MIRcon: What the Cosmos can Teach us about Security

A few people have asked me what central theme and message stayed with me after last week’s MIRcon. I would say that Dr. Neil deGrasse Tyson’s keynote resonated with me and matched the central theme I felt during the conference; allow me to explain.

During his keynote, Dr. Tyson spoke to us about science and, specifically, about how the scientific method allows us to objectively overcome our natural human biases. In other words, science is about forming a hypothesis, testing that hypothesis through accurate measurement, and reaching an objective conclusion based on the observed data. Security is the same, or at least it should be.

In the security domain, we don’t always take advantage of and apply the rich foundations of knowledge and expertise that exist in other domains. Often these other domains are far more mature than our own. I can think of no better example of this than science. For hundreds of years, scientists have used an agreed-upon, methodical approach to advance the state of science. We can learn a lot from this conceptually and apply it to the security domain.

At MIRcon, the presentations I saw and the discussions I was fortunate enough to take part in indicated to me that we have begun to approach the security domain far more scientifically. Gone are the days of emoting and guessing – the problems are far too complex, the data too diverse, and the attackers too sophisticated. As a profession, we have begun to demand a far more scientific approach to the security domain than was historically the case.

The atmosphere at MIRcon was invigorating. Security professionals have tired of unsupported hypotheses – we are ready for a more formal approach. Today’s challenges require a more scientific way of thinking. We need to explicitly identify and enumerate the challenges we are facing in the field, hypothesize the solutions to those challenges, test those solutions through accurate measurement, and reach objective conclusions about the merits of those solutions.

There is no shortage of recommendations, beliefs, and hypotheses in our field. But are they accurate, do they solve security problems, and do they address the challenges of the day? The answer to those questions needs to be evaluated scientifically, rather than debated in the absence of accurately measured data.

Security has evolved from a niche profession to a mainstream one. As such, our work must stand up to the same rigor we would apply to any other profession. Any other approach would simply be unscientific.