The CISO Speaks: Jim Routh of MassMutual on How Analytics and Machine Learning Are Altering the Cybersecurity Landscape

Posted by Tony Kontzer

We have entered an era in which the rules of cybersecurity are changing. Enterprises have unprecedented abilities to collect and analyze data via analytics, and to automate the application of that data via machine learning and other categories of artificial intelligence.


Unfortunately, cyberattackers have access to the same tools and capabilities and are often using them just as effectively as enterprises, if not more so. In such a paradigm, enterprises must do everything they can to stay one step ahead, using emerging technologies in creative ways that can create obstacles for bad guys, and in doing so, protect the precious data that's at the core of this conflict.


Not surprisingly, a recent Forbes survey of CISOs found that 45% plan to shift their cybersecurity efforts toward analytics that feed automation via artificial intelligence and machine learning. That number seems likely to rise as more CISOs come to see this trend as inevitable.


With that backdrop, we figured this was the perfect topic to explore in our ongoing series, The CISO Speaks. In this installment, Jim Routh, CISO for MassMutual Life Insurance Co., shares his perspectives about the growing role of analytics and machine learning on both sides of the front lines, and how MassMutual is approaching the issue. What follows is a lightly edited transcript of my email interview with Routh.


Q: What roles are emerging technologies such as analytics and machine learning playing in MassMutual's cybersecurity efforts?


A: The application of machine learning algorithms driving frontline security controls is part of a continual evolution for all enterprises that is found in security vendor products, as well as bespoke models customized for online fraud prevention and management. We design new security controls based on changes in threat actor tactics that ultimately use data science to create friction for threat adversaries while improving the digital experience for consumers.


Q: What's going on that necessitates this? To what extent are the bad guys using analytics and machine learning against you?


A: Threat actors are continuing their use of data science to harvest consumer demographic and personal information through botnets that attack web applications and APIs for mobile applications, and through credential stuffing attacks. It is reasonable to assume that the trend of threat adversaries using data science will continue, and thus the use of data science by an enterprise for information protection is essential.


Q: How do you decide when/how to apply analytics and machine learning? What makes one or the other better suited for a certain task?


A: MassMutual shares specific purpose-built use cases with early-stage companies willing to develop game-changing capabilities to satisfy these unique use cases. We then work as design partners with the companies to refine the capabilities and ensure enterprise-wide scalability through multiple iterations, proving out the technology prior to implementation. The most common use case involves the comparison of behavioral-based attributes to a baseline or established pattern, resulting in a deviation score that can be aggregated across multiple attributes with specific treatment strategies. It turns out that there are hundreds of security-related use cases that can leverage this specific aspect of data science applied to many different platforms, like identity and access management, privileged user management, or authentication across channels.


Q: How do the results you're getting with these technologies compare with what you experienced prior to using them?


A: Learning from the application of emerging technologies is a continuous journey. Initial failures often accelerate the learning, and innovation results from the process of learning through failure. It’s part of the package of trying new concepts and ideas for controls that increase threat actor friction.


Q: What surprises has the use of these technologies unearthed? What unexpected benefits have you reaped? What unforeseen challenges have you come up against?


A: I used to believe that using data science to uncover patterns in analytical data and drive more effective decisions on the allocation of scarce resources to the highest risks represented the highest level of maturity in a cybersecurity program. I was wrong. Using data science to drive specific and situational outcomes from frontline security controls is far more effective and sustainable than simply creating better reports that ultimately require people to take action.


Q: How do you envision the roles of analytics and machine learning evolving in your security operations?


A: We are collecting and cataloging different use cases driven by models that will be in the hundreds over the next few years, applied across multiple platforms. Data science is an essential tool/capability today and will continue to be a core competency for risk-driven cybersecurity programs in the future. Today, enterprise cyber-programs can choose to apply machine learning-enhanced capabilities to areas like endpoint protection, botnet protection, and online fraud detection and prevention. These are examples where vendors today offer a mature machine learning capability within a software product. They do not include bespoke model development or sharing of machine learning models between enterprises, which will also be an option for enterprise security in the near future. For MassMutual, data science is a foundational component of the cybersecurity program and core to our business strategy. 
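
The baseline-comparison pattern described in the answer on use cases above (behavioral attributes compared to a baseline, deviation scores aggregated across attributes, then mapped to a treatment strategy), sketched as an added example that is not part of the interview and not MassMutual's code. The attribute names, weights, thresholds and treatment names are assumptions chosen for illustration, and the baseline data is constructed.

```python
from statistics import mean, pstdev

# Constructed baseline: prior observations per behavioral attribute for one user.
BASELINE = {
    "login_hour": [8, 9, 9, 10, 8, 9],
    "keystroke_ms": [180, 190, 175, 185, 182, 188],
    "session_min": [30, 35, 28, 32, 31, 34],
}
# Assumed weights and thresholds; a real deployment would tune these per use case.
WEIGHTS = {"login_hour": 1.0, "keystroke_ms": 2.0, "session_min": 1.0}
TREATMENTS = [(1.0, "allow"), (3.0, "step_up_auth")]  # (upper bound, action)
FALLBACK = "deny_and_review"
CAP = 6.0  # bound each attribute's deviation so one extreme value cannot dominate


def attribute_deviation(history, observed):
    """Distance of one observation from its baseline, in standard deviations."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:  # perfectly constant baseline: any change is maximal deviation
        return 0.0 if observed == mu else CAP
    return min(abs(observed - mu) / sigma, CAP)


def deviation_score(baseline, event, weights):
    """Weighted mean of per-attribute deviations; attributes absent from the event are skipped."""
    scored = [(weights[name], attribute_deviation(history, event[name]))
              for name, history in baseline.items() if name in event]
    if not scored:
        raise ValueError("event shares no attributes with the baseline")
    return sum(w * d for w, d in scored) / sum(w for w, _ in scored)


def treatment(score):
    """Map the aggregated score to a treatment strategy."""
    for upper, action in TREATMENTS:
        if score < upper:
            return action
    return FALLBACK


if __name__ == "__main__":
    for event in (
        {"login_hour": 9, "keystroke_ms": 184, "session_min": 33},   # typical
        {"login_hour": 11, "keystroke_ms": 190, "session_min": 36},  # somewhat off
        {"login_hour": 3, "keystroke_ms": 90, "session_min": 2},     # far off
    ):
        score = deviation_score(BASELINE, event, WEIGHTS)
        print(f"{event} -> score={score:.2f} -> {treatment(score)}")
```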

Tony Kontzer, RSA Conference
