AI

If AI is the Answer, You’ve Asked ALL the Wrong Questions

For those reading this who are cybersecurity professionals (and who else would read this crap?); In your entire career, have you ever come out of the back-end of a risk assessment and said; “We need Artificial Intelligence.”

Anyone?

I seriously doubt it, unless you happen to sell artificial intelligence, or more likely, you’re trying to pass off your product as artificial intelligence.

But let me just clarify before I continue whining; AI is exciting as Hell, and I cannot WAIT to see what comes next. I am not in the ‘Skynet’ camp, and I even disagree with people a thousand times smarter than me. No, not my wife (this time), but the likes of Stephen Hawking, Bill Gates and Elon Musk, all of whom have issued their own warnings/predictions on the subject. I think AI is going to make our lives better in almost every way. Almost.

But not in cybersecurity at the organisation level. Not yet. Most businesses simply don’t have anywhere near the foundations in place to implement it appropriately, let alone effectively. Implementing any technology on top of broken processes and/or an indifferent security culture may only serve to make things worse.

I can see it in working the threat intelligence arena, where a behemoth like Alphabet – and their mind-boggling access to almost everything -, can fund something like Chronicle. But this is just one small part of a security program, feeding into the ages-old clichés of ‘defence in depth’ or ‘layered security’. AI is certainly not the panacea those with a vested interest would have you believe. Basically, if you don’t have the same access and deep pockets as Alphabet, you should be probably be focusing on the hundreds of other things you should have done long before now.

And even if there was an AI ‘appliance’ that you could just plug-and-play on your network, do you honestly think the bad guys won’t work out how to circumvent it with some AI tricks of their own? Regardless of the technology, the good guys always have to play by the rules and the bad guys will always do whatever it takes. This is not a fight we are EVER going to win, so stop trying. The only thing we can do, and the sole premise of my career, is to minimise the damage. Security folks are the definitive guys bringing a knife to a gunfight. But we will fight.

This is neither cynical, nor a cop-out, it’s reality, and spending money on a technology you’ll never understand, or maintain yourself, is not going to change that.

But none of this will stop organisations spending money on nonsense. On the one side you have product vendors, technology-centric consultants, hype in the press, and indifferent CEOs. On the other side, you have the ages-old security basics and a very limited number of stubborn practitioners. It’s not really that surprising that acronyms and the latest shiny-things get all the attention, just unfortunate.

In fact, it’s no different from ‘get rich quick schemes’ or ‘diet pills’, there are very few shortcuts to wealth and none to losing weight. Both involve getting off your lazy arse and doing something. So does security.

But most of all I simply can’t abide vendors who try to fit every single problem into the one thing they can do. From operationalising the whole of GDPR with ISO 27001, to solving every limitation of digital payments with biometrics, the attraction of the silver-bullet is just too much for some to resist. AI and machine learning are the latest purveyors in a long line of empty promises.

Perhaps I’m no better, all I can do is help you implement the basics. But I’ll guarantee what I’m selling is a damned sight cheaper and significantly more permanent! 🙂

[If you liked this article, please share! Want more like it, subscribe!]