“GenAI lays the foundation for preventive security. It can transform an organisation’s approach to security, by enabling faster analysis, decision-making and guidance, cutting through complexity, so security teams can stay ahead of attackers.”
Staff Research Engineer, Tenable
Scott Caveza joined Tenable in 2012, and is currently a member of the Security response team, helping the research organisation respond to the latest threats, previously he was leading the Security Response team and the Zero Day Research team.
Speaking with CIO&Leader he talked briefly about the current unemployment conditions in tech industry and exactly how much GenAI is a factor in the concerning gap between the demand and talent, and new threats in the evolving IT landscape.
During the conversation Scott shared his opinion on ethical use of AI without regulations. “Organizations should not wait for regulations but must develop AI governance policies to ensure the ethical use of data and AI,” he mentions.
CIO&Leader: According to the World Economic Forum, the global talent shortage, which spans nations, states and industries, could reach 85 million workers by 2030. Why is there such a gap between the ongoing demand and the shrinking talent?
Scott Caveza: The gap between cybersecurity demand and talent is driven by several factors. Rapidly evolving cyber threats outpace the supply of skilled professionals. Education and training programs often fall short in preparing candidates with the necessary expertise. The field’s high-stress levels lead to burnout, causing attrition. Additionally, a lack of diversity limits the talent pool, and the complexity of certification pathways can be a barrier. As cybersecurity becomes crucial across industries, the demand intensifies, making it harder to find qualified professionals who can keep up with the pace of technological change and the increasing sophistication of threats.
CIO&Leader: The prevailing sentiment regarding AI is that it will eventually replace jobs, despite assurances from numerous technology leaders who argue otherwise. Nevertheless, skepticism persists. What is your perspective on this issue, and in what ways can Generative AI contribute to reducing the unemployment gap?
Scott Caveza: AI won’t replace jobs, but those who embrace AI will outpace those who don’t. GenAI is quickly becoming a tool to bridge the cybersecurity skills gap, at least in the short term. Consider the current situation: 21% of organisations face a significant shortage of cybersecurity staff, and another 46% have a moderate shortage. Without skilled workers, managing cyber risks is tough. GenAI can help solve this by acting as a force multiplier, enabling resource-strapped teams to troubleshoot and proactively identify and fix security issues before they escalate into major attacks.
CIO&Leader: Unlike Europe with its AI Act, only very few countries have laws regulating artificial intelligence. How can organizations ensure the data used to train their models is ethical in the absence of such regulations?
Scott Caveza: Organisations mustn’t wait for regulations to be passed to incorporate ethical data protection practices into their workflows. While regulation is necessary to a certain degree, in the absence of it, organisations must curate AI governance policies to ensure the ethical use of data and AI. It’s also important to assess and address the social impact of AI use, while ensuring that AI is not used beyond what it is proven to do correctly, especially for unethical outcomes.
CIO&Leader: Is there any way to move towards the path of technological evolution with both cybersecurity and ethical regulation hand in hand?
Scott Caveza: Cybersecurity depends on defence and trust, but AI’s lack of transparency challenges this. Some AI models, especially deep learning ones, work like a “black box,” making their decision-making processes unclear. Intellectual property protections often prevent full transparency, which can be problematic when unexpected outcomes occur. This lack of clarity can undermine trust and create challenges for security professionals. To address this, it’s essential to build security into AI models from the start, ensuring that ethical practices and cybersecurity are aligned.
CIO&Leader: How secure is the cloud in 2024? Can you tell me more about the recently released Vulnerability Intelligence and Exposure Response feature by Tenable?
Scott Caveza: Cloud deployments are an organisation’s blindspot. Effectively securing the cloud requires looking across every aspect of potential risk exposures including vulnerabilities, cloud misconfigurations and identities. Even cloud-native organisations find it difficult to detect and remediate cyber risks in their cloud. To gain control over cloud security gaps, organisations must be able to discern the most critical risks and set priorities, and do so on a scale. This requires integrated, comprehensive risk analysis across all parts of the cloud infrastructure and automation of both the detection of risk and its remediation.
Towards this end, Tenable recently announced the availability of Vulnerability Intelligence and Exposure Response, two powerful context-driven prioritisation and response features. The combined power of these features contextualise vulnerability data from internal and external sources, enabling organisations to close the exposures that pose the greatest risks to their businesses. It offers seven curated exposure risk categories to proactively surface key exposures that need further review by highlighting CVEs under CISA-known exploits, active exploitation, ransomware campaigns, emerging threats in the news and more. Natural language search ensures security teams can look for specific vulnerabilities by CVE number or common name, review the context available and the impacted assets. It paves the way for targeted campaigns so that organizations can prioritize and mitigate critical vulnerabilities, ensuring resources are deployed efficiently.
CIO&Leader: In upcoming years, what is the biggest challenge the IT industry is going to face?
Scott Caveza: As more organisations migrate to the cloud, cloud security will become a top priority, making effective cybersecurity solutions essential. However, history shows that despite new technologies, some attack tactics persist because they work. Despite new technological challenges, organziations are routinely plagued by missing security patches, incorrectly configured cloud assets and identity and access control failures, introducting risk to their assets. The combination of old methods with new and emerging threats will lead to a new era of preventive security.