Reflections from some of 2019's largest cybersecurity events

By Richard Seiersen: Risk Management Author, Serial CISO, CEO Soluble

Boredom always precedes a period of great creativity. -- Robert M. Pirsig


Security At A Turning Point

Try this the next time you’re at a security conference.  Look, listen and note the vibe of the crowd. Are they hopeful and energized?  Or are they forlorn and disinterested? Go to the keynotes, hit the vendor floor and attend talks.  You want to listen for what matters to the practitioners - be it positive or negative. Surface talk may be about passing technology fads, but if you listen hard you will soon get to the important stuff - the unsolved problems and emerging opportunities lurking just below the surface. 

I recently attended RSA, SIRACon, Gartner Security and Risk Summit, AWS re:inforce and Black Hat, all within a short span. At Gartner and Black Hat I had the opportunity to do book signings. It allowed me to do a lot of listening, 200+ people's worth. That’s when I noticed that a new crowd was starting to take interest in risk - hardened security practitioners!

Most telling was a security team from the leading “Transportation Networking Company”. They represent the bleeding edge of security and technology in the Bay Area.  A whole gaggle of them got books signed and photos taken with yours truly (what nerds!). Apparently a large chunk of the home team is reading up on quant risk! I also found out that the leading “online marketplace and hospitality service brokerage company” is also getting their quant on. 

The point is, companies and practitioners of all shapes and sizes, from cloud native to legacy, are starting to consider quantitative risk management, aka next generation risk management. In particular, those companies that are driving huge chunks of risk surface through the intersection of cloud services, mobile, globalization, etc. Their interest in better risk management makes so much sense! This is why I believe we as an industry are at a turning point on risk.

The rest of this small essay is a bit of a forecast on where I see all of this quant risk stuff going. I could be wrong, but I hope I am right - at least in part.

Risk Surface Is The Driver

One of the reasons people like security is its mystery and surprise. First, we have bad guys. They are hard to see, block and catch. And they range from sentient to artificially intelligent in how they are deployed.

And then there are their targets. That’s the stuff we protect. It’s mysterious too. And it’s getting more so due to digital transformation and its by-product, risk surface. The latter topic is what brought me to Gartner this year. Risk surface acknowledges our growing digital uncertainty. The stuff we protect is literally “getting out of hand.” Long gone are the days where my assets, data and people are exclusively “mine” and under my control.

How do we guide security when what we protect is an intangible object wrapped in an enigma i.e. an expansive risk surface?  This is where NextGen Risk Management comes in. It’s what we use when we are confronted with “irreducible uncertainty” i.e. when we have gaps in our data yet we still need to take action.  Handling this uncertainty in an unambiguous and consistent way is what practitioners want. And it’s how we will confront the realities of an exploding digital risk surface.

Steps Toward NextGen Risk Management

It seems to me that the first and most important step into NextGen Risk Management is point of view.  Point of view is what guides our acquisition of skills and our ability to perceive opportunities. We talked about POV in our first book so I will only touch on it lightly here.  

Our methods of measuring risk should “retain our uncertainty without obscuring our certainty.” Some risk management methods are prone to taking the evidence of risk and obscuring it. How does this happen?  By using words like “high, medium, low” or “1-5.” That process, if not backed by empirical data, inflames ambiguity when it comes to decision making.  And risk is about decision making for practitioners and their machines. Suffice it to say, these approaches drain the information away from the objects of our measurement. 

The reason these methods persist is simply a lack of familiarity with the methods of measurement. This is easily solved, and as stated, it seems that security practitioners are already leaning in on the quantitative arts. And again, it's materially driven for them by expansive risk surface. And good news for all: you don’t need to become a data scientist to get started on your new risk journey. If you have a seventh grade math education you can do 99% of what’s necessary. This is largely due to the fact that computers are really good at math.

This then takes us to the innovation and opportunity gap. From what I can see, many of the risk tools in the security market are projections of the aforementioned “point of view” problem. As a practitioner, I would be looking for solutions that do a great job of amassing empirical data. And yes, sometimes we don’t have as much data as we want. In those cases there are quasi-subjective methods we can use. But when we use those methods we have to retain our uncertainty, i.e., we have to be honest about what we don’t know! So, start with the vendors with the countable data. And build skills for measuring our uncertainty that retain our certainty. But don’t stop there - you are on the edge of big fun!

The Heart Of Next Generation Risk Management

I will make this short, because I will be going into depth on this in future articles and my next book. I think the next generation of practitioners and innovators need to develop a skill called “Probabilistic Programming.” Did your heart just sink at the mere mention of programming or probability? I have a cure for that! Does the mere mention of using a hammer make your heart sink because you are not a licensed carpenter? Of course not! I hereby free you to type on a computer to make it do things without having to identify as a computer scientist or a data scientist!

But note, I did say “next generation.” That is a generation that identifies as risk modelers. And they see modeling first and foremost as a design process. And the first step is problem definition. Having defined your problem, you then move into getting data, choosing algorithms and such. But over half of the effort is defining the problem. The other large part of modeling is data. That is where the data-driven vendors mentioned above come in. You need vendors who are really great with data and have APIs that support modelers (again, like RiskRecon).
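To make concrete both the earlier point that “high, medium, low” labels drain information from a measurement and this section's notion of probabilistic programming as modeling, here is an added example (mine, not from the essay or any vendor). It scores two constructed scenarios first with an illustrative 1-5 heat map and then with a seeded Monte Carlo loss model; the scenario figures, the heat-map thresholds and the 90% confidence interval fitting are all assumptions for illustration.

```python
"""Added example, not from the essay: two constructed scenarios scored with a
1-5 heat map (labels) and with a small Monte Carlo loss model (distribution).
The scenario figures and heat-map thresholds are illustrative assumptions."""
import math
import random

Z90 = 1.645  # z-score that bounds a symmetric 90% interval


def lognormal_params(low, high):
    """Fit a lognormal to a 90% confidence interval on single-event loss."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def simulate_annual_loss(prob, low, high, n=100_000, seed=1):
    """Annual loss: the event occurs with probability `prob`; when it does the
    loss is drawn from the lognormal fitted to the (low, high) interval."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(low, high)
    return [rng.lognormvariate(mu, sigma) if rng.random() < prob else 0.0
            for _ in range(n)]


def summarize(losses):
    """Retain the uncertainty: expected loss plus percentiles, not a label."""
    s = sorted(losses)

    def pct(q):
        return s[int(q * (len(s) - 1))]

    return {"expected": sum(s) / len(s), "p50": pct(0.50), "p95": pct(0.95)}


def ordinal_rating(prob, high):
    """Constructed heat map: bucket likelihood and impact 1-5, multiply them."""
    likelihood = 5 if prob >= 0.8 else 4 if prob >= 0.5 else 3 if prob >= 0.25 \
        else 2 if prob >= 0.05 else 1
    impact = 5 if high >= 1e6 else 4 if high >= 1e5 else 3 if high >= 1e4 \
        else 2 if high >= 1e3 else 1
    score = likelihood * impact
    return "High" if score >= 10 else "Medium" if score >= 5 else "Low"


if __name__ == "__main__":
    # Constructed scenarios: A is rare but severe, B is frequent but modest.
    scenarios = {"A": (0.10, 50_000, 2_000_000), "B": (0.60, 5_000, 40_000)}
    for name, (prob, low, high) in scenarios.items():
        # Both land in the same "High" cell, yet their loss profiles differ.
        stats = summarize(simulate_annual_loss(prob, low, high))
        print(name, ordinal_rating(prob, high), {k: round(v) for k, v in stats.items()})
```

Both scenarios collapse to the same “High” cell, while the simulated distributions show one with roughly six times the expected loss and a far heavier tail; that difference is what the label throws away.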

My forecast - over the coming years we will see the demand for quantitative risk management emerge in a big way.  This is largely driven by a massive explosion in digital risk surface. And we are already seeing the data side of the equation emerging in the vendor space.  But what will really make this shift happen in its entirety is the practitioners. They are the ones that will create the spark that further revolutionizes our industry into NextGen Risk Management.  

It requires practitioners starting to see themselves as risk modelers.  And that requires building out a few new skills - what some of us are calling “probabilistic programming.” That skill must be married to data, ideally loads of risk surface oriented data.  And my prediction is that the vendors, the innovators, that can help make all of that easier for the practitioners will be big winners.