Page 107 - Cyber Defense eMagazine RSAC Special Edition 2025

Instead, wouldn’t it be ideal to be able to tie the impact of phishing simulations to reduced blocked actions
            by the web content filters? This would demonstrate the value of the phishing simulations. If I had the
            appropriate mathematical models, I could look, for example, at attack paths and determine which
            vulnerabilities in an attack path are worth mitigating and which aren’t.


            This is just one example of the application of data science to cybersecurity. In the ideal world, all aspects
            of a cybersecurity program can be modeled. For example, if you want to determine the best use of your
            budget, you should be able to put it through a system that optimizes a given budget. If you want to
            increase your budget, you can model the impact of the resources you want to add to the program and
            then calculate the return on investment. This would serve to justify your requests.

            Likewise in times of budget cuts, when asked to cut your budget by a given amount, you can document
            the increased risk the company will incur with the budget cuts.

            At the moment, when most CISOs are asked what they would do with a budget increase or decrease,
            they would reply to the best of their abilities, but they would not be able to accurately model the impact.
            Again, a CISO is usually hired for their proven ability to manage a program.


            While this may all sound like science fiction, the reality is that the mathematics are available. I have
            criticized the broad use of the term AI. It is too vague to apply, and at its root, AI is essentially just
            mathematical algorithms, most of which have been around for decades. It is just now becoming more
            widely available, as AI algorithms require extensive processing capabilities that use big data sets. The
            processing power has become available, and we now have the required large data sets and the ability to
            query and process them.

            In cybersecurity, we have collected lots of data over the last few decades and it is available to CISOs to
            begin processing. There are now tools available, such as the CYE Hyver platform, that take in data
            available to a cybersecurity program, supplement it with proprietary and publicly available data, and apply a
            proven set of data models against the data to support decision making. Even if a CISO doesn’t want to
            acquire tools that can simplify the process, they can create a data science team that examines the more
            pressing questions a CISO has to answer. The resulting models may or may not be better than the
            commercially available tools, but they can be tailored to specific needs.

            The gut instincts of an experienced CISO produce defensible results; however, they might not be the
            best results. More importantly, gut instincts do not create defensible dollar values that a CISO can use to
            justify and rationalize their requests and defenses. Whether you choose to acquire commercial tools
            and/or implement your own data science program, it is critical you start. Again, you can be a true artist
            as a CISO, but you will be a better CISO when you become a scientist.














