Last week at RSA—the security industry’s largest conference—Andrew McAfee, co-author of “The Second Machine Age: Work, Progress and Prosperity in a Time of Brilliant Technologies”, introduced the trifecta of geeks, machines and outsiders as technological innovation’s driving factors. However, after listening to numerous panels and talks during the week that glossed over or downplayed the relevance of geeks, machines and outsiders in moving the security industry forward, it was impossible to miss the irony of McAfee’s argument.
So using the criteria of geeks, machines and outsiders as the driving factors in technology innovation, how does the security industry fare? Based on my week at RSA, here is my assessment:
- Geeks: By geeks, McAfee refers to people who are driven by evidence and data. Despite the buzzword bingo of anomaly detection, outliers and machine learning, it is not apparent that the implementation of data science has evolved to the point in security that it has in other industries. This might be shocking to insider experts who find that data science has almost reached its peak impact in security. To the contrary, as one presenter accurately noted, data science is, “still in the dark ages in this space.”
Most data science panels at RSA devoted entire presentations to non-technical and bureaucratic descriptions of data science. In fact, one presenter joked that the goal of the presentation was to only show one equation at most, and only in passing, in order to try to maintain the audience’s attention. While the need to reach a broader audience is understood, panels on similarly technical topics such as malware detection, authentication or encryption dove much deeper into the relevant technologies and methodologies. It’s unfortunate for the industry that the highly technical and complex realm of data science is not always granted the same privilege.
Incorrect assumptions about data science were also prevalent. At one point during one of the talks, someone commented that “the more data you have, the higher the accuracy of the results.” Comments like these perpetuate the myth that more data is always better and ignore the distinction betweenprecision, recall, and accuracy. Even worse, the notion of “garbage in, garbage out”, which is taught at any introductory level quantitative course, did not even seem to be a consideration.
Finally, security companies seem to buy into the notion that data scientists are necessary for the complex, dynamic big data environment, but they have no idea how to gainfully employ them. During one panel, a Q&A session focused on what to do with the data scientists in a company. Do you partner them with the marketing team? Finance? Something else? It was clear that data science remains an elusive concept that everyone knows they need, but have no idea how to operationalize.
- Machines: Ironically, it was a data science presentation that, although short on real data science, provided the strongest case for increasing human machine interaction in security by illustrating its success in other industries. In his own argument about machines as a driving factor in technology innovation, McAfee pointed out that companies that ignore human-machine partnerships fall behind. This remains a dominant problem in the security industry, as the numerous high-profile breaches of the last few years illustrate.
Unlike in many other extraordinarily technical fields, the human factor is often overlooked or ignored in security. Whether it’s boasting thousands of alerts a day (which no human could ever analyze), or the omnipresent donut/pie chart visualization which is the bane of the existence of anyone who actually has to use it, the human factor approach to security—like data science—lags well behind other industries. While there was an entire RSA category devoted to human factors, the vast majority of those panels were focused on the insider threat, rather than on the user experience in security. The importance of the human-machine interplay is simply not on the security industry’s radar.
- Outsiders: McAfee’s last point about outsiders emphasizes the erroneous mindset in some industries that unless you grew up and are trained in that specific field, you have nothing to offer. Instead, industries that are open to ideas and skills from other fields will have the greatest success in the foreseeable future. This perspective has actually been the driving force of creative innovation throughout time. The wariness (and at times exclusion) of outsiders in the security industry is extraordinarily detrimental not only to the industry, but to corporate and national security as well. It impedes cooperation at the policy level and innovation within the security companies themselves. Although not commenting on the security industry specifically, McAfee reiterated the foundational role of a diversity of views and experiences, working collaboratively together, to foster innovation and paradigm shifts.
This preference toward industry-insiders is the driving factor limiting the integration of data science and human-machine partnerships and hindering security innovation. The response to McAfee himself was perhaps indicative of the industry’s perspective on the issue of outsiders. McAfee was the last keynote presenter of the day. Many attendees sat through a series of talks by security insiders, but unfortunately left when it came time for an outsider’s perspective.
Changing an embedded mindset can be even harder than developing the technical skills. This is especially apparent in the security industry, which has yet to figure out how to take the great advances in data science and human-machine interaction from other industries and leverage them for security. As a quantitative social scientist, it was truly mind-boggling to see just how nascent data science and user experience are in the security industry. The future of the security workplace should obviously maintain subject matter experts, but must also pair them with the data scientists who truly understand the realm of the possible, as well as UI/UX experts who can take the enormous complexity of the security data environment and render it useful to the vast user community. It’s ironic that such a technology-driven industry as security completely discounts its roots in Ada Lovelace’s vision of bringing together arts and sciences, machines and humans. Maintaining the status quo—which in the security industry is 0 for 3 in McAfee’s categories for innovation—should not be an option. There is simply too much at stake for corporate and national security. Technical innovation must be coupled with organizational innovation to truly leverage the insights of geeks, machines and outsiders in security.