Working and Playing Well with Our New Cybersecurity Co-workers
About a year ago, I caught up with Mark Newhouse about his current work as a full-stack developer. Inevitably, our conversation turned to AI and cybersecurity. “You know, I don’t see the big fuss about AI, really,” he said at the time. “I looked into it pretty carefully for a few weeks. It’s not ready for prime time.” Mark told me that he had been working with Anthropic’s Claude a bit, making the tool part of his work schedule. He didn’t end up using any of the code directly in his work, so he pretty much dismissed the whole thing.
I was particularly interested in his perspective because he has an open mind and a tremendous amount of experience, and because AI is slowly changing many tech workflows, including the software development lifecycle.
A change in perspective: Secure software development
Well, about 2 months ago, I caught up with Mark again. His story and general attitude had changed in three significant ways: First, he said that Claude had radically improved its ability to generate high-quality code. Second, Mark had looked more deeply into Anysphere’s Cursor, and its ability to use agents. He found those particularly useful. Third, he told me that he had to change his perspective as a developer a bit over the last few months. How? He told me how his boss had been asked to think more in terms of cybersecurity.
This third development is a pretty big deal. Why? Because Mark is part of a larger trend. Developers have historically been relatively dismissive of traditional cybersecurity, and they are usually pressured to focus on innovation and customer experience instead. So, when his boss asked him to think more about cybersecurity, that really caught my attention. I think that this request from Mark’s boss is a micro-instance of a transformation in the developer’s job role: developers are now being asked to focus more on cybersecurity. This is a change in a critical workflow: the software development lifecycle. For all of the talk about secure software development, there is increasing evidence that it is actually beginning to happen.
Such changes in workflows, frankly, aren’t very easy to navigate alone. Mark needed help. In this case, help arrived in the form of an AI assistant. Years ago, that help would have been a relatively expensive and time-consuming conference with a cybersecurity professional. But Mark didn’t do that, at least not initially.
Transforming a developer’s mindset: New requirements, more capable co-workers
Specifically, Mark configured an agent within Cursor to check his code for some of the OWASP Top 10 categories. He told me that using the agents helped him fulfill his boss’s request, save some time, and become a bit more conversant in cybersecurity. Mark then told me he took the resulting output and suggestions from the agent into a meeting with a cybersecurity professional. He found that he could now work more quickly with “the cyber dude” as he checked Mark’s code. “Everybody wins when I use AI this way,” he said. It saved time. Everyone delved deeper into the implications of the code he was creating. The company could remain creative and nimble. But it could also move forward with more confidence now that everyone knew cybersecurity issues had been addressed up front. This is a big deal. Why?
Mark is an example of a few growing trends: First, the most progressive individuals and organizations are very deliberately investigating the efficacy of AI. Mark isn’t the only person. I’ve seen this same deliberate (some would use the terms “slow” and “glacial”) approach over the last year in organizations as diverse as Nestle, State Farm, HSBC bank, AstraZeneca, ING, the UK Army, and the US Department of Defense. They’re slowly beginning to use it directly in their work and in their workflows.
Second, Mark sees AI as a co-worker that helps him work more securely. This is very important. Third, AI provided Mark with what he called “guardrails” that allowed him to code more securely. One of the biggest business process workflow issues in the cybersecurity and tech space is the constant stream of problematic code entering the attack surface. Mark’s story shows me that the entire IT industry – developers included – is beginning to change workflows and improve the quality of the code, tools, and processes that create our modern technical world. That’s encouraging.
Join in on the fun at the HI-TEC conference!
If you’re interested in learning more about what we’ve discovered about working with our AI co-workers, you can join me at the HI-TEC 2025 conference in Minneapolis on July 23rd from 1:15 to 2:00 p.m. I’ll be discussing a few more case studies about how the cybersecurity profession is embracing AI in truly productive ways, along with some of the ramifications of our current use of AI. I’ll also cover some of the things we’ve been learning from the CompTIA State of Cybersecurity 2025 and Workforce and Learning Trends 2025 reports. See you there!