1) Don’t have unreasonable expectations
Your data scientist can’t simply “science your data” or get a benevolent robot to machine-learn away all your problems (despite what industry marketing would sometimes suggest). Data science is a multi-faceted skill set. It involves (deep breath) understanding multiple data sets, applying the most relevant analysis techniques to them, delivering meaningful insights based on the question that needs answering, and then creating the right visualizations to communicate status and priorities for different audiences with different needs. All that takes a bit of time and patience on both sides. (Hmm, that robot sounds quite tempting now….)
2) Celebrate your differences
Recognise the strengths and knowledge gaps that are likely to exist between you. Security professionals have a lot of expertise in the domain of, well, security. And your data scientist has a lot of expertise in delivering insight through data analytics. Find ways to bridge gaps in understanding and knowledge quickly, so you can leverage strengths effectively to work in partnership. Also, be prepared for the possibility that neither of you understands the nuances in your data sets when you start working together. Just as you’re getting used to the constraints the data scientist faces because of the data they have to work with, so too is your data scientist coming to grips with new and usually complex log formats in an effort to see what’s possible.
3) Don’t focus on the bad stuff
Think of all the things your data scientist can bring to your life. Sure, there’s a lot of relevance for analytics in detection use cases (‘finding bad’). But there are also big opportunities for data science to identify, measure and metricise risks to help security teams escape ‘alert whack-a-mole’. For example, if you can deal with the root causes of alerts by ‘finding risk’ rather than ‘finding bad,’ you can gain a data-driven business case to either improve security controls that are not performing as they should be or to implement controls that are not in place.
4) Communication is key
Understanding the importance of communication and visualisation of insight from data is crucial. You’ll need different analysis for different people depending on their role. That means your data scientist needs to get a feel for the requirements of the CISO, control manager, IT operations, or C-Suite and then strike the right balance between conclusions and caveats depending on the decision the data-driven insight is supporting. Oh, your data scientist will want to do away with those 3D pastel-coloured bar charts from your quarterly reports. They will not be able to come up with one plot that everyone in your organisation agrees provides them with an accurate, easy-to-understand summary of the information they care about. And if they claim they can, you should question its validity!
5) Take it slowly and value the simple things
A surprising amount of insight can be gleaned from applying simple statistics, especially to a bulky data set that hasn’t previously been analysed. Don’t expect to dive straight in with machine learning. Counting, medians and interquartile ranges may not be as glamorous as ‘security robotics,’ but this is where the core of a meaningful relationship with data-driven decision making begins.

Finally, just remember: when you allow your data scientist to see your vulnerabilities, you know you’ve truly achieved a solid relationship. I wish you a secure future together.

To hear more about applying data science effectively to security, as explored through the example of vulnerability data, come hear my talk at BSidesLV – “How to avoid making your data science vulnerable to attack” on Tuesday, August 2 at 18:00.