Winning Defense

Allison Miller didn’t start as a cybersecurity expert. The product manager for privacy and security at Google originally studied business and economics, before working in ecommerce and finance. When she takes the stage to keynote at SecTor 2017 this month, she’ll be drawing on her expertise in those fields to talk about how cybersecurity can redefine success.

One of the biggest challenges for cybersecurity professionals today is knowing what winning looks like, she says.

“What’s really challenging is that there isn’t a definition of success out there yet. There are simply people out there who are failing or who are trying not to fail,” Miller explains. In other industries, experts get to define success criteria and meet their goals. In cybersecurity, experts consider themselves successful if they end the day without falling behind the curve and letting an intruder in. “It’s not entirely satisfying.”

The other major challenge for cybersecurity experts is that unlike those managing risk in other industries, they’re dealing with active adversaries, she says. It isn’t just the free market they’re trying to beat.

So, if we were to start over and define the success criteria for the cybersecurity industry beyond “don’t let the bad guys in,” what would it look like?

Predictably enough, one idea of Miller’s comes from her background in economics and finance. Both disciplines share the concept of poverty, she points out.

We understand financial poverty well enough, and whole government programs are dedicated to fighting it. Cybersecurity’s poverty line is more subtle. Miller cites the work on cybersecurity poverty by Andy Ellis and Wendy Nather, which suggests that many businesses simply don’t have the resources to cover their basic cybersecurity needs, leaving them exposed. The implication is that the same applies to individuals, too.

“We have created a world where we think we have to spend a certain amount of money before we can expect security,” she says. “If we lowered that minimum bar of resources required (the ‘security poverty line’) so that more than the top 10-20% of enterprises are above it, I think that would be something that an entire industry could feel good about. That would be a fantastic success criterion.”

How do we help companies and individuals get there? This is part of the work that she does at Google, primarily with the safe browsing and account security teams. If someone can visit a web page and feel reasonably confident that it has already been evaluated from a security perspective, then that’s a way to give more cybersecurity to someone who may not otherwise have the time, education or technology tools to achieve it. The same goes for warnings about account compromise.

The other way that cybersecurity can tweak its success criteria is by refining its approach to risk management, she says, adding that finance also has something to teach the cybersecurity industry here.

“There are whole sections of finance dedicated to hedging strategies and figuring out how to manage variance from projections,” she says. “I hope that as practitioners, we can figure out how to adopt different metrics and success criteria where we can really evaluate our effectiveness.”

As cybersecurity becomes more mature in its approach to risk management, Miller sees automation playing a key part. What cybersecurity vendors love to call AI or machine learning is simply called statistics in the financial fraud management space, she points out. Financial institutions have been using this for years.

“To me it’s not romantic at all, but it is especially useful in systems that need to take a lot of facts into consideration and render an accurate decision,” she says. “Is this email coming into my inbox spam? Is this thing attempted with my credit card me? You couldn’t do it manually. You can’t make the decisions fast enough.”

Before cybersecurity practitioners can refine their approach to risk management, we have to learn how to describe it scientifically, she says. Understanding risk variance and its effect on financial losses, for example, is something that the financial world is very good at. By drawing on these disciplines, and then moving gradually into a world of automated risk analysis, cybersecurity pros can feel as though they’re getting ahead, rather than running to stand still.

Miller will be keynoting on this topic at the SecTor cybersecurity conference in Toronto next week. To see her speak, register here.