The Security Workforce Problem That Hiring Won’t Fix

https://www.cybersecurity-insiders.com/the-security-workforce-problem-that-hiring-wont-fix/

Publish Date: 2026-06-27 04:24:00

Source Domain: www.cybersecurity-insiders.com


Most security leaders have done the logical thing with AI. They have automated alert queues, added machine learning to vulnerability-management pipelines, and integrated AI into the SIEM. The immediate benefits can be significant: response times can improve, routine work might move faster, and analysts may spend less time on tasks that do not require their full attention.
The team structure, however, often stays the same. There is enough happening day to day without adding a workforce redesign to the list, and the existing model may not appear broken. The dashboard is improving. More work is moving through the function. The automation seems to be doing what it was intended to do.
The disconnect usually emerges more slowly. Security leaders may see better volume and efficiency metrics while still feeling that the function is not meaningfully stronger. Senior analysts are spending more time reviewing machine-generated output than conducting the deeper investigative work their experience should enable. Less experienced analysts are moving through workflows shaped by automation without always gaining the exposure that helps them develop pattern recognition and independent judgment.
The tools may be working exactly as designed. The issue is that many security teams are still organized around how the work looked before automation took on a significant share of the operational load. That creates a workforce problem that hiring alone will not solve. Organizations are often adding automation to an existing team structure rather than redesigning the structure around the new division of labor between people and machines. The result can be more efficiency without more resilience, and more capacity without a clearer path for building or using expertise.
The Question Security Leaders Need to Ask Now
The question extends beyond simply how much work can be automated to what kind of human work remains, where it should sit, and how organizations will ensure people are still developing the expertise needed to challenge the technology when its conclusions do not hold up.
That requires distinguishing among three different types of work that are often still grouped together as “analyst work.”
Some work can run largely through automation with limited intervention. Routine enrichment, repetitive correlation, and initial prioritization can often be handled by technology more quickly and consistently than by a person working through the same activity manually.
Some work requires a human to validate what the machine has produced. This includes reviewing automated triage decisions, checking whether a severity score matches the broader business context, and identifying whether a recommendation makes sense based on the facts available.
Other work requires deeper human ownership. Complex investigations, threat modeling, adversarial reasoning, incident response decisions, and risk judgments that affect the business cannot be reduced to a machine-generated queue. They depend on experience, context, skepticism, and the ability to recognize when a familiar signal may mean something different than it appears to mean.
These are fundamentally different forms of work. They require different skills, levels of experience, and career paths. Yet, many security teams still ask the same people to toggle between all three throughout the day, depending on what lands next in the queue. That is how a senior threat analyst can end up spending half an afternoon validating routine automated outputs that a more junior person could handle with clear guidance and escalation criteria. It is also how an early-career analyst can move quickly through an automated workflow without developing enough practical context to recognize when the system’s recommendation does not make sense.
In both cases, the organization is using talent inefficiently. More importantly, it may be creating what can be thought of as an expertise debt: the work becomes easier to process today, while the organization becomes less deliberate about how it develops the judgment it will need tomorrow.
Automation Changes More than Workload
The cybersecurity workforce conversation is still largely framed around shortage: open roles, certification gaps, competition for experienced professionals, and the challenge of hiring quickly enough to keep up with demand. Those are real pressures, particularly as organizations expand their attack surfaces and face increasingly complex threat environments. But workforce planning should never stop at headcount.
If a security function remains organized around a pre-automation model, adding more people may simply create more capacity inside a structure that no longer makes sense. The organization may have more analysts processing work, but no clear differentiation between the work that needs experienced human judgment, the work that can be validated by trained junior talent, and the work that should no longer require regular human attention at all.
The subtle, but likely greater, risk is what happens to the development of expertise over time. Many security professionals built their judgment through volume. They saw recurring issues, worked through ambiguous cases, made mistakes, and began to understand which details mattered when something did not fit a familiar pattern. Automation can remove much of that first-pass activity. That is often the point. But it also means organizations need to be more intentional about how people gain the exposure and context that repetitive work once provided.
Without that intentionality, junior analysts may become highly capable at operating security tools without becoming equally capable of interrogating the outputs those tools produce. Senior analysts may become exception handlers or validators rather than spending more of their time on the difficult work where their experience adds the greatest value. Over time, a team can become faster at moving through machine-generated activity while becoming less prepared to identify the unusual threat, weak signal, or flawed assumption that falls outside the model’s learned patterns.
What a Better Workforce Model Looks Like
The strongest security organizations are beginning to make a more deliberate distinction between operational processing, human validation, and strategic security judgment. That does not require creating a large new layer of roles or rebuilding the entire organization at once; it comes from being explicit about where work belongs and why.
Routine work should be automated wherever technology can handle it reliably. But leaders should also establish a validation layer rather than assuming that a person clicking “approve” somewhere in the workflow constitutes human oversight. Someone should be accountable for testing whether automated triage decisions align with what later investigations reveal, someone should review patterns in activity the system downgraded or dismissed, and someone should be examining whether severity scores remain accurate as attacker behavior, business operations, and technical environments change.
That work is a core security function, and it should be reflected in role design, capacity planning, and performance expectations. Organizations also need to redefine what senior talent is there to do. The value of an experienced security professional is not simply that they can process more complex alerts than a junior analyst. It is that they can see across systems, question assumptions, understand business impact, and make decisions when the available evidence is incomplete or contradictory.
The more automation takes on routine work, the more senior roles should move toward investigation, threat anticipation, assurance, incident leadership, and the design of stronger controls. Those professionals should be helping shape how automation is used, where it should be challenged, and what types of risks should never be treated as fully automated decisions.
At the same time, organizations should build clearer development paths for earlier-career talent. That may include structured review of cases that automation deprioritized, rotation through investigations, mentorship tied to real incidents, and explicit training in how automated systems make recommendations and where their limitations appear.
Measuring the Right Outcomes
Security leaders will also need to measure more than speed, volume, and cost reduction. While those metrics continue to matter, they don’t fully capture whether a workforce model is working. More useful questions include whether automated conclusions were later proven wrong, how quickly any errors were discovered, what human insight surfaced them, and whether the team is becoming more capable of identifying gaps in automated decision-making over time.
Organizations should also look at how work is distributed. Are senior analysts spending their time on the highest-value decisions? Are junior analysts developing the skills needed to take on more complex work? Is there a clear owner for validating automated output and translating what the team learns back into the security program?
Those are the questions that get at whether the organization is building a security function that can adapt as the technology, the threats, and the business continue to change. That is the cybersecurity workforce challenge in front of leaders now, and it’s much larger than finding more people. It spans deciding and redefining what people are there to do, how they will grow into the work, and how the organization will ensure that human expertise remains active rather than “box checking.”
 
 
