We had this worry years ago, and guess what? Nothing is happening in the space that would reduce the number of required security professionals to keep the world spinning.
If anything, more than ever we need security professionals in all disciplines. More applications is developer, more innovation is created by visionaires, more eyeballs we need to test it all.
Unfortunately, we’re not moving in the enough fast pace in the security space, to reduce the costs for businesses of running security operations. They still need to hire highly competent and expensive security professionals.
On the macro scale, nothing has really changed over the past 2 decades. On the micro scale, you have a few companies that are really on top — google, microsoft, facebook, apple, netflix, spotify. These companies really know how to do security well, have incorporated SSDLC and DevSecOps principles to reduce their costs and improve effectiveness. But these companies represent like what — 0.01% companies on the globe? You still have hundreds of thousand of companies who are in deep trouble, because they haven’t ever done any security, and most of them have no intention of doing so.
If you want to see how the world evolves, compare the security posture of an average IT company in US VS Europe. It doesn’t come even close.
Having had worked in US, mostly Silicon Valley based startups, we were doing crazy awesome things, like CI/CD automation, DevOps, securing DevOps, high availability massive deployments in clouds, implementing Secure SDLC into every single phase of SDLC, trying to coach people on DevSecOps principles and creating a lovely culture in which every single person collaborates together as opposed to working in independent silo, which reduces the velocity of the whole company.
And then you go to literally 99% of companies outside of the SV bubble and you see nothing but the same things you could’ve seen for the past decade. Yeah, maybe they’re using different terms now, everything is prettier but at the core — nothing has really changed and you have still XSS bugs all over the place, with software engineers and QA testers having little no to interest/acumen in InfoSec or appsec for that matter.
It’s not even US vs Europe. In reality it’s 10 SV companies VS everyone else. Everyone is confused. People confuse penetration testing with security scans and vulnerability assessments. Nothing is concrete anymore and not in pejorative sense — it created a massive job market and the bandwagon on which you can jump and have a good life. It doesn’t even really take that much to start working in InfoSec anymore. If you’ve got any basic overview of OWASP security testing, there is a ton of companies willing to coach you and get you up to speed internally so you generate revenue for them, regardless of how it’s being potrayed to the customer.
In InfoSec the demand has significantly outgrew the supply, and companies fake it till they make it. They sell vulnerability scans performed by undergrads as a full blown penetration tests. Sure, they’re not able to cheat the old guard and people who’ve been in the dirt, but 99% of companies buying the services are clueless and confused by the amount of fluff that’s all over the web and thanks to marketers who created even more confusion in the space.
So no worries, you, and likely your kids will have work to do. Of course it’ll be evolving and of course it’ll require more in-depth specialisation in a niche, because there is too much stuff to be a generalist in, but still — it won’t come at the rate you expect it to be. If you’ve been a pentester for the past 5 years, you can literally do nothing for the next 7 years career-wise and still have fantastic job and be making horrendeous amounts of money using the skillset you acquired in the past few years + on the job.
It’s never been so good for offensive security professionals as it is now, regardless of their seniority. Get out of the micro-scale bubble and hype of fast paced world and live your life. Nothing is going to be taken from you. At least no anytime soon.