Presented by Kenna Security


For the past four decades, technologists have watched silently as Moore’s Law — which says that computing power basically doubles every 18 months — has been proven true again and again.

But there’s no Moore’s Law for workforce development. And there’s no Moore’s Law for the human brain.

The absence of Moore’s Law is felt acutely in cybersecurity, where the scale of challenges at major enterprises is so large that it is literally impossible to train enough people to ever tackle the problem (at least not in the way it’s being done now).

What if it were possible to up-level our thinking about cybersecurity? To work smarter, instead of placing long-shot bets on the ability to hire enough people?

In industry after industry, we’re seeing the power of data reshape how people tackle problems that many people have thought were insurmountable. Cybersecurity is no different.

Understand, measure, act

Cybersecurity generates mountains of data. The power of data boils down to the idea of risk: how to understand it, measure it, and act upon it.

For too long, however, cybersecurity teams have had trouble with all three parts of the equation.

To see what that means, consider where many enterprises are now. The typical large enterprise owns tens of thousands of assets, which themselves host millions of vulnerabilities — each a potential vector of intrusion.

Many large enterprises tally their vulnerabilities on spreadsheets. Because there are millions of vulnerabilities and spreadsheets only have so much room, it is not unusual to find organizations monitoring their vulnerabilities on more than a dozen full Excel spreadsheets. They never have enough staff to fix every vulnerability, so they have to make decisions about which ones to patch. They are guided by gut instinct and internal politics. Sometimes the team looks at a patch and opts not to use it simply because it could cause trouble somewhere else on a network. And, when it comes time to inform an inquisitive executive about their efforts, they often refer back to the spreadsheet for a series of static data points describing how many vulnerabilities they patched and how many remain.

The ability to count vulnerabilities on a spreadsheet, however, does not demonstrate an understanding of risk, because vulnerabilities are not equally risky. In fact, just five percent of vulnerabilities are exploitable. When organizations build their vulnerability management programs around a count of existing threats, they don’t really have an objective means of measuring the effect of that effort.

In essence, a traditional organization has built its understanding of vulnerability risk on a poor platform, hampering efforts to measure and act upon it.

Working smarter

Data scientists look through a different lens when evaluating risk. They don’t simply count vulnerabilities. Rather, they look at other data to understand the context in which the vulnerabilities exist, and they observe the factors that contribute to overall risk. This approach can help cybersecurity teams prioritize the vulnerabilities that matter.

We’re seeing data scientists have a similar impact in just about any industry in which they apply a brand of thinking that seeks to generate insights from objective information. In retail, data scientists help motivate customers to visit a store, or make one or two additional purchases. In finance, data science has been deployed to fine-tune creditworthiness decisions, among other things. In healthcare, data scientists are working through thorny challenges that come with the complexities of the human body’s incredible number of variables.

These solutions are only scratching the surface. The data scientists involved in these industries are not doctors, finance wizards, or retail marketing specialists. And yet, the tools and techniques applicable to one industry are useful to others. They save time, optimize efforts, and yes, make sure that teams work smarter.

At the end of the day, applying compute and algorithms to mountains of data is far more efficacious than trying desperately to hire cybersecurity professionals when there simply aren’t enough of them to go around.

Karim Toubba is CEO at Kenna Security.


Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact sales@venturebeat.com.