The Loneliest Profession


An imagined future...

I am a Cybersecurity Capabilities Manager. What’s that? Well, the “cybersecurity” part should be self-evident. “Capabilities” is code for the AI that does all the actual work. “Manager” is code for “guy who creates prompts, tunes bots, and talks to customers if they ask to talk to a human.”

Next year, on the first of August, it will be my 25th year in this role. I had been a senior security engineer, building security tools and generally cleaning up the messes made by programmers, engineers, and executives who in a previous generation made very sound technical or business decisions, but neglected to consider the security implications of those decisions. A common enough occurrence in those days, but not so much anymore.

In these past 25 years I have sat down in the same room with another security practitioner twice. Once by accident, as I ran into a buddy I had been on active duty with in the airport, and we passed two hours in the airline club lounge bitching about our respective managers, telling work-related “war stories,” rehashing actual war stories.

The other time was at an ill-fated attempt by the company to have an off-site, which meant getting everyone out of their home offices and into a common physical space for a good old-fashioned pep talk by management, to hear some lessons learned by colleagues, eat mediocre hotel food and drown our sorrows in domestic lite beer. I say “ill-fated” because everyone refused to show up, and at the last minute leadership bailed as well. Some claimed illness, others various unspecified “conflicts.” Tammy and I were the only ones who didn’t get the memo, so we talked shop for a bit, ate too many machine-made croissants washed down with acidic low-grade coffee, and then attended the rest of the event – which ended up being delivered via video conference – from our respective hotel rooms.

It wasn’t always this way.

This used to be a thriving ecosystem of responders, reverse engineers, forensics examiners, incident handlers, vulnerability researchers, and analysts. A market of products and services worth $180 billion.

Then came AI.

At first large language models, and soon after more advanced “intelligence.”

While everyone else was writing op-eds, posting on social media, and trying to get their derivative bullshit slide deck selected for RSA or Black Hat, three visionaries (ahem) decided to go all-in on AI. They became what are known today as the big three: McCutchen, BlueSky, and Steve.

McCutchen was already the closest thing to a household name in and outside of the security industry. If there was a major incident, McCutchen was there, fighting evil and making bank. They did good work. They deserved it.

BlueSky wasn’t a household name, but they were one of the most respected outfits in the industry by insiders. The experts that experts went to when they couldn’t figure something out. The nerdiest of nerds with more street cred than could be spent in a lifetime.

And of course there was Steve, who worked like a fiend – and leveraged LLMs – to become a one man wrecking ball in record time. Others tried to do the same thing at the same time, but Steve was always a step ahead – and hopped up on speed so the rumors went – to the point that his lead was insurmountable. First to market with the right features at the right price. Hard to go wrong.

Each of the big three had assembled the largest and most comprehensive LLMs based on cybersecurity content available. BlueSky and McCutchen were both larger than Steve’s because they could add terabytes of incident data from years of engagements, but then Steve wasn’t aiming for the same space in the market that they were.

All three of them launched on the same day at Black Hat in Las Vegas.

All three of them destroyed the cybersecurity industry.

Before it all fell apart, there were roughly three million people working in various cybersecurity roles around the world. There were supposedly tens of thousands of open positions, which didn’t jibe with the significant number of people who were struggling to find jobs. Some blamed broken recruiting practices, others the unrealistic requirements of employers who wanted to hire a handful of unicorns, pay them donkey salaries, burn them out, and shit-can them at the first sign of a failing. In such an environment, you would think that code-that-could-think would be considered a boon.

It was.

It turns out that with a sufficiently large dataset from which to learn, and several dozen well-crafted prompts, a true subject matter expert could do the work of 100 people. You could prompt the work of everyone from tier 1 SOC analyst to a seasoned incident responder to a penetration tester. Tie those prompts together like some super-powered IFTTT and you were now addressing problems at near line-speed at a scale heretofore unachievable with hairless monkeys in hard pants. Everyone knew this could be the case, but the big three acted, and that made all the difference in the world.

In six months, the performance ratio of a cybersecurity subject matter expert went from 1:100 to 1:400. By the following Easter it was 1:8000. All hyperbole aside, it was truly amazing.

You don’t need to have a PhD in economics to know what came next. If you were not already an SME, you were shit out of luck. If you worked in security and already had commodity IT technical chops you were lucky if you found a job as a sys admin in some mid-tier SMB with three dozen ancient PCs running software six versions out of date. Everyone else was fucked. Why would I train and pay you when I can whip up a bot that’ll work 24/7 and doesn’t require healthcare? The machines dealt with issues faster and better, didn’t have mental or social issues, and didn’t complain. Second order effects? Why would I pay for all those supporting roles (a/k/a overhead) when the people they were supposed to support were gone? Watch how cheap retirement plans, and healthcare plans, and fringe benefits become when you go from 20,000 people to a few dozen.

Private cybersecurity training companies? Bankrupt. University programs? Shuttered. Certification mills? Done-ski. Body shops? Extinct. There is no point in developing a pipeline of talent when they’re not going to be needed for a generation. And by that time who knows how much more powerful algos would be? Powerful enough to not need people maybe.

Of course, the good times didn’t last for two of the big three either, but it took a minute. See in the old days if you sent 5, 10, 25 people out to respond to a crisis those nerds were all billable. The longer it took the better. Revenues were amazing and margins were healthy.

But in the age of bots, when you responded to that same incident, customers didn’t like that they were being charged human labor rates for bot work. The backlash against the old ways came swiftly. Everyone still made money, but the cybersecurity unicorns had their horns trimmed.

Steve? He made out like a bandit. Steve never employed anyone but Steve, and now that Steve could do the work of a brigade’s worth of people, that wasn’t likely to change. Steve also never charged human labor rates, so the pricing backlash didn’t affect him one iota. Every year or two someone tries to out-Steve-Steve but it never works. Steve is a personable guy. People like him and trust him and he leverages that to the hilt. ‘Why would I go with this other guy when Steve has always done me right?’ He was happy to merely make millions of dollars a year after year after year and not deal with a board of directors or shareholders.

In two months, it will be 2050. The other day I read that someone estimated that there were no more than 2,000 people in the world working in cybersecurity. If they’re all roughly my age, and are in decent health, they can easily do another decade and probably two. Cybersecurity AI is at the point where, as we start retiring or dying off, our replacements can be effectively trained by the AI, because those of us who remained put ourselves into the gaps that code couldn’t fill. When this all started an LLM was at best a 60% solution. The latest stats I’ve seen show we hit 100% – statistically errorless responses – about four years ago. Mildly surprised all of us meat sacks were not fired at the time, but a VP let it slip that there is still a critical mass of customers who like the feeling that there is a human in the loop, so until that generation retires, we’re probably safe.

Maybe this is the old man in me talking, but I find myself thinking more and more about all those people who didn’t make it. All those conferences and relationships that are no more. A whole community – dysfunctional as it often was – that doesn’t exist anymore. We all still do a lot of good, however many hundreds of us are left, but it’s not the same.

At least I don’t have to work for Steve.