Cybersecurity and the Riemann Hypothesis
I was taken with an article I read recently, on a seminal construct in mathematics called the Riemann Hypothesis. The article talked about how researchers at Emory University had made progress toward proving that a central concept – one that has existed in mathematics for 160 years and upon which so many other mathematical principles are based – is in fact true.
I don’t claim to fully understand the significance (although I’m sure that many of our data scientists could teach me), but the core of it is about counting prime numbers. Many important mathematical ideas are based on the belief that the Riemann Hypothesis is true, and the concept is so important to the field that there is a $1M prize for anyone who can prove or disprove it. As a business leader, the basic story caught my attention because it reminded me of what we see so many times in business and technology: relying on the validity of one unproven premise as the basis for another. The results can have both good and bad consequences.
Let me give you a couple of examples.
In the 1990s, the telecommunications industry went through a merger craze when fiber optic technology deployments became widespread. Companies found plenty of capital available to invest in long-haul data capacity to meet the expected demand for internet growth, and Wall Street gave rich valuations to public companies that invested in internet capacity. Dark fiber, switching, and data center companies drove the acquisition fever that swept the industry because high valuations enabled them to consolidate other companies using stock instead of cash. The central hypothesis behind these valuations, while unproven, was that exponential internet traffic demand would outstrip supply for the foreseeable future. This established baseline valuation multiples for industry leaders. Layered on top of this premise were two additional hypotheses: first, that smaller companies could be valued “relative” to leading companies, rather than based on their own economic fundamentals, and second, that deregulation would continue to produce attractive investment opportunities through new entrants.
The “canary in the coal mine” that some missed was the rate of advancement of dense wave division multiplexing technology (DWDM), which added exponential amounts of data capacity to a single fiber strand. This development destroyed the profit margins in long-haul data transport because it drove the unit cost of carry to virtually nothing. When that happened, new entrants struggled to get financing, acquisition activity slowed, and investors in leading companies took a bath. The industry collapsed. What happened, and could it have been avoided? Hindsight is always 20/20, and at the time much of this was evolving so rapidly that it was difficult for some to foresee clearly. I do wonder, however, if more active collaboration among industry participants could have made a difference. Instead of investors, customers, and carriers staying in their own silos, could they have collaborated to continuously validate the unit economics of carrying data, the financial viability of new entrants, and the customer demand that led to the original unvalidated hypothesis?
Today, the cybersecurity field has some curiously similar parallels. Enterprise security budgets, driven by scrutiny from Boards of Directors, the move to digital, and a healthy desire to manage risk, have been rising fast to enable investment in new controls and technology. Breaches are getting bigger and more frequent, and cybersecurity ETFs have gained more than 40% in the last three years as stock valuations for cybersecurity companies skyrocket based on investor expectations of unending growth. A central, yet unproven, hypothesis is that many of their latest tools and technologies will lower enterprise risk. Layered on top of this premise are two common additional beliefs: first, that the value of a particular risk is known to the enterprise, and second, that risk can be lowered by covering more surface area through widescale technology deployment. Yet we know that a significant percentage of contemporary breaches are driven by people and social engineering, and that timely patching and configuration could have helped in many cases. We also know that risk is highly dynamic and evolving rapidly thanks to the fast pace of technology and the changing nature of threats we face.
How, then, do you know what best impacts risk for a given dollar of investment today? Which vulnerabilities represent the most risk, and what controls are most effective against a given attack? This highly uncertain environment is one that can greatly benefit from what researchers have been doing for decades in mathematics: collaborating. Trusted collaboration enables uncertainty to be tested by leveraging the experiences of others to validate that an unproven hypothesis is still a reasonable one. And in cybersecurity, it can have immensely practical value. By sharing experiences with peers in a trusted environment, practitioners can quickly understand the costs and efficacy of security controls in other environments, and how the threat may be changing in other industries.
It also enables practitioners to compare notes on successful techniques for tackling critical topics like budget justification and executive communication. Taken together, sharing these human experiences can help to quickly validate strategies for risk reduction and maximizing security ROI. Or, said differently, it can help to regularly validate the decisions we all have to make in security that are based on layered, unproven hypotheses.
Managing risk and speculation are at the heart of economic value creation and will always be a part of running a business. Were it not for the existence of unproven hypotheses, we would not have landed someone on the moon or created the internet. We can always make better decisions, however, by leveraging collaboration to reduce the risk of uncertainty through hypothesis testing. It’s not a new concept to scientists or Lean startup followers, but maybe in cybersecurity we need to do it a little more.
If Bernhard Riemann were still here today, it might even make him smile.