If you have been following this column, you have probably recognized some recurring themes, one of those themes being that for everyone, especially IT personnel, continuing education is never finished.
Reactive
As adversaries continually discover and exploit security vulnerabilities in hardware and software, we as a community must learn about the technology that has been compromised and implement mitigation techniques, patches and any other form of risk reduction to attempt to thwart that attack. This approach is reactionary in nature and, so far, has not been working very well.
The number of data breaches and cybersecurity vulnerabilities continues to go up despite advances in preventive technologies.1 The ISACA® State of Cybersecurity 2020 report found that not only are attacks increasing, but they are woefully underreported to authorities.2 It is important to explore some possible root causes for this and the technology that can help.
Limited Memory
Another recurring theme from “The Bleeding Edge” is the age and lack of understanding of underlying information technology. The microprocessors we use today in most devices are still based on architecture from the 1970s. Likewise, the communications infrastructure and models that we use are from another time altogether. The Transmission Control Protocol (TCP)/Internet Protocol (IP) model will celebrate its 47th birthday this year.3 While there have been improvements and great innovation within these technologies, they remain, ultimately, unsecured and vulnerable.
As practitioners, we not only have to continually learn new technology and stacks of technologies, but also remember the foundational technology that enables innovation. In this remembrance, it is imperative to keep underlying security considerations in mind.
Theory of Mind
We know from different studies that everyone has different preferred learning styles and techniques that work for them. However, as advancements in psychology and understanding the human brain continue, it is becoming more evident that multimodal learning can help students learn subjects with increased comprehension.4 Utilizing emerging technologies to provide this type of training could be the key to ensuring that the members of our enterprises and workplaces truly understand cybersecurity and their roles therein.
AS PRACTITIONERS, WE NOT ONLY HAVE TO CONTINUALLY LEARN NEW TECHNOLOGY AND STACKS OF TECHNOLOGIES, BUT ALSO REMEMBER THE FOUNDATIONAL TECHNOLOGY THAT ENABLES INNOVATION.
The ability to conduct hands-on training from any geolocation in the world has been catalyzed by the global pandemic. We saw great strides in the use of artificial reality (AR)/virtual reality (VR) technologies for training purposes and I expect to see this trend continue.5 Likewise, AI and machine learning algorithms are helping students and trainees learn more efficiently with adaptive learning techniques, and even biometric devices to measure a person’s concentration levels during the learning process have been implemented.6 Embracing these newer technologies can not only help us learn and refresh on subjects, but can also help train others and bring better awareness to cybersecurity best practices.
WHILE AI WOULD USUALLY LEARN FROM US (OR DATA DERIVED FROM OUR BEHAVIORS), WE HAVE ALREADY DISCOVERED THAT IT CAN TEACH US JUST AS MUCH AS WE CAN TEACH IT.
Self-Awareness
There are four main types of AI categories (currently): reactive, limited memory, theory of mind and self-awareness. While AI would usually learn from us (or data derived from our behaviors), we have already discovered that it can teach us just as much as we can teach it. I certainly took some artistic liberties with the true meanings behind the different types of AI, but the lesson here is that we are continually learning from advancements in technology.
In a previous column,7 I compared AI discoveries to something that looks at our behaviors and amplifies the more prominent features, thus showing us some things that we may not have known about ourselves as a society. Cybersecurity is not all 1s and 0s—part of it is a human behavioral problem that we are trying to solve, so why not utilize every technology at our disposal?
Endnotes
1 National Vulnerability Database, “CVSS Severity
Distribution Over Time,” National Institute of
Standards and Technology, USA,
https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time
2 ISACA®, State of Cybersecurity 2020, USA,
2020, https://www.isaca.org/go/state-of-cybersecurity-2020
3 Cerf, V.; Y. Dalal; C. Sunshine; Specification of
Internet Transmission Control Program,
December 1974, https://tools.ietf.org/html/rfc675
4 Litonjua, E.; “What Is Multimodal Learning?”
eLearning Industry, 16 December 2020,
https://elearningindustry.com/what-is-multimodal-learning
5 Higginbottom, J.; “Virtual Reality Is Booming in
the Workplace Amid the Pandemic. Here’s Why,”
CNBC, 4 July 2020, https://www.cnbc.com/2020/07/04/virtual-reality-usage-booms-in-the-workplace-amid-the-pandemic.html
6 Open Data Science, “Machine Learning for
Education: Benefits and Obstacles to Consider
in 2020,” Medium, 24 December 2019,
https://medium.com/@ODSC/machine-learning-for-education-benefits-and-obstacles-to-consider-in-2020-4e8008dbd732
7 Brewer, D.: “Intelligence—A Not-So-Mediocre
Commodity,” ISACA® Journal, vol. 1, 2021,
https://www.isaca.org/archives
Dustin Brewer, CISM, CSX-P, CDPSE, CEH
Is ISACA’s senior director emerging technology and innovation, a role in which he explores and produces content for the ISACA® community on the utilization benefits and possible threats to current infrastructure posed by emerging technologies. He has 17 years of experience in the IT field, beginning with networks, programming and hardware specialization. He excelled in cybersecurity while serving in the US military and, later, as an independent contractor and lead developer for defense contract agencies, he specialized in computer networking security, penetration testing, and training for various US Department of Defense (DoD) and commercial entities. Brewer can be reached at futures@isaca.org.