Many in the InfoSec community are currently making a major mistake by dismissing the ML/AI craze as hype. There are two main causes for this reaction.
There are a ton of InfoSec vendors who are claiming to have AI when they really don’t.
The InfoSec community loves to call bullshit on things. It’s like a sport or a religion.
The problem is that it’s detrimental to not just the InfoSec community, but to the customers it protects, when there’s a narrative of ‘that’s just hype’ being spread throughout the industry.
It makes people blind to what’s actually happening, which is extremely significant.
The argument for taking AI seriously
Let me start by saying there are two different claims here. The first is that AI is about to completely dominate the InfoSec world, and the second is that AI is massively impacting IT and business.
I believe the first to be an overstatement, and the latter to be true, obvious, and important.
It’s true that AI will start to creep into InfoSec, and that it’s already started. But this is likely to start in SOCs, with some basic analyst and incident response type work. It’s not going to have a massive impact on jobs in the sector in the next 1-5 years because the problems are not fully defined yet.
So I agree with the skeptics about AI and InfoSec: at least in the very short term.
But in the greater world of IT and business, AI is already very real, and highly significant. Dismissing AI as hype in this arena is the product of not paying enough attention and/or having a bit too much of a curmudgeon bias.
Stop it. It’s hurting you, not helping you. And not just you—the customers you protect as well.
Here are some examples of how AI capabilities have surpassed those of humans in just the last few years.
Computers can now identify people from images better than humans can.
Computers can now find issues in X-Rays better than humans can.
Computers can now identify melanoma on skin better than doctors trained to do the same task.
Insurance companies have fired their analysts and replaced them with IBM Watson.
AI has beaten us at Chess, Go, and are about to surpass us in Poker as well.
Amazon has 30,000 fulfillment robots working in its factories, and those jobs would have belonged to humans just a few years ago.
Major financial companies have replaced most of their financial analysts with a team of programmers who are building AI that out-performs the humans they replaced.
The stock trading floor used to be people making realtime trades, and now it’s mostly done using AI.
This is happening.
But the fact that it’s happening is just the minor point. The major point is the speed that it’s taking place.
Unsupervised Learning — Security, Tech, and AI in 10 minutes…
Get a weekly breakdown of what's happening in security and tech—and why it matters.
10 years ago we didn’t think AI could do anything. We thought it was junk science. We thought humans just had a native ability to recognize faces better than computers, and it was one of those things that could never be crossed. Like the speed of light.
Now that’s a joke. Then X-rays fall. And Go. And Poker. Financial analysis. Stock trading.
In internet time it’s been like 12 minutes. We’re not even starting. We’re just starting to start.
So, no. It’s not cool to just look the other way and laugh and call it all crap. It’s funny, and makes you look smart to people who also don’t follow what’s actually happening, but it doesn’t help you or the people you’re looking out for.
AI is very real, and it’s having a serious impact on human jobs and business as a whole.
It might take a bit longer to impact InfoSec, but that doesn’t matter. InfoSec was never about InfoSec itself. It’s about business, and people, and society as a whole. And those are the things that AI is affecting.
The sooner you take it seriously the better prepared you’ll be.
Laugh less, read more.
[ Aug 19, 2017 — Here’s an interesting discussion with Dave Kennedy and others on Twitter on this topic. Link ]