Man vs. Machine: Investing Your Security BudgetBy Guest Author | Posted 2017-06-01 Email Print
Companies mulling their cyber-security spend should put less weight on employee education and more on advanced solutions—including artificial intelligence.
By Rick Grinnell
The typical enterprise chief information security officer (CISO), who usually has a finite budget, is often confounded with the challenge of balancing spending on technology with spending on training and process.
In conversation after conversation in my business, I hear these questions: “After spending a fortune on security products for my company, why am I still seeing so many incidents? Should I have bought better security products from a different vendor? Or would I be better off spending the money on better employee training and processes?”
It's easy to conclude that a new approach should be adopted, simply because the last generation of deployed defenses didn’t stop the most recent attack or data breach. And some experts suggest that better processes will outperform better products, claiming that more intensive employee training, better incident response, more thorough code reviews, etc., are more likely to close the security gap than new defensive solutions.
Certainly, human behavior could be dramatically improved. Recent reports assert that human error or unintentional human behavior account for a large percent of data breaches. Consider the breach of the Democratic National Committee’s communications during the 2016 elections, which was the result of a typo in a staff email.
Human nature being what it is, even the best-intentioned attempts to improve employee behavior will fall short. Think about it: We all know that the way to lose weight is to avoid overeating and to exercise. Yet how many people do this? There are a number of activities that we are told to avoid in order to stay healthy, and yet we ignore this advice.
Thus, it is my strong belief that education may be compelling, but some employees will simply ignore the guidelines and processes. Mistakes and errors will always happen—as will the truly malicious attacks that no amount of training or process can stop.
That’s why forward-thinking companies mulling their 2017 and 2018 cyber-security spend should put less weight on employee education and more on advanced solutions—including advanced artificial intelligence (AI) technologies—that can make up for the human oversights and errors that can cause breaches in the first place. Ideally, you should have both employee security training and AI-based security in place. But if you have to choose just one, I would go with the latter.
How Artificial Intelligence Technologies Can Help
Let’s assume that 99 percent of your employees are intelligent, rule-following people who understand how important security is. These are the employees who know that when they receive an email asking for their password, they should contact IT before clicking on a link, even if the email looks legitimate.