Contrast the RSA Conference’s theme of the Human Element and the vendors’ theme of AI/ML appliances. This debate between intelligence augmentation and artificial intelligence has a long history, going all the way back to Douglas Engelbart versus Marvin Minsky. Let’s look at the history and look at the use cases for AI/ML in today’s security operations.
The staring red camera and chillingly calm voice of HAL 9000 inspired and unnerved a generation of IT people. It’s well known that Arthur C. Clarke drew inspiration from IBM to name HAL. But where did the 9000 come from? This traces back to the first Italian mainframe: the Elea 9000. Look at photos of the Elea 9000 and the HAL 9000 in Discovery One, and you will see some visual similarities too. The Elea 9000 had a certain beauty, owed in part to Ettore Sottsass.
Ettore Sottsass was a design consultant for Elea 9003 in the 1950s. In the 1960s, Sottsass would design the iconic Valentine typewriter. From the heights of technology, Sottsass turned his talent to furniture. Chairs. If you’re thinking that’s an odd choice, you’re not alone. Many asked him about this shift. “A chair must be really important as an object, because my mother always told me to offer my chair to a lady,” Sottsass reportedly said. And so he focused on chairs.
There is a lesson here for security. A fundamental is evaluating the value of an asset to determine what is at risk. Of the ways to determine this, the most common are what the asset generates for the organization and what it would cost the organization to replace it. Both measured in dollars. That’s great for computers and typewriters, but what about chairs? Put a different way, quantitative approaches overlook the significance people put on our tools. Securing by what we can measure in dollars leads to decisions which are blind to the human factors.
“I’m sorry, Dave. I’m afraid I can’t do that.” I get chills every time I hear that line. There’s something cold about mechanically making decisions based purely on numbers. When introducing human-centric design to our security programs, we must consider all the ways people determine value. Remember the subjective. Remember the chairs.
This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.
Security leaders have a bold vision. Leaders have a grand strategy. Leaders excite and engage people to get things done. Along the way, leaders make decisions.
This blog series is about making better decisions. IT security is a new discipline. But creativity and ingenuity are as old as humanity. Week by week, we’ll look to artisans, to architects, and to designers. We’ll uncover principles we can apply to lead and to design security capabilities.