The Bench You'll Need in Three Years Depends on Decisions You Make Now

Today’s entry-level security analysts and engineers will become the mid-level talent available to hire in three years. As AI-native security tools automate alert triage, report drafting, and other repetitive work, that talent pool is contracting. Security analyst postings — the most common starting point in the field — fell roughly 25% between 2022 and 2024, according to CyberSN’s analysis of 45 cyber job functions. The downstream effects are predictable: hiring gets harder, benches get thinner, and fewer people are ready to step into more senior roles.
But this is only part of the story; there isn’t a shortage of people interested in security. It’s a mismatch — a widening gap between what organizations need and what the available pool has been trained to do. Entry-level roles were the mechanism the industry used to close that gap over time. Eliminating them doesn’t eliminate the gap. It just stops the repair. For CISOs and other security leaders, this is an early warning sign of a problem that will eventually show up in hiring, provider quality, and bench strength. If the old entry path is narrowing, what replaces it?
Today’s Hiring Shortcut, Tomorrow’s Talent Shortage
Whether you are buying security services or building a lean internal team, the future quality of both depends on whether someone is developing the people who grow into senior roles. For midsize organizations, a talent-pipeline problem can turn into an operating problem quickly. Lean security teams with constrained budgets, one or two external security providers, and no real depth on the bench do not have the same options as larger organizations. Bigger companies can absorb a hiring drought by promoting internally, running rotational programs, or simply outbidding the market.
This is a structural shift in the industry, and the capital flowing into AI-native security makes that visible. In a recent survey of 125 U.S. cybersecurity investors, 42% said reducing total cybersecurity spend is the strongest driver of enterprise AI adoption. The highest-conviction investment area was SecOps: automating alert triage, reducing analyst workload, and addressing the shortage of skilled security talent. 85% also said they want decisive proof of returns within three years.
The operational stakes of getting this wrong are concrete and immediate. Attackers can now get in, execute, and exit within a 30-minute window. Threat actor dwell times have collapsed. The most damaging incidents play out faster than most security teams are currently equipped to respond to — not because the technology isn’t there, but because the experienced people who know how to use it under pressure aren’t. The talent-pipeline problem and the response-readiness problem are tightly connected.
The market is rewarding labor compression in exactly the parts of security that used to serve as feeder roles. Entry-level pathways will not survive as a byproduct of optimizing for efficiency. If they survive, it will be because today’s security leaders decide they matter enough to protect.
Analysts Aren’t Learning the Hard Way
Most tier-1 analyst work is repetitive and high-volume, which is exactly what automation should absorb. The real loss is what that work used to develop: judgment. Advisory roles, incident response leads, and the analysts your providers rely on for informed decisions did not appear overnight. They developed through repeated exposure to alerts, triage decisions, false positives, ambiguous signals, and real incidents. Pattern recognition, triage instinct, and the ability to separate noise from signal under pressure are built through experience, not produced by training alone.
Call it judgment under uncertainty or call it the ability to hit a wall and find a way through it: dig under it, go around it, or break it down if necessary. That quality comes from being put in situations where you have to figure things out without a playbook, repeatedly, until the improvisation becomes instinct. That’s what’s at risk of disappearing.
AI can compress part of that learning curve. It cannot replace the accumulated context that comes from working through messy situations repeatedly. The goal is not to preserve a job category for its own sake. It is to preserve the developmental function that category used to serve: the learning, the judgment-building, and the path into more senior work. If automation is absorbing the old vehicle for that development, security leaders need to decide what the new one looks like.
If Entry-Level Roles Disappear, What Replaces Them?
There is not a single replacement for the old entry-level role. But the building blocks of a better on-ramp already exist, and security leaders do not need to invent them from scratch. The new path will be some combination of structured training, supervised AI-assisted work, broader ways of recognizing skill, and new early-career roles.
Apprenticeships and structured early-career programs can move the developmental function of tier-1 work into a more deliberate format. IBM, Microsoft, and a growing number of Department of Labor-registered programs are already combining supervised work with structured skill development. For midsize organizations, the question is whether to participate in those pathways or assume someone else will build the pipeline they will later need to hire from.
Most security organizations are already handing people access to AI tools and expecting them to learn by using them on the job. The gap is in whether that learning is supervised and deliberate — or just assumed to happen on its own. Structured programs help, but are people using the tools that actually define their jobs now? AI can shorten the learning curve, but only if the supervision is real. If AI strips juniors out of the workflow, the developmental problem remains.
The Skills That Actually Predict Security Performance
Security leaders can also broaden what counts as proof of ability. Capture-the-flag (CTF) performance, bug bounty history, home lab work, open-source contribution, and cyber range participation often demonstrate more practical capability than degree filters, certification screens, and checklist hiring. Expanding what to look for does not mean lowering the bar. It means recognizing skill and mindset in the forms they actually take.
Among early-career candidates, technical skills are often table stakes. The real differentiators are initiative, impact, and human skills, which are more scarce than they should be in less seasoned candidates, and more predictive of long-term performance.
New AI-era entry categories are also starting to emerge. LLM security testing, AI red teaming, governance and validation work, exception handling, and investigation review all require technical instinct, but not necessarily years of senior tenure. Many organizations have not defined these roles yet, which is exactly why they are worth defining now.
Where Do I Start?
For midsize security leaders who don’t know where to begin:
- Start by preserving at least one supervised junior seat instead of eliminating every entry-level role as AI absorbs repetitive work. A single well-structured position, with real supervision and deliberate skill progression, keeps a development function alive without requiring a formal program.
- Redirect some of the efficiency gains from AI-native tooling toward an apprentice, a rotational seat, or a junior-plus-copilot model. If automation is reducing analyst hours, some of those savings can help fund the bench you will need to hire from in three years. That is a practical investment, not philanthropy.
- Consider broadening your hiring screens. CTF performance, bug bounty history, and home lab work can often tell you more about capability than years-of-experience filters and certification requirements.
- Ask your security vendors: does your operating model create a path for junior security talent to develop, or is it mainly built to remove that layer of work? Companies that optimize only for labor efficiency may improve their own economics while shifting the long-term cost to the broader talent pipeline. That is worth understanding before you buy or renew.
You do not need a giant program. You need an intentional one.
The Talent Pipeline You Get Is the One You Build
AI is not narrowing the talent pipeline. Passive optimization is. If AI is used only to compress labor, the pipeline narrows with it. If it is used to redesign how people enter, learn, and mature in the field, the outcome can look very different.
It is not a choice between AI and people. It is a choice between using AI only to reduce headcount, or using some of those gains to build a better path into the field, which requires a decision.
The organizations that find and develop impact-oriented people will build the bench they need. The ones that optimize only for efficiency will eventually find out exactly what they gave up to get there.
