Stop chasing after the magic security box, look at the people
In this heartfelt and emotional talk, Chani shares the reasons why we need to be human centric when designing artificial intelligence- enabled cybersecurity, where emotional intelligence and human values must be a primary consideration.
Hope for the best and prepare for the worst.
Wars have many different forms, civil, liberation and now cyber wars. I am no stranger to it. I grew up during the 80’s in Sri Lanka, where we faced a civil and a liberation war. It was probably some of the darkest times that Sri Lanka went through.
Several members of my family were killed and as a kid I didn’t really understand much about wars and who fought for what and why. But I do remember the fear, pain, sadness and anxiety very well. Constantly fearing for my parents’ safety and not knowing if they were going to come back home alive or in a coffin.
I have seen critical infrastructure destruction– a hydro power station was set on fire just a few yards from where we used to live and one time a car bomb went off near our house that knocked the front door flat on the ground and glass all over the place from the shattered windows.
Our pet dog died because the vets were threatened not to open their clinics. My poor puppy died in the back of our car. We couldn’t bring ourselves to think of having another pet for a long time after that.
When we travelled to school some days, we were asked to close our eyes because there were bodies floating in the river or burning in tyres by the side of the road, most of them young people. We would later find out that we even knew some of them. By the way, we didn’t live in the war zone, we lived in the city at the time.
The fear and disturbances were all over the country. It affected us all regardless of our race, religion, age or gender. This is just my story out of millions of other people that had to suffer the consequences of someone else’s war that we had no control of. That’s a hopeless situation be in. We had to constantly lookout for ourselves and take precautions to be safe. You hope for the best and prepare for the worst.
As a teenager, riding to high school, I passed this huge IBM billboard every day, displaying an advert of a lady working on her laptop. This might sound strange to you but this image inspired me to want to work in IT. The very first moment I laid my hands on a computer, I felt it would be the most powerful tool in the world for me.
Yes women can do security!
I enrolled in a computer science degree in the UK which taught me my 1’s and 0's, which I must say were not the most stimulating educational days of my life. But I persevered and managed to finally get that job at IBM. This further led me to specialise in security. I’m still teaching myself to be the best hacker that I can be, but it’s not easy and it’s nothing like what you see on TV. There’s no way I can type crazy fast while looking at 10 screens and navigating through fancy 3D graphics. Oh, and I’m definitely not the hoodie wearing type, because I love fashion! That’s for Hollywood!
I was told that security is not for women and I should stay at home to make babies. But here I am, not only talking about security, but doing it and loving it while running my own award-winning security company. Yes women can do security!
A hard lesson for me to learn when I moved to the UK, was that I found out, here I was a coloured female with an accent. What we call “the minority” especially in the IT industry. Looking back, I think it was maybe one of the best things that happened to me.
When people treated me like I don’t belong, I learnt to integrate.
When people bullied me, I taught myself not to be like them.
When people gave me excuses, I decided I would take responsibility for my actions.
When people judged me based on their assumptions, I trained myself to ask questions and make decisions based on facts.
I realised that no matter how educated you are, we can still do really stupid things if we are not emotionally intelligent. When things go bad, if we don’t have the emotional resilience, it can mentally break us. I believe cybersecurity professionals are no different to doctors and soldiers. Every one of us in the security industry are fighting their own battles to keep people and their data safe from cyber crime and cyber warfare. If we don’t have hackers or cybersecurity professionals, we won’t find the weaknesses cyber criminals exploit to cause harm. We will never find who is plotting a cyber-attack against us and we will never know how to protect and defend ourselves in cyberspace.
What separates a hacker from a criminal is having solid values and ethics, combined with emotional intelligence. The same as a doctor deciding to harm you or treat you. Same as a soldier deciding to kill you or defend you.
In the past, nations were dealing with kinetic wars where they knew exactly who they were at war with, because it’s often declared. They knew their geographical boundaries; what military personnel and weapons they needed and understood the possible impact and damages it could wrought on their country. Today, most warfare is non-kinetic warfare, such as in cyber-attacks where we don’t often see it as declared. It takes time to find out who is actually attacking, what weapons, tools and technology are being used. The predicted damage and impact is often massively underestimated until it is too late and the damage is already done. I think that World War III has maybe already begun, and it is affecting us already. It’s a matter of time until we end up suffering the consequences of someone else’s war if nothing changes soon.
The rapid advancement and diversity in technology has not only introduced good things to make our lives easier, but it has also introduced a complex and evolving threat landscape. By the time organisations have adapted and taken precautions, the threat landscape had already changed. It’s become a constant game of playing catch up, with cyber attacks becoming an ever more common occurrence.
Here are some interesting statistics:
· Cyber criminals attack every 39 seconds, on average 2,244 times a day. (University of Maryland)
· 34% of data breaches involved internal actors. (Verizon)
· 61% of organisations have experienced an IoT security incident. (CSO Online)
· There were 100,000 groups in at least 150 countries and more than 400,000 machines that were infected by the Wannacry virus in 2017, at a total cost of around $4 billion. (Technology Inquirer)
· 90% of remote code execution attacks are associated with crypto mining. (CSO Online)
You might think that you have nothing to hide or money to lose as a result of a data breach, but for criminals there is always some value. It could be as simple as hijacking a laptop and using it as slave node in their botnet or mining crypto currency using your computing power or hiding their child porn. It’s not about having nothing to lose it’s about protecting what you have and your way of life!
In the past IT often came in a box and people still have this false perception that privacy and security also come in a box, but does it? I wonder what this magic box is? Organisations are wasting millions trying to buy what they think is the next ‘magic security box technology’ and ignoring the “big elephant in the room”. It’s people! But people can be difficult and reporting on people stats maybe doesn’t sound so sexy in the boardroom. We all like finding the easy flashy fix. We have 7.7 billion people on our planet, and it’s estimated to pass 8 billion by 2023. So why are we still ignoring this?
I often hear these types of excuses during my audits:
· When I ask who does your security? It’s our IT team. Oh! No conflict of interest there then.
· When I ask how do you know your data is safe? Our data is in the cloud so it’s safe! So basically, you’ve outsourced your problem to someone else and hoping for the best.
· When I ask is your IT infrastructure secure? We use Apple so we are secure! I’m not even going to comment on that one.
· You had a security breach, what did you do? We fired the IT engineer! They made a mistake! Is that the culture we want to create in your organisation? Do you disown your child whenever they screw up? No! We teach them how to be better. We provide education and demonstrate to them good ethics and values.
Excuses, excuses … the list goes on and who are we kidding? There are two main elements in security that we should look at. The functionality and the assurance requirement. If you implement a security control, then you need to test it actually works as expected. Otherwise a false sense of security is a ticking bomb waiting to go off!
When I say you need to train your staff on security – I often hear, we don’t have budget! But they are quick to invest on flashy sexy tech, and reluctant to invest in people. Business leaders don’t realise that the effectiveness of such technology relies on their people and the process they create around tech.
How are we going to handle things when they go really bad?
Are we going to replace people with AI? Is AI ever going to be clever enough to make human decisions?
To make a mistake is human, but to really foul things up use an AI. Is that what we are going to say in future?
The world’s population is increasing, along with cyber threats and the Internet is the new wild west. How are we going keep ourselves safe? I don’t think the human element can be ignored any longer. It’s time to focus on empowering the human and making them the strongest link.
Today I’m not bothered by what people think of me. I care more about what I do and how I can make things better. I strive to improve myself, to be someone better.
Race does not matter to me, gender does not matter to me and neither does someone’s religion.
What matters to me is that we are all human beings and we treat each other with respect.
What matters to me is trust, integrity and commitment, my values.
What matters to me is, can I trust you and do you feel you can trust me?
This needs to start within and at home. If we can’t even change ourselves, how are we ever going to change the world to fight cyber crime.
Cybersecurity is everyone’s responsibility. That’s why I believe we need emotionally intelligent cybersecurity leaders. Are you one?