AI and Shrinking Workforces: New Realities in Cybersecurity

Original broadcast 6/8/25

Presented by Synack

As the cybersecurity landscape continues to evolve, the Department of Defense faces a growing list of challenges—shrinking cyber teams, expanding attack surfaces, and the transformative influence of artificial intelligence. Katie Bowen, Senior Vice President of Global Revenue at Synack, joined Fed Gov Today to explore these issues and offer insights into how DoD and the broader government community can adapt their cybersecurity practices to meet the moment.

A major shift on the horizon is the projected 10% reduction in the cyber workforce at the Defense Information Systems Agency (DISA). For Bowen, the implications are clear and significant. “We’re going to see some far-reaching effects,” she said. “This reduction is going to put more pressure on organizations to adopt cost-effective, scalable solutions—and more importantly, to ensure that those solutions are actually effective.”

Among the most immediate impacts of a smaller cyber workforce is the increased need for automation and modernization of security testing methods. Bowen highlighted that traditional approaches like dynamic application security testing tools have proven insufficient over time. “Those tools have largely failed us,” she said. “That’s why bug bounty programs have become so prevalent. Vulnerabilities still make it to production, and we need better pre-production assurance.”

The growing role of artificial intelligence in cybersecurity could both relieve and complicate the situation. Bowen emphasized the potential of “agentic AI”—autonomous AI agents managing complex security tasks—that could allow smaller teams to accomplish what once required dozens or hundreds of personnel. “We’re going to see AI Security Operations Centers—AI SOCs—come to life,” she noted. “These will enable faster, more precise detection and remediation of vulnerabilities, reducing the time it takes to exploit from days to hours. But this also raises the stakes because adversaries are using AI too.”

This dual-edged nature of AI means defenders must move quickly and deliberately. While automation can reduce alert fatigue and improve the signal-to-noise ratio in threat detection, it also requires a strategic deployment to ensure it’s solving problems and not creating new ones. “Getting clean signals from exploitable vulnerabilities is what we’re focused on,” Bowen said. “And we have to do it faster—because our adversaries certainly are.”

With the rising importance of automation, Bowen stressed that testing the efficacy of zero trust solutions is critical, especially as DoD rolls out and adopts new technologies. She warned against viewing these tools as simple plug-and-play solutions. “They are not,” she said. “Each organization needs to carefully evaluate where a zero trust solution fits in their architecture—and test it rigorously.”

Looking forward, Bowen outlined a set of priorities that she hopes DoD will adopt to navigate this new terrain. At the top of the list is shifting the focus of cybersecurity from outputs—like checkboxes and reports—to outcomes—like actual risk reduction. “We need to understand the true cost of security testing across the department,” she said. “This means measuring what works, not just what gets done.”

Bowen also called attention to overlooked aspects of the cybersecurity equation, like air-gapped networks. These isolated systems are often treated as secure by default, but she cautioned that they deserve the same rigorous testing and protections as internet-facing systems. “There’s often an assumed breach on those networks,” she said. “We have to secure them just as thoroughly.”

Ultimately, Bowen sees the coming years as a time of necessary reckoning for cybersecurity in government. Shrinking teams, rising threats, and disruptive technologies all point to the need for a shift in mindset. “We have to implement a modern, integrated security testing fabric,” she said. “It’s the only way to manage the pace and complexity of today’s threat landscape.”

The takeaway for agencies and industry partners is clear: The cyber threat environment is accelerating, and legacy processes won’t suffice. DoD must embrace AI responsibly, invest in outcome-driven testing strategies, and continually evaluate the efficacy of its tools and approaches. For Katie Bowen and her colleagues at Synack, that means helping the government secure its digital front lines through innovation, precision, and a relentless focus on results.

Key Takeaways:

• Shrinking cyber workforces at DoD, including a 10% reduction at DISA, necessitate smarter, more efficient cybersecurity solutions.

• Agentic AI and AI-enabled Security Operations Centers (AI SOCs) will drive faster detection, but must be deployed with care to avoid new vulnerabilities.

• Effective cybersecurity requires shifting from output-based to outcome-based metrics, ensuring that investments deliver real risk reduction.