The term artificial intelligence (AI) is talked about a lot in cybersecurity and AI technology shows great promise in applications such as intrusion detection and prevention, fraud detection, user and network behavior analytics, as well as spotting potentially malicious activities like data exfiltration or credential misuse. What excites security teams about AI is its potential to act as a force multiplier for resource constrained teams lacking in manpower, allowing them to intelligently automate their workflows.
There are exciting times ahead for AI fans in the information security industry and I can see the fusion of AI and cybersecurity fundamentally changing the way we do things. I think the brightest use case by far is the fusion of AI and cyber training that allows you to properly train large amounts of people and the most compelling part of this idea is the fact that the greatest ROI to be found in a security budget comes from your investments into employee cyber training. A recent report finding that the ROI of cyber awareness training can be as high as 50x the original investment.
When it comes to cybersecurity your employees are your first (and last) line of defense, arguably the most essential part of your overall cybersecurity posture, technology solutions alone cannot ever hope to keep pace with a dynamic threat landscape. Investing into the latest cybersecurity technologies may make you feel safe, those investments do not address the fact that the root cause of most cyber threats is not technological, but human weaknesses. Cyber attackers target the people in your organization before they attack your technology infrastructure.
Compounding this problem further, most organizations investment in cybersecurity training programs is severely lacking and this is reflected in the fact that the prevailing cause of cybersecurity breaches can be put down to human failure.
Best practice dictates that every employee in your organization understands their role and responsibilities when it comes to maintaining cybersecurity, but one is universal: each employees must be trained to recognize potentially suspicious or malicious activity in the workplace.
This concept of ‘sense something, do something’ makes every employee an essential part of your cybersecurity defenses, and it is powerful practice as evidenced by the recent defense against the SWIFT banking hack. In this cyberattack $81 million was stolen, but much greater losses were foiled by an alert and cyber aware banking clerk in Germany who recognized a misspelling in the account transfer instructions.
When I say that all of your employees need to understand their role and responsibilities and be trained to recognize cyber threats, I do mean all of them and this includes your board members, your executives, senior managers and employees, right down to the janitor who needs to be able to spot infiltrators.
It is not enough just to train your own people, you also need to train the individuals within third party contractor, consultant and vendor ecosystems that engage with your supply chain IT infrastructure too. We have seen third party contractors and vendors enable a number of high profile cybersecurity breaches in the past, including Target and Home Depot, among others. When you consider just how large, geographically spread out and dependent on third party ecosystems some organizations are, you grasp how expensive and extensive an undertaking such as cyber training all of the people in the organization could be.
It is easy to understand why lots of executives instead prefer to invest in the latest technologies to keep them safe rather than invest in real and comprehensive cybersecurity training for their employees, especially within large organizations. An effective cyber training program covering every employee in the company needs lots of patient teachers to properly deliver the program if it is to be effective, absorbed and converted into learning by your employees.
Nor is it enough to hold an annual cyber training meeting or webinar, cyber security training programs need to be an ongoing process which evaluates and continuously shortens the cybersecurity ‘knowledge gap’ in each individual in your organization and this is where the cost and complexity in cyber training programs can really bite large organizations. Faced with a choice between the latest technology and hiring lots of full-time cybersecurity teachers to train your thousands of employees, many organizations invest in the technology and pay lip service to cybersecurity training.
Soon though organizations may not have much of a choice as regulatory cybersecurity requirements tighten up around them and regulators force them to adopt more rigorous training programs. The latest financial services regulations for example require businesses to “provide regular cybersecurity training for all personnel” and this trend is likely to continue across other industries, driven by industry regulators and government organizations who want to close your organization's cybersecurity knowledge gap.
All of the above factors are why I think that artificial intelligence is going to play a huge part in cybersecurity training over the long term. People are always going to need to be trained and have their training regularly refreshed and updated in line with a dynamically changing threat landscape, this requirement is never going to go away and increasingly organizations large and small will be looking for cyber training solutions.
I think this is where AI will really begin to shine in the cybersecurity space and come into its own as AI based cyber training helps us move the needle against cyber attackers. AI promises to provide personal attention to each of your employees and provide them with exactly the right amount of training to fill in their knowledge gap, the space between what they do and do not know about cyber threats.
My goto company in the AI learning space right now is Volley, primarily because they have what I think is the best handle on the cybersecurity training problem. You may have heard of Volley before, they are talked about a lot because of their recent financial backing from JP Morgan Chase who invested a significant sum into the company. Volley is also backed by Zuckerberg Ventures and Goldman Sachs.
That is not why they are my training solution of choice though. What I like most about Volley is that they have solved the three big problems in cyber training; knowledge, cost and scale. These are worth drilling down into deeper because they are the exact problems which all of us face in cybersecurity training.
Knowledge - Before you can train your people you need knowledge to train them with and as with most AI, the AI is only ever as good as the data it consumers. Before launching a training program the training course materials must first be planned out and drawn up for later use, this can be a huge challenge in itself as training materials need to be tailored to your own organizations unique threat model, internal processes and regulatory requirements. Training also needs to be industry specific and knowledgeable about the bigger industry wide picture.
This represents a formidable challenge and a large, ongoing, content creation project and this is where Volley really shines. Their AI learning engine is able to automatically and intelligently consume publicly available information from inside and outside of your organization and then use that to compile your training materials as part of an ongoing and continuous process.
Volley's AI learning engine goes out and gathers up all of the publicly available information you need, combines that with information and data from inside your organization and creates your courses, original AI produced training materials.
Cost - Training large amounts of people in a complex and geographically dispersed organization traditionally costs serious money. As I mentioned the knowledge first needs to be generated which can be expensive in itself, but then you have to hire training professionals to deliver the training to your employees on a regular basis, evaluating them individually and making sure that their knowledge gap is properly addressed on an individual basis. I think this is where Volley really makes an impact, by significantly lowering the costs of cyber security training when compared to traditional training delivery models, while at the same time increasing the quality of the training by focusing on individuals.
Whereas before you needed to hire a trainers, or outsource the training to a third party contractor, now you can deploy Volley into your organization and let their AI set about training each of your employees, evaluating their performance over time and ensuring their knowledge gaps are never too wide and always updated.
Volley’s AI learning engine is a huge force multiplier and it allows you to deliver personalized, individual and self-paced training to your employees.
Scale - Within large, complex organizations scaling your training program can become an issue, as can evaluating each of your employees individually and monitoring their knowledge gaps. In order to properly and effectively deliver ongoing training to your employees you literally need to build a large and sometimes global training department to deliver it.
This again is where Volley shines and allows you to deploy cyber training courses to individuals, departments, branches and divisions across your organization no matter where they may be located which is huge when you think about it. Whereas before you had to send trainers out to each office location, with Volley you can deploy training across your whole organization at the same time.
Volley’s AI learning engine is massively scalable and can scale up to accommodate even the largest and most complex organizations in highly regulated industries.
I believe that cybersecurity training is where we will see AI really grow wings and take flight over the short, mid and long term, because it is a place where it can clearly have a huge impact on the effectiveness of an organization's overall cybersecurity posture. I think that Volley are best suited to take advantage of this and absolutely love the way their AI learning engine gathers the knowledge you need, converts it into personalized training courses and then delivers that training to each employee individually in a cost effective way over the long term.
Of course it doesn’t have to be Volley underpinning this fusion of AI and cyber training , but they seem to be the leaders in the creation and teaching of this kind of knowledge, especially at large scale for complex organizations.
Little is known of Volley’s proprietary “natural language understanding” technology, but people I have spoken to who are familiar with the product have called it “one of the more creative uses of this technology in the market” and a “future knowledge fabric for complex firms”, something I wholeheartedly agree with. I recently had drinks with Volley’s founder and CEO Carson Kahn who insisted that they will stay independent, noting, “There’s too much value to risk getting absorbed by tech players more focused on advertising or data mining than on impact.”
Although they are independent right now, it is only a matter of time before much larger technology companies catch on to the hugely compelling fusion of AI and cyber training and realize that Volley are ahead of the game. I know that the company has received significant acquisition interest from large organizations who want to double down on this kind of artificial intelligence and cybersecurity play.
I certainly cannot blame them, as the cybersecurity space hots up during the course of 2019, cyber training is going to become increasingly important and enforced by governments and regulators in an effort to stem the tide of cyber attacks and against this backdrop an AI learning startup like Volley makes a lot of sense.
This is why I think that 2019 will be the year of AI based cyber training and from where I am standing Volley is perfectly poised to take full advantage of everything the year has to offer. Watch the market for movement and competitors to Volley spring up and play catch-up, there is going to be lots of activity in this space.
For transparency purposes I do not own equity in this company, nor have I been paid for this article, but I do move in the same circles as their CEO, I am a fan.