In this week’s episode, Peter Coroneos returns to the show in order to take the BS out of cyber and help us focus on what’s most important.
There’s so much noise around cyber – and it seems that not a day goes by where someone, somewhere adds to it. This week, Peter Coroneos, International VP of the Cybersecurity Advisors Network (CyAN), jumps back into the hot seat to take the BS out of cyber.
There’s a comparison about the cybersecurity industry being almost like the Dutch tulip bubble. Is cyber going to crash and leave only the best players behind?
Well, it kind of feels like it. You could say the same about crypto as well. We’re seeing a few things proliferating in tandem. And, of course, the Dutch tulip bubble was the first historical precedent we had for this, and we often referred to it during the dot-com boom. We wondered whether it was just another Dutch tulip speculative play where exuberance had taken over, rationality was in the back seat, and things were getting funded left, right and centre, irrespective of their business model or their profit plan. And of course, we did see that.
Unfortunately, there were a lot of good ideas that emerged during the heady days of 2000, when the dot-com boom really hit its stride. The shame was in the lack of discipline in the market, a lack of rigour in the way things were being invested, and also the unrealistic payback periods that the investors were looking for. That caused a lot of good ideas to falter. It kind of feels like the destruction of the Library of Alexandria. Historically, when human knowledge is lost, we all suffer.
That was one of the lessons for me during the dot-com crash. It was, in a way, a kind of relief because there was a lot of bad stuff out there that was just never going to add value to any kind of human problem. But there were also a lot of gems that we lost.
So for today, how do we get good products to market in a way that they can sufficiently stand above the rest? Also, how do we get the buyers, the CISOs in particular, who are so overwhelmed by the noise to the point where it’s affecting their own mental health? What can we do to bring them an easier life, where the decision-making is a little more rational?
Cisco gave a presentation a couple of years ago where they said that the average mid- to large-sized organisation can have up to 60 different cybersecurity products in the ecosystem. And then, of course, the more products you add, the more complexity you add – they don’t always talk nicely to each other. So there’s a whole lot of issues that arise simply through the proliferation of solutions out there. CISOs are trying to manage so many areas of risk, some of which aren’t particularly human risks. So you need to have a broad spectrum of this layered-defence approach. But at what point do you say enough is enough?
Can you talk about the applications of AI and removing humans from some of the conversations, particularly around generalised AI?
There’s no generalised AI yet, although it’s been promised for decades. I presume with enough computing power and enough people researching it over time, we will eventually get to some approximation of generalised artificial intelligence, but definitely we’re getting much better at building intelligence into products and services. That’s already happening.
It’s one of the hot areas of innovation, isn’t it? The whole automation piece. So I think we should expect that evolution to continue. With machine-learning systems and particularly self-learning systems, you would obviously expect that trajectory to accelerate as well. It’s foreseeable that within the next 10 years, you will have fairly capable intelligent systems that will supplement, if not replace, a lot of human processes.
For us in cybersecurity, that’s probably the great hope. I’ve been thinking about this a lot over the years. What can we do to make humans take a more conscious approach to the use of technology and the decisions they make? Even phishing emails are a classic and still very current example, but the bad guys are getting so much better at exploitation.
A couple of years ago, we reached the tipping point where the average technology user is now probably unable to distinguish between a benign communication and a malicious one. We’ve already lost that battle. The question now is: do we use machines to take up the slack, or do we have to somehow modify humans?
What is specifically driving the cybersecurity industry, in your opinion?
It’s tempting to say fear and greed. If you’re an investor, then no matter what you choose to invest in – whether it’s pork bellies or concentrated orange juice or cybersecurity – it’s really the perception of the growth and the return you’re going to get against the risk of the investment. The dynamic is fairly constant.
But I’m far more interested in the people within our industry who are trying to think through better approaches. So in terms of the innovators themselves, I honestly still see a very strong ethic around making the world a better place. I see it very strongly, even within our CyAN membership.
This kind of echoes what a cultural anthropologist was saying, as part of their analysis. I said to them, “Well, why do these people stay in the technology industry if they’re so miserable, if it’s so difficult?” And they said, “Because they all have one thing in common: they all absolutely believe that the thing they are working on is genuinely going to help humanity.”
There’s some really interesting research that’s come out of one of the main US universities on attracting talent in the Fourth Industrial Revolution – because we’re talking Gen Z here, where the classic loyalties generally don’t apply and there’s a lot more mobility with skills. The research found that if you want to attract the best people into your sector or your company, you’ve got to provide three things.
One is the capacity to master whatever it is they’re working on; a degree of mastery over the subject matter so they can get really good at something. Second is to be part of a team environment where there is stimulation and other people who can fuel that innovative juice; they need to feel they are working as a collective towards a common goal. Third, they need to have some higher purpose to what they are doing – beyond just money and professional success. They have to actually believe that what they are working on is objectively good for humanity.
The reason for that is that we all need a purpose here on Earth, other than just retiring to a vegetable garden. For these younger people who are coming through – the best and brightest, as it were – they want some social dimension to what they’re doing. They want some sense that this is actually improving the human condition.
So in terms of getting rid of the BS, maybe we can come back to a values discussion about what it is that we stand for as a company, as a sector. Not just words. How do we demonstrate that in an authentic way? Maybe there is some capacity to break through the noise to our actions in supporting the humans that are both our market and also our collaborators.
Want more insight into the world of security, identity access management, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app.