The future of cybersecurity will not only be unrecognizable from today, says David Foote, the company's chief analyst and research partner. Foot Partners LLCit will also be “messy” and “unpredictable” as the A.I. changes the world.
The profession's current focus is on managed services, cloud workloads, endpoints, and identities. But during the presentation in Security Congress ISC2 2025 In Nashville, Tennessee, in late October, Foote said things were about to change.
By 2030, almost every business system, from finance to construction management, will include some form of embedded artificial intelligence agent that makes decisions. These decisions will involve moving money and negotiating with suppliers. As a result, cybersecurity experts will protect everything from smart factories and robots to implantable medical brain-computer interfaces.
“Imagine a world where biology and technology come together and you try to protect it,” Foote said. “It's a completely different world.”
Other systems requiring new protections will include both human-aware and neuromorphic devices. Neuromorphic chips that mimic the neural systems of the human brain are currently being developed by vendors such as IBM and Intel. Systems based on such technology will not only be faster than existing computers, but will also process unstructured data more efficiently.
Threats will come from everywhere
At the same time, important new technologies in the cybersecurity space itself include autonomous securityand quantum encryption. Foote expects quantum computers to be available in just five to eight years, which he says will render existing encryption technologies useless.
“Cybersecurity is becoming predictive rather than reactive and zero trust becomes table stakes is the norm,” Foote said. “You will protect autonomous systems and entities that operate independently outside of your control.”
This means that “threats will come from everywhere, not just from the perimeter, because there is no security on the perimeter – the idea of the perimeter is gone,” he added. As a result, the role of cybersecurity professionals will change from being a “protector” to advising the company on risks and ensuring everyone is involved in managing those risks.
Another result is that the concept of identity will become more important than ever. “First of all, it will be identity, identity of everything,” Foote said. “Identity will become much more dangerous than it is now unless you have properly secured systems.”
The need to embrace change
But while the implications of that future may seem daunting, Foote believes that if cybersecurity professionals are prepared to embrace the changes ahead, he “can't imagine a better, more opportunity-forward career.”
These opportunities will arise because “there will be more cyber attacks with higher costs, huge demand for talent, more room for growth and opportunities to work with ever-evolving technologies, the ability to work anywhere in the world, become self-employed and it pays very well. This is not something I see very often in the universe of IT jobs,” he said.
For example, in case of labor shortage. ISC2 estimates the global skills shortage to be around 4.8 million. Today. What's worse is The World Economic Forum indicates that only 14% of employers are confident they have the necessary talent to achieve their cybersecurity goals..
The key expertise here, which is already in demand today, but will be even more in demand in the future, is soft skills. As AI takes over more and more of the scientific work currently performed by practitioners, those who can communicate and collaborate effectively with business will be especially highly valued.
“In the future, you'll be working with machines, but you'll also be collaborating a lot more with people you've never worked with before, with areas of companies you've never worked with before,” Foote said. “So your ability to work as a team and work well as a team, to change, to learn, to unlearn, to relearn, to fail, to change gears—that's going to be extremely important.”
These skills, including creative thinking, leadership and social influence, resilience, flexibility and agility, will also become increasingly important “as we enter the innovation economy,” he believes. This is because they will be critical in helping companies stay alive.
“In 2030, companies will be wondering whether they can continue to do business after they've suffered a breach so severe that their backup systems are down and they can't even restore them,” Foote warned. “It sounds scary, but you have to be able to protect these things, and that requires you to up your game.”
Demand for generalists with business sense
However, he does not recommend doing this by obtaining additional certifications or recertification, since “that will not help.” Instead, the secret is to develop more business sense rather than technical acumen.
“You will need to attend more business conferences or even HR conferences to better understand what the business wants from you and how deeply involved you will be in decision-making processes that you have never been involved in before if safety is the predominant factor determining whether a company lives or dies,” Foote said.
Another growing shift among employers is the growing interest in so-calleduniversalistsGeneralists have deep technical skills in one or two specific areas, but also have interdisciplinary literacy and an understanding of the business context.
“Companies want someone who has intelligence, incident response, AI security, identity, industrial control systems—they want that in one person, and they also want them to have broad domain knowledge so they can work across the entire company, not just in one place,” Foote added.
Interestingly, he says, between now and 2030, employers will become less interested in “the smartest technologist in the room.” Instead, the focus will be on finding professionals who can “shift machines, risks and regulations… and business goals while keeping your team healthy and efficient.”
The key here, says Foote, is that “work becomes more human as tools become more automated.” This more human work includes understanding the risks, consequences and ethics of AI.
How to deal with change at the top
Meanwhile, another shift at the highest level of cybersecurity echelons has been the emergence of the position of chief information security officer (CISO). Due to high levels of burnout among former CISOs who have since left the profession, the office has two complementary leaders. Each of them can demonstrate experiences and strengths that are often difficult to find in one person.
The first is a technical specialist who manages and supports the cybersecurity team. The second is more business-oriented, often a former internal consultant who focuses on strategy and interacts with senior management and stakeholders.
Deirdre Diamond, founder and CEO of a recruitment consultancy, made a similar move. CyberSNOver the past few years, we have seen the creation of security director positions. “It used to be that there were just CISOs, engineers and analysts, but nothing in between,” she said. “There are no potential clients, no security directors, and that involves investment.”
Many of these security directors are focused on strategy, and in some circles are being called “chiefs of staff” for the first time. Diamond believes the role is typically related to governance, risk and compliance, or architecture, and believes the role will become increasingly “critical to truly staying on top of cyber capabilities and the speed at which change occurs.”
“They have a responsibility to not only take the strategy and make sure it's implemented, but also to show where the gaps are in that strategy, where the cyber capabilities are, and staying on top whenever there's a movement or a change. It's a big job,” she said.
Success equals well-trained and motivated staff.
Further down the ladder, Diamond pointed to the decline in the number of new employees employers have hired in recent years – which she called “a challenge for all of us because these are our future people.”
For example, the number of organizations hiring interns has declined over the past three years. But that's not due to a lack of willing candidates, but rather a lack of people and time to train them in-house, “unless they're Fortune 250 or higher,” she explained.
“This problem is still our problem and it hasn't gone away,” Diamond said. “If anything, it's gotten worse because for the first time in the last 18 months we've started outsourcing cybersecurity to other countries, quite frequently, which means we're training people there, which means we have fewer qualified people here.”
To make matters worse, there is also a significant shortage of very qualified engineers or architects, with professionals taking five to eight years to reach this level.
“It's a long time. So, there is a real skills shortage, and it's certainly a training issue,” Diamond said. “Even the firms that have the money for training and the budget, people just don’t have the time to take advantage of it.”
But Foote believes that, ready or not, change just has to happen, and that means cybersecurity professionals need to be ready. He believes they have about 12 months before organizations become clearer about what they want and need in terms of AI to get a return on investment, develop appropriate business plans to achieve that goal, and staff accordingly.
But the secret to success in this new world will be more than just protecting systems, he said. It will be about creating safe ecosystems, ethical AI policies, and a sustainable culture that, most importantly, is based on a well-trained and motivated workforce.
