Richard Rushing (CISO at Motorola Mobility) came to #BHMEA22 and reminded us to be mindful about how much we rely on metrics – and more importantly, how we communicate metrics (and their value) to people who don’t care about them as much as we do.
He cited a Gartner study which revealed only 12% of metrics delivered to organisations are actually used in decision-making processes. Because the people making decisions often don’t understand the metrics well enough to care about them. They’re not useful. They’re not updated regularly enough. They are often, in effect, a waste of time.
But the people delivering those metrics know they can be useful. They wouldn’t be a waste of time if everyone knew what they meant and how to use them. So how can cybersecurity teams make that happen? How can you deliver metrics about an organisation’s security in a way that means those metrics will actually influence decisions?
Most people are not wired to be captivated by cybersecurity metrics. But human beings are hardwired to care about stories. Studies including this one (published in the peer-reviewed neuroscience journal, Cerebrum) have found that compelling narratives trigger the release of hormones including oxytocin – which has the power “to affect our attitudes, beliefs, and behaviours,” and can motivate us to engage in cooperative action.
Story researcher Kendall Haven identified a general story structure that is particularly effective at engaging attention and increasing understanding. And cybersecurity teams can use this to shape their communications strategies – providing information to organisations in a way they’ll really connect with.
The structure goes something like this:
Rushing quoted Ted Schlein, who said:
“There are only two different types of companies in the world: those that have been breached and know it and those that have been breached and don’t know it.”
And, Rushing added, “in this day and age that’s really true.”
But ensuring that more companies do know when they’ve been breached requires a more coherent approach to security – and it starts with understanding risk.
“Risk has to start at the top,” Rushing said. Executives need to determine what kind of risks they need to fix, and where those risks might be. And they also need to identify their own risk tolerance: what kind of risks are accepted, and which risks have such serious implications that they are not accepted within the organisation?
“You need to have a tolerance, and it needs to be standardised. If it’s not standardised, you’re making ad-hoc decisions,” because you don’t have a clear framework for positioning different risks within your security strategy.
“Anything that’s outside the risk tolerance is unexpected. You already defined what your risk tolerance is — if it’s outside this, it shouldn’t be there.”
And with that determination of risk tolerance, you then have to recognise that it takes talented people to secure an organisation – and not all of that talent is in your cybersecurity team. This means that you have to communicate risk effectively across your organisation – so that everyone can get on board and contribute to the overall security posture.
So you need to make a story: “Risk is about how to figure out the plot of your story.”
Story is the exciting, engaging way to communicate risk. If you say ‘we need to replace some servers on the other side of the world because they’re not patched,’ no one cares. If you say ‘bad guys are going to get in through those servers and shut us down,’ they start to care.
Every organisation has a different story. So use your understanding of risk to work out how to tell it. The high-level risks that everyone in an organisation can connect to are:
And your risk acceptance curve, Rushing said, is your story arc: all risks fall somewhere on the curve, whether they’re not that serious (so you accept them) or very serious (so you don’t tolerate them). Your strategies for addressing risks are the way you bring resolution into your story – and you can weave your metrics into those strategies so that everyone in the organisation can understand how metrics will help them achieve the story outcome they want.
Use metrics to give the story a happy ending. Because if you do that, your organisation will understand how to apply those metrics to decision-making and operations.