Metrics have always been the Achilles' heel of security, but this data can be used to our advantage.
This was the word from Hugh Thompson, programme committee chair for the RSA Conference, who gave a keynote address on day two of RSA Europe in Amsterdam.
Big data, analytics and statistics allow us to learn real truths of what is happening in this industry, said Thompson. "This involves moving from superstition and precedent to real data-driven decisions."
According to Thompson, 20 years ago, baseball teams would make a multimillion investment in a player based entirely on the opinions of a couple of people. Today, statistical analysis is a huge part of the baseball player selection process, with experts drawing on data around everything from a player's pitch speed to their batting stance.
"This transition is an important one to think about, as those who adopted this approach early on were able to outperform their competitors," he said. "This is evidence of the sport moving from opinion and limited fact to it being run much like a business."
Similarly, a few years ago, when a person opened a bookstore, they were in charge of selecting what books the store would offer to the public, Thompson said. Today, as a result of changes in commerce and the emergence of online retail, sellers can use very strategic analytics to better cater to the likes and dislikes of their customers.
In the same way that these industries have moved away from gut-based decision-making to a statistics-based strategy, the security industry must embrace the benefits of analytics.
"I would argue that, in this transition from pre-analytics to post-analytics, the security intelligence industry is still in the pre-analytics phase," he said, noting that many of the responses to the attacks we see today are reactionary.
Embracing analytics in security is about differentiating between the things we need to take a hard line on and those we think are risky, but can't really say so for sure, he said, pointing out that this is where big data comes in.
Analytics should not just be about threats and anticipating an attack before it happens, but should give the organisation the ability to make better business decisions, said Thompson. "This will see the industry being more agile and better aligned with the business' needs in spite of the fact that we are in the most threatening time in security's history."