Jeremy D’Hoinne and Pete Shoard, VP Analysts at Gartner, highlight how AI and automation are transforming SOCs, reducing junior roles but increasing reliance on senior analysts. Gartner warns against over-automation and urges investment in skill retention, training, and measurable AI outcomes to avoid skill erosion.
Using AI and automation within the Security Operations Center (SOC) is inevitable and, to some degree, already present. The vast volumes of log data, complex investigative methods, and difficult-to-spot patterns are increasingly challenging to manage. However, achieving complete end-to-end automation of security operations is impossible, partly because of the unobtainable requirement for flawless accuracy. The idea that human contributions to SOC responsibilities can be entirely replaced is a fiction.
As the adoption and prevalence of AI and automation grow, the requirement for entry-level security operations roles might drastically decrease. This shift will impact the ability of junior staff to gain the operational experience needed to advance to senior roles, such as senior incident responder, threat hunter, and red teamer. Consequently, the average time to recruit for senior roles is expected to increase. Gartner predicts that by 2028, the security operations skills gap will worsen, with one-third of all senior roles remaining vacant for more than a year.
The aggressive claims that technology can replace junior analysts are leading to overzealous attempts to automate key incident response processes, driven by efficiency programs or budget attrition. This rush to automate often occurs without applying quality or rigour to analysis processes. As a result, senior analysts and newly promoted junior analysts are encountering an increased volume of pre-processed events and reduced explainability, because automated processing has taken responsibility for more of the basic tasks.
Reliance on GenAI tools to perform more complex ‘reasoning’ may be used as an excuse for deskilling, exacerbating the high churn rate for senior security roles and leaving many job postings unfilled.
To effectively manage the issue, security operations leaders should resist the temptation to present task productivity improvements as the outcomes of AI initiatives. Instead, the focus should be on enhancing team dynamics, leveraging existing security metrics, and conducting qualitative evaluations of smaller experiments.
To minimize skill erosion, organizations should implement talent and skills retention programs to reduce senior staff churn. Furthermore, it is vital to accelerate the progression of junior SOC staff to senior roles by investing in training and long-term retention incentives.
Security operations leaders must define measurable outcomes for AI investments by focusing on team objectives, clearly identifying bottlenecks and explaining relevant security use cases. Critical skills must be safeguarded by integrating regular manual verification as part of initial and continuous training plans.
Gartner analysts will be discussing the key strategies, technology and trends related to security at the Gartner Security & Risk Management Summit, taking place in India and Dubai later this year.