackers and threat groups will be using.

Here are some examples of things you should know about:

  • The basic concepts of AI: What LLMs, generative AI, and machine learning are, how they are different, and what each is good for. How data is used to train AI, and what terms such as “tokens” mean.

  • Where risks exist in typical business use of AI, particularly leakage of corporate IP and personal data

  • How AI can be used in cybersecurity defense: Threat detection, anomaly detection, behavioral analytics, automation, etc.

  • How attackers may use AI: Fakes and deepfakes, detection avoidance, and automated intrusion

  • How AI can be a threat: Adversarial AI, AI-powered attacks, evasion techniques, etc.

  • AI security best practices at a high level

  • Regulations and ethical considerations

Having deep AI knowledge is not required in most roles

You don’t need to be an expert in securing LLMs and AI as a cybersecurity professional, because in most cases other people will be doing that. Deep knowledge here means things like:

  • Mathematical foundations like advanced linear algebra, backpropagation, or optimization techniques

  • Neural network architectures

  • The actual methods for training models on large data sets

  • How GANs are built and trained

  • How to handle and clean data

Most professionals only need a practical, high-level understanding of AI, and this would all be beyond what’s needed.

It’s still a great time to learn about AI, but only if you want to

If AI really excites you, and you relish the idea of delving into everything I mentioned above and more, I’d jump in feet first. It’s a very exciting place to be at the moment, and more knowledge is never a bad thing.

An AI assistant can speed up your day to day

It’s worth experimenting with an AI assistant to save time and get familiar. An AI can help draft all sorts of documents, such as policies and great emails to explain things. There’s some AI in GRC tools that can help match third-party supplier policies to your information security requirements. 

AI is also great at taking something you’ve written and re-writing it for a specific audience, which we can all benefit from. It’s also good to see the ways your colleagues are using AI so you’ve a better grasp of the system when you’re discussing the risks and how you’re going to manage them.

Conclusion: Everyone should know about AI, but don’t fret if you’re no expert

AI has been used in cybersecurity for a long time, and most people don’t know the inner workings of an Endpoint Detection and Response (EDR) tool, or a phishing detection tool. Just knowing the high-level details is often enough.

If you’re interested in learning more about the basics of AI, check out Pluralsight’s Artificial Intelligence: Foundations or Generative AI for Security Professionals learning paths. And if you’re looking for a book to read, Not with a Bug, But with a Sticker: Attacks on Machine Learning Systems and What To Do About Them by Ram Shankar Siva Kumar and Hyrum Anderson is one of the best to start with.

John Elliott

John Elliott is a respected cyber security, payments, risk and privacy specialist. He helps organizations balance risk and regulation with business needs. He was a member of the technical working groups of the PCI Security Standards Council and actively contributed to the development of many PCI standards including PCI DSS. John is particularly interested in how organizations or regulators assess trust in the cyber security and privacy posture between relying parties. A passionate and innovative communicator, he frequently presents at conferences, online and in boardrooms.
