The most recent ISC2 Cybersecurity Workforce Study confirms a shift that many cybersecurity professionals have been feeling for years: that artificial intelligence (AI) has moved from experimental tooling into the operational core of security teams. With 28% of organizations integrating AI security tools, 19% actively testing them and another 22% in early evaluation, nearly seven out of 10 security teams are on the path toward routine AI use. Here’s what that looks like in practice, according to Gerhard Kessel, CISSP.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
The transformation of AI from “experiment” into “operational core” heralds a structural change in how cybersecurity work is performed. But it isn’t just about faster tools. It’s about re-platforming core cybersecurity roles around AI systems. It’s my view that Security Operations Center (SOC) analysts and incident responders face a redefinition of responsibilities that will depend on how successfully teams adapt to AI’s central role.
From Alert Processing to Decision Engineering
For decades, SOCs focused on volume, on human analyst-triaged floods of logs, alerts and telemetry. That model was stressed even before AI arrived. ISC2’s Cybersecurity Workforce Study found that nearly half of cybersecurity professionals are exhausted by the pace of threats and technology, and 47% are overwhelmed by their workload.
In this context, AI enters our environment not as a luxury but as a necessity. The study showed that respondents expect AI to deliver its fastest benefits in network monitoring (40%), security operations (30%), security testing (30%), vulnerability management (29%) and threat modeling (28%). These are precisely the areas that generate the largest volumes of repetitive, time-intensive work.
As AI systems handle correlation, enrichment and anomaly detection, the nature of frontline cybersecurity work changes. SOC analysts become supervisors of AI-driven detection pipelines rather than manual processors, their role evolving towards tuning detection logic, validating outputs, handling edge cases and escalating critical events. In effect, the SOC becomes a decision engine.
Incident responders experience a similar transition. AI-driven investigation platforms can assemble timelines, identify affected systems and suggest likely root causes in seconds. Our human expertise is still required for deciding how to act, whether to isolate systems, restore services, notify regulators, or escalate to leadership. These decisions are not just technical; they are business, legal and operational judgments.
Experience Density Is Now a Security Control
A key – often misunderstood – insight is that AI amplifies, rather than replaces, our human expertise. The effectiveness of an AI-enabled SOC depends not just on having AI, but on maximizing the judgment of experienced senior professionals who supervise it.
Senior cybersecurity professionals offer pattern recognition and institutional memory that models cannot match. They know how breaches unfold, how controls fail, how organizations react and how attackers adapt. This experience helps them weigh signals, filter noise and prioritize true risks.
Yet the ISC2 study underlined that economic pressure continues to drive layoffs, budget cuts and hiring freezes, especially in large enterprises. When organizations reduce headcount in ways that disproportionately remove experienced senior practitioners, they undermine the very human control layer that makes AI effective.
In an AI-enabled SOC, losing senior professionals directly increases operational risk. AI can surface patterns, but only experienced humans distinguish breaches from misconfigurations or anomalies. Automation accelerates mistakes as efficiently as it accelerates detection without that judgment layer.
Why Skills Matter More Than Headcount
For me, this shift explains why skills now eclipse pure staffing levels as the most critical issue for security teams. Nearly two-thirds of respondents report critical or significant skills gaps and 95% reported at least one skills deficiency. AI and cloud security remain the top two in-demand skills. Thus, teams that cannot develop essential skills will not realize AI’s promised benefits and the organizations they are supposed to help protect will experience intensifying operational risk as traditional career paths erode.
As AI automates the mechanical aspects of security work, the value of higher-order skills increases. Detection engineering, cloud architecture, risk modeling, governance and strategic security design become more important, not less. These are areas where mistakes carry real consequences and where human judgment cannot be replaced by automation.
This is also why we cybersecurity professionals remain optimistic about AI’s impact on careers. More than 70% said AI will create demand for more strategic and specialized roles. Rather than eliminating jobs, AI shifts demand toward professionals who can design, supervise and govern intelligent security systems.
The Collapsing Apprenticeship Model
Cybersecurity careers once advanced through exposure: help desk, system administration, junior analyst, senior analyst, then architect or leader. Entry-level professionals learned through real incidents and tasks.
AI is now automating much of the work that once required trained junior staff. Log triage, alert validation and basic investigation — the traditional apprenticeship layer — are increasingly handled by machines. This means that while overall headcount may decline, the need for structured AI-era apprenticeship models becomes more critical than ever.
My prediction is that entry-level roles will not disappear, but they will evolve. Instead of filtering alerts, they’ll supervise models, validate outputs and run simulations. They will help train and maintain AI for SOCs, raising the bar for entry work and heightening the need for formal training and senior mentoring.
The Year the SOC Changes… Or Breaks
The ISC2 study captured a profession at a tipping point. AI is driving rapid evolution, but success depends on pairing technology adoption with investment in experienced senior professionals. It’s clear to me that focusing only on automation will undermine security’s core mission.
SOC analysts and incident responders are not being automated out of a job. They are being elevated into roles that require greater judgment, deeper technical expertise and more strategic thinking than ever before. AI systems can correlate signals and surface anomalies, but only experienced senior professionals can determine whether those signals represent noise, misconfiguration, or the beginning of a major breach.
This is why experience density matters as much as tool capability. Yes: AI can process data at scale – but only experienced professionals can manage the cognitive complexity of risk, context and consequences. Without that layer, automation amplifies mistakes faster than humans can detect them.
So, organizations must shift now from simply responding to cybersecurity alerts to engineering trust in intelligent defense systems. Retaining and empowering experienced senior security leaders is essential for effective AI use, which can greatly enhance resilience. Conversely, neglecting this strategic investment risks that automation will exacerbate vulnerabilities rather than reduce them.
How Leaders Should Respond
As security leaders, the challenge for us is no longer whether to adopt AI, but how to do so without eroding workforce readiness and resilience. ISC2’s study data points to, I believe, four priorities.
- Organizations must allocate time and budget for continuous learning. Nearly a third already allow professional development during working hours, and a quarter fund internal training. These investments are essential as AI reshapes workflows.
- Governance, model oversight and policy enforcement are now core security disciplines. AI without experienced professionals in the loop doesn’t make security safer — it makes failures harder to see.
- Leaders must also measure what matters. Productivity gains should show up in reduced alert backlogs, faster detection and response, lower false-positive rates and stronger control coverage. If those metrics do not improve, AI is being misapplied.
- Finally, leadership commitment is critical. Only 32% of respondents said their organizations prioritize cybersecurity as a critical business function. AI-driven security cannot succeed in organizations that treat cybersecurity as a cost center rather than a resilience function.
On top of these four priorities, these are the questions that I think security leaders and executives should be asking (and making sure we have answers to):
- If AI is now doing most of the detection and correlation, who in the organization has the authority — and experience — to overrule it when the model is wrong?
- Have we preserved enough senior cybersecurity expertise to supervise automation? Or, have cost reductions quietly removed the people who understand what really matters?
- Are we using AI to reduce workload, or are we using it to mask structural underinvestment in skills, training and leadership?
- As security becomes more automated and specialized, how are we building the next generation of professionals who will one day be trusted with these systems?
- If regulators, customers, or boards asked us to explain a major AI-driven security decision tomorrow, could we clearly articulate why the system acted — and why we allowed it to?
As AI becomes part of security operations, our organizations face new decisions. Our success depends on who governs, supervises and trains, not just on technology.
Gerhard Kessel, CISSP, has more than 20 years of experience across federal healthcare, state government, global logistics and Fortune 5 enterprise environments. He has held technical, architectural and program leadership roles, with responsibility for enterprise security design, operations and governance. His cybersecurity work spans network visibility, medical device and OT security, and federally regulated compliance frameworks.


