Hadooponomics: Rethinking Big Data: Using Psychology and AI to Ask Better Questions (Podcast Transcript)

HadooponomicsEp13Listen to the episode.

James Haight: Welcome back, everyone, this is James Haight and I am excited to be here with you. We’re kicking off Season 3 of Hadooponomics. We have an awesome, awesome guest lined up for you. We’re kicking it off with six episodes this season, and today we are starting off with Morgan Wright. For any of you who don’t already know Morgan, you’re gonna love him. He’s an extremely interesting guy who has done a whole lot of things. He’s a world renowned cybersecurity expert, works for news networks, consulting for them on Big Data and technologies in cybersecurity. Of course there’s a lot of consulting work for the government. He’s done everything from helping the FBI with the DC sniper case to a whole lot of other things that we’re gonna dive into.

And there’s a lot of actionable tips in here. We of course talk about cybersecurity, but we take it back a level and sort of look at the bigger picture, and how it fits into that sorta human element, and how it ultimately comes down to asking better questions of your data. So we actually talk a little bit about some of the strategies and trends that he’s seen working and sort of where we’re going in the future so you guys can bring that back to your organization. Lot of good stuff in here, and the best part about it, Morgan’s a pretty accessible guy, willing to help you and consult with you guys. So if you’re interested in him, you wanna reach out, all his contact information is at the end of this episode. But also, you can find it on bluehillresearch.com/hadooponomics. We’ll have the show notes there, we’ll have the transcript, and we’ll have all the ways that Morgan said that he can get in touch with you guys up there.

So with that, I’m gonna step out of the way and let’s dive straight into our interview with Morgan.

All right, everyone, welcome back to the podcast. I am here today with Morgan Wright. Morgan’s a really interesting guy. Not only is he Chief Technology Analyst for a lot of the major news networks out there, he’s also a Senior Fellow at the Center for Digital Government. Morgan, welcome to the show.

Morgan Wright Hey, well thank you for having me on. And who wouldn’t wanna be on a show called Hadooponomics.

James: [laughs] That’s the hope, right? So Morgan, we’re excited to have you here, and as I sort of mentioned, you’re a pretty interesting guy. Can you just sort of tell our audience who you are, what you do, why we should be interested?

Morgan: Well you say that until you get to know me, then it might change. But no, number one, I appreciate being on this, as this is always fun. No, I’ve had kind of a varied background. After 18 years of state and local law enforcement, I originally was a music major in college, so who would’ve known? But I figured it was easier to arrest the kids than it was to teach them. So I spent 18 years in state and local law enforcement, state trooper, detective. But it got me exposed to technology because I was doing all the behavior analysis stuff, interview and interrogations, serial crime profiling. But then I saw this poster of Michael Jordan and Bill Gates and saw how much Michael Jordan made for the year, which paled in comparison to what Bill Gates made per minute. So I said, I gotta figure out this technology stuff. So I started doing a lot with computer forensics and then that got me into cybersecurity, moved out to Virginia and did some work in the intelligence community, the defense community. And just had a good, varied run. Worked as an executive at places like Alcaltel-Lucent, Rand, public safety, broadband, Cisco, their global public safety programs, Homeland Security. Spent some time in some interesting countries like Bogota, and Pakistan, and Turkey, and India as a Senior Adviser for the US State Department Anti-Terrorism Assistance Program. So the only reason I say all that is that as I’ve been able and had the great fortune and the great honor to work with a lot of good people in all of these different areas, got exposed to a lot of neat things about the power of information and the power data, and why so many people are looking at this wrong. And that’s why I was excited to be on, because I just have my view of the world. It’s just Morgan’s little view. But I think when you and I talked in the pre-show and stuff, I think there’s a lot of interesting things that’s buried in the data. And if people just had a different view of it, we could have a much bigger impact in terms of the mission or what anybody’s trying to accomplish. So that’s kind of a smaller version of what I’ve done.

James: Absolutely, and part of the reason why we’re excited to have you on the show is the fact that you actually don’t come at this from sort of the technical background, right? You’re almost coming from the opposite extreme. You’re coming at it from a behavior and a human interaction standpoint. Which means when you sit down, you’re looking at it fundamentally differently than what, perhaps, a lot of our audience does, definitely than how I look at data. And so you’ve had some pretty interesting thoughts about data security. And we’re trying to go back and forth on how we can help out our audience understand how to make the most of their Big Data investments, and how they should actually be viewing data. I wonder if you can just sort of go off of that, and then we’ll dive deeper into some of the more specifics.

Morgan: Sure, so I’ll give you a real world example, and we’ll talk later, too, I’ll talk about healthcare.gov, too, because I was one of the four original experts that testified on healthcare.gov. And you wanna talk about a lot of Big Data? There were some issues there. But I’ll tell you, now, don’t get me wrong, I can go technical, I just chose not to because I wanted to give, one of my degrees is Computer Information Systems. So I’m like, yeah, I get this, but I was always fascinated by how can technology increase the speed and precision of the decision making process? And that’s where we get into data, so let me give you a real world example.

Working on Plan Colombia we were working on assessing, and this is back before 9/11, we were working on assessing lots and lots of risk because the narco traffickers had information. They owned lots and lots of property. So in that, those physical things actually generated lots of data that we look for relationships. And so I started looking at things a little differently there. And then 9/11 happened, and so the mission of several of the things many of us were working on changed to where I was doing some work inside the Counterintelligence Field Activity, part of the Joint Counterintelligence Assessment Group. And we were looking at it to say, okay, look, and this is where I came up with the theory, we were talking about the haystack. So I came up with this philosophy, this approach is that it is a complete waste of time to try and make the haystack smaller. Everybody says, well, it’s like looking for a needle in a haystack, and that’s the value of Big Data. It’s there are many, many needles in there and it’s a huge haystack, and so it was supposed to make the haystack smaller. Complete waste of time, because, really, what you want to do is get to the needle. So I always looked at how can technology operate as a bigger magnet? How can we pull information out as opposed to me having to go search for it? So the real world example was, the unclassified version of this, is that we found some things that we were doing in the intelligence community that could actually be applied in law enforcement, which was my background.

So let’s take the DC sniper case. For those that may not be aware of what happened is, almost a year after 9/11, out in the northern Virginia, the National Capital Region, Lee Boyd Malvo and John Muhammed engaged and killed 13 people in 33 days, wounded a lot of other folks. And for the whole time we were looking for a white panel van, James. Just everybody got that, oh, we’ve had a shooting, go look for a van. And I kept telling these guys, don’t let the lights blind you, it’s cognitive bias. Even in an investigation, you can’t get locked into a thread of an investigation and say, hey, we’re going down this route, and get locked into a line of inquiry because you’re too invested in it. So what we did is we looked at it, and my thing was, okay, look, let’s just get down to some things, how many people have just had contact with law enforcement? We know that the more that these things happen, the more the probability that somebody will have contact with law enforcement. And which’ll lead us into a second discussion, too, we’ll talk about serial killers and the value of Big Data in that.

Anyway, so every agency in the United States, James, has a thing called an ORI, Originating Agency Identifier, which is like an IP address, it’s unique to that thing. So I said, let’s draw circles around Prince William, Prince George’s, and Montgomery counties, which were three of the biggest areas, and let’s look to see how many people or vehicles, or anything that had two or more contacts. And look, a lot of things were happening at that time, people didn’t act on information as quickly as we’d hoped. Because look, it was a big, huge investigation going on. But let’s put it this way, the outcome of this was is that when you drew circles around those three counties, there were 97 vehicles that had their tags checked through the law enforcement computer called NCIC to see if they were stolen or wanted. Only 97 vehicles had been checked two or more times. Out of those 97, three were Chevy Caprices and one of those Chevy Caprices belonged to Malvo and Muhammed. But that vehicle was the only vehicle, the only vehicle in the entire United States, James, that had its plate checked in Northern Virginia, the National Capital Region, as well as Montgomery, Alabama. Which, through ballistics, they tied those two shootings together.

So let me just bring this part to a close, and I’ll tell you why I looked at it differently. Everybody kept looking at this, I said you guys are looking at this like a two dimensional checkerboard. I mean, you’re playing checkers but you’re looking at it from the side. So I see the board, and I see a red piece, and I see a black piece. And I know that they’re there, but I can’t see the relationships between the pieces. I can’t come up with a strategy because I don’t know exactly how many pieces there are, where they are on the board. So I said, we gotta change our view of information. So you need that top down view that, now that we’re getting the point of where we’ve got Big Data. Back in the day it was called Total Information Awareness, Admiral Poindexter down at DARPA was working on a program we tried to bring into DOJ. And so, I mean, it was fascinating to look at this stuff. At the end of the day, the Big Data that we were trying to get to was driven by people. The actions of people, the contacts that they had, so we used that. At the end of the day, and then when you looked at the police reports that came out of this too, James, there were four vehicles. In four of the shootings out of all of them, a dark colored or burgundy colored Chevy Caprice was seen leaving the scene of the incident. So you take that, along with the fact that only three vehicles were Chevy Caprices, and only one vehicle in the entire United States was checked in the areas where shootings were linked. That’s how we could’ve used Big Data better. Back then we just didn’t call it Big Data, it was just massive amounts of data. And we’re trying to figure out what to do with it. So anyway, let me bring that to a close and say, look, if you guys don’t think Big Data’s not important, whether your mission is in banking, which is you’re looking now for terrorism, and money laundering, and things like that. Or whether it’s healthcare and you’re looking for fraud, or you’re in real estate. Look, ton of fraud and a ton of illegal activity happening below the thresholds in real estate transactions at all these rental properties throughout the United States, and homes being bought for cash, that fall below a certain triggering mechanism for reporting. So anyway, James, let me stop there, because if I don’t I won’t take a breath and I’ll pass out.

James: [laughs]

Morgan: But I mean, this is why I love this stuff, there’s so much good stuff there.

James: Sure, and one of the things that I’m drawing back is, you talk about, hey, let’s not make the haystack smaller, let’s have a bigger magnet. If you think of what we’re doing with Big Data, and so many people, all right, we’re investing in huge Big Data ecosystems and systems, right? Whether it’s Hadoop or not, we’re making the haystack enormous, right? So for those of us who are about to make the haystack even bigger, or who already have the largest haystack in the world, what are we gonna do?

Morgan: I think one of the things you gotta do is you gotta step back and realize, at the end of the day, what’s the outcome you want? We get too fixated on outputs. Well like I created this before, I did this, I did that, and that’s not the question. The question is, what is it you’re really trying to achieve? What’s the mission? And I’m getting a little bit police or military oriented on the language, but it’s really, at the end of the day, if you’re analyzing all this data, what will you do when you get the data? What answers are you seeking? In fact, one of the things I would say is spend a lot of time figuring the right questions to ask of the data. And that’s what Albert Einstein said, too. I go back to one of his famous quotes. He said, look, I think it was, or some variation of look, if I had an hour to solve a problem, my life depended upon it, I’d spend the first 55 minutes figuring out the right questions to ask. Because once I knew I could ask the right questions I could get to the answer. We just dive into stuff, James. And I think if we sit back and we start applying the critical thinking skills, what are the questions I should be asking? I did a presentation for a securities company, financial securities company, and they’ve got billions and billions of dollars, called Macquarie. And I came out and I gave them a checklist, I said, look, you don’t need to know anything about technology, but if you’re sitting on a board, you need to know how to ask questions about what your risks are around cybersecurity and all of these things. So I went down a punch list, I said, here’s the questions you should be asking about policy, about training, about technology refresh, about access control things. You don’t need to know how to configure a router, but you ought to be able to ask, have we put the proper protections in place? Have we done X, have we done Y? And when you don’t get the answer you’re looking for, and most of us, James, can smell a BS answer when we get it. We’ve all been involved in technology, when somebody starts going, well, to be honest, that’s your first clue something’s wrong there.

So I think there’s two things I would say. Number one is ask the right questions, and number two, here’s the key. I was just speaking at a conference yesterday, and one of the folks was always challenged, which I know a lot of your folks in the audience are, with, how do we get the attention of executives? How do we get the visibility? How do we get them to understand what we’re doing? My response was, when you present things and you’re doing things, you’re making it too technical. I suggested two things. Number one, good friend of mine wrote a book called, oh, I just spaced out the name, I’ve been traveling so much. It’s Carmine Gallo, and it’s basically, it’s The Storyteller’s Secret. I’m sorry, it’s called The Storyteller’s Secret. People need to learn, even if you’re in technology, learn how to communicate and do it at a sixth to seventh grade level. If you wanna have impact, you wanna drive change, ask the right questions and communicate that change. The technology is a tool, it’s not the end state. The end state is getting the outcome you want. And the way you do that is through communication. And one of the ways you do that is creating that insight that only asking the right questions of the information, or of the project, can get you. So that’s kinda my take on it. I mean, we could write code all day long, but at the end of the day, if we can’t put it in such a way that we give somebody the ability to make a decision on it, then it’s academic.

James: Absolutely, and so I think our audience will probably tie back to two of our past guests, and it immediately pops up in my mind, and the first is Kirk Borne. We had him, and he’s Chief Data Scientist over at Booz Allen. He worked on the Hubble space telescope. Legitimately a rocket scientist and astrophysicist. And his whole schtick was, you just visualize the data and present it so that a fifth grader could read it. And it’s incredible, he’s one of the most technically gifted people we’ve interviewed on this show, and the way that he got decisions done, and the way that he made change was through exactly what you’re talking about.

And the second piece is, look, we need to know what the right question to ask is, and what I wanna sort of put this back on you, is you talked about that technology’s a tool. And I know that you’re big into the AI and the cognitive world, and I suspect a lot of our audience is trying to dive into that. To me, it seems like there’s almost no better tool than sort of cognitive and machine learning, and that sort of thing, to actually get to the answer once we figure out what the question is to ask. And, perhaps, and what I’m really curious is, can that actually help us ask the right question?

Morgan: Absolutely, and I’ll tell you, here’s something I did back in 2004. By the way, to be in the same discussion as the guy who worked on the Hubble telescope, man, [laughs] I pale in comparison. I might be able to work on my Camaro every now and then, but that’s about it, so. [laughs] Yeah, certainly not a space telescope. But I’ll tell you what, actually, I got invited, so I’ll be out at the World of Watson with IBM, and speaking of AI, this is how it can help you. So back on a project I did in the Department of Justice, it was originally called the Law Enforcement Information Sharing Architecture, and my first piece of advice to them was dude, that’s a snoozer. Nobody cares about an architecture, especially when you’re trying to get the operational people at the FBI, ATF, DEA, marshalls involved. So we called it the Law Enforcement Information Sharing Program. Why? Because they just launched the National Criminal Intelligence Sharing Program. I said, now it sounds like you actually had a plan. Which they didn’t, but it sounded like they had a plan.

James: [laughs]

Morgan: And one of the things I said you should be capturing, Amazon was just starting to get big at that time. But one of the unique features of Amazon was they started taking some of this early machine learning, or saying, people who searched for this also searched for this. They were doing suggestive selling. But what I was saying was, think about the synapses that starts making you fire, when people searched for Smith, S-M-I-T-H, they also searched for Smyth. Oh, I never thought about that! Or here’s an interesting thing, too, when you deal with multicultural names. A lot of people get Hispanic names wrong, because when somebody’s name is like, and this is a friend of mine, Ramon Hernandez Gonzalez, worked with him at the Sheriff’s Department. I was a state trooper, he was the Sheriff. But Hernandez was his mother’s name, the maternal name. Gonzalez was the paternal name. A lot of people thought that Hernandez was the last name, and it wasn’t. So they would get the names wrong.

Give you another example. Shahriar Beigi is a Persian name, I used to grow up around him. Shahriar Beigi is actually short for Golan Reza Khan Muhammad Beigi. I mean, try to put that on a name tag. And so we used to kid him, so we’re just gonna call you Bob. But to that point, it’s that once you start giving me new possibilities, James Altucher calls it idea sex. Just start finding out something here and something there, and put it together, pretty soon you have a new idea. So that’s one of the things I do too, is write down ten new ideas every day. But I think that’s what AI cognitive can help you do, is it can start stimulating other thoughts, other ways to connect random things together to generate a whole new idea. Which is a whole new inquiry, a whole new way to look at the data. When Freakonomics came out, which kinda ties into your Hadooponomics, right? What was one of the guys’ things that they did, the authors of Freakonomics did, is they looked at the data differently. They asked different questions of it. They said, why can’t we ask this kind of question? Like about the crime rate, or about this, or about that. So they looked at it differently, and the causation factors for that. And that’s where, I think, a lot of smart people out there, and you know what? You ever had one of those aha moments, a blinding flash of the obvious, and all of a sudden it hits you, that inspiration? Where all of a sudden you wake up after your mind’s worked on something for a while, you go, oh my goodness, that’s the answer to it! Or, that’s the way I need to look at it differently. I think that’s what AI cognitive does. It will turn us into better question askers, if that’s a phrase, so that we can get different results and better results on it. If you keep asking the same question you’ll get the same response, right? How do we change all of that? And that, to me, is the exciting piece. I still want humans driving cars, I can’t wrap my head around the idea of sitting in the car and letting some robot drive me off the ditch. So I still think humans have to be in charge of things. And I think their ability to look at things and ask questions will be supported by AI and cognitive. So all this machine learning is gonna be great, but still, at the end of the day, it’s that unique, human characteristic to look at things in different ways. Why can Stephen King write these killer novels? You might be able to teach a machine to do that, but at the end of the day, only somebody like Stephen King can come up with like, The Shining, and Carrie, I think, and stuff like that. So humans are still always gonna be important, and I think AI cognitive will absolutely improve our ability to ask questions. Even though we don’t know the answers to them, if we start asking better questions we’ll start discovering these bigger, darker secrets, and outcomes, and learnings that are hidden. Truly, they’re hidden in the data there, somewhere. We just gotta figure out a better way to pull them out.

James: And so let’s push on that just a little bit, dive a little deeper. Because it’s one thing to say we need to ask better questions, right? And I think everyone agrees, sure. But the next question is, and perhaps the better question, ironically, to ask, is what is the better question? How do we find that and then sort of present it up to our executives, right? Let’s tie all those things together. You’re a Big Data analyst, you’re a data scientist at a Fortune 500 company, and you’ve been grinding away trying to figure something out, and how do you go about asking this better question? And then once you find the answer, how do you go about actually influencing change?

Morgan: That is an excellent question, because that gets back into the motivation, right? A lot of people ask how. Give you an example. You work for companies that have password policies, right? They tell you, your password must. They tell you what you must have. They just never tell you how to come up with the password, and why, from a behavioral standpoint, you need to do things. So it’s really the motivation, it’s the how, it’s the why. I don’t think we’ll ever come up with a very good answer to that, because it all depends upon your culture. If you’re in a Google or a Microsoft, versus, as you were saying earlier, a Booz Allen, or I used to do work at SAIC, and Unisys, and BearingPoint, and Cisco. Each company had a completely different culture and you had to spend time to learn the culture to learn, how do they make decisions? How do they drive decisions? I’ll tell you, one of the other things, though, I think would be very helpful in terms of how to ask better questions is to get out of your comfort zone. I mean, everybody, and your folks in your audience out there know this, too. You go to these conferences and you always see, “the usual suspects”. So you come, and all of a sudden we start getting an echo chamber. I told somebody, sometime, why don’t you go to the auto show, instead? Don’t go to RSA, go to the auto show. Why? Because it’ll start spurring different ways to look at things. Why do, for example, let’s talk a little bit about Big Data, cybersecurity, and how this ties in. Why is it that we have all these zero day exploits or we have these novel ways of getting in? Why? Because we’re constrained. 9/11 happened because of a failure of imagination. That was the lesson from the 9/11 Commission. Because we couldn’t imagine four planes being flown into things. And we couldn’t imagine that somebody would spend all this time doing this, and we couldn’t imagine that. That was the problem, failure of imagination. If you wanna ask different questions and quit fighting the last battle, get out of your comfort zone, start getting into things that stretch your comfort. Start stretching the way you think and start driving different ways to look at the world. We all get wrapped up in our little world. We take the same way to work. So one of the things I saw, a guy who comes up with these brilliant ideas, he challenges himself every day when he drives in, and he lives out in Bay Area. Challenges himself to find a new way to go to work every single day. Never takes the same route twice. And just that, I mean, you gotta break out.

So I say all of that to say this. I don’t know that there’s a really good way to do this, but I what I would say is have some fun. Read stuff like James Altucher, The Choose Yourself Guide. Don’t go to the standard shows, go to something different, completely out of your comfort zone. People gonna wonder, what the heck were you doing there? And start looking at the world differently. And I mean, I know that there’s all these courses that teach you critical thinking and stuff, and I never attended one of those. I never looked at it that way. But I’ll tell you, some of the most life changing things that I ever went through is when I went to people that taught you how to communicate. People that taught you how to think differently. Personal development stuff. Because they want you to look at the world differently than you are. In fact, I tell you what, read some of the stories about some of these good hackers and stuff that are out there, and read the interviews that they do on these InfoSec magazines and stuff. And look at how they view the world, look at how they think differently than everybody else. And that’s what the old Apple thing was. Steve Jobs said, think differently. So I don’t know that I have a good answer for that. I mean, hopefully I didn’t beat around the bush too much, but I’m telling you, James, I don’t know that we actually have a good discipline for people. We teach them technology, we teach them management, but I don’t think we ever sit back and say, when do you spend time, do you clear out your calendar for two hours and just sit and think about the problems you need to solve? No, because we have people say, well I’m too busy working. That’s why you can’t solve the problem, you never sit down to let your mind wander and say, hmm, what would happen if I put A with Z with Y with T and with a bag of fruit? What would happen then? And start looking at different things.

James: Absolutely, so there’s so much in there to dig out, right, and I’m trying to pick the pieces that I wanna press on and go a little further. I think the first thing that I’ll mention is we had a guest on here talking about how if you look at location data for customers with mobile tracking, you find out that people are always in the same three spots. They’re at home, there’s work, and then there’s one special place in between. It’s maybe picking up their kids from school, or the gym that they always go to, right? There’s always sort of these big three. And the point of saying that is I see us, people just in the same routine and sort of the same mindset solving questions all the time. And the idea of the echo chamber is so real, and I say that as someone who contributes to it almost daily [laughs].

Morgan: [laughs]

James: I go to the same conferences-

Morgan: We all do.

James: I see the same people, I talk about the same thing and I sort of advance an agenda, even on this show, based on my preconceived notions and what I think the world should be, and how I view it. And I think there’s something to be said for just taking a step back and trying to solve a problem in a completely different way. One example, and I can’t think of the exact specifics, but there’s this one government program, and what they do is they sort of crowdsource the answers to these really almost impossible challenges to solve. And what they find is, if it’s a physics problem, it’s not the physicist who comes up with it. It’s, say, the economist who just happened to have a little bit of training in physics, right, enough to understand it but approaches it with a totally different mindset. And I think there’s a corollary there to be brought out sort of just to the general world of anytime we’re trying to solve problems.

Morgan: Actually, what you’re referring to, the first one, too, about they all go to the three locations, that’s what Starbucks figured out. And, in fact, Howard Schultz said, Starbucks is that third place between home and work. That’s what he was trying to make Starbucks. They exactly knew human behavior. And that’s how serial crime profiling works, is that you look at human behavior and you say, well, I don’t know what a specific person does. People who do X tend to have these things. So yeah, so they go to those same three places, they do the same things, but then some of the value, too, about some of the location stuff, you’d be surprised. A lot of people don’t know, sometimes, that they have these habits. So there’s another great book I would suggest people read called The Power of Habit, by Charles Duhigg. You will see why people do certain things. So if you wanna change things, you have to change. It’s very hard to change their habits, but what you do is your change their reaction, their cue. So one guy found that every day at 3:00 he just got up and he went and ate a cookie, and then it was the chips, and then pretty soon he was gaining a lot of weight. So he started asking, why do I do that? Is it because I’m hungry? And he started keeping track of stuff and he found out, he said, no, what it was, I was bored. So at 3:00 every day, instead of eating a cookie, he changed his routine. So he got up, his habit was to get up at 3:00, he would talk with a colleague, he’d go have a smoothie. He would do something different so that the outcome would be different. He didn’t change his habits, he still got up at 3:00 from his desk, but he changed these things.

And I mean, to your point about the echo chamber and stuff, here’s what I would say for some of the folks that are out there. Go talk to your boss and say, I want to go to a conference that has absolutely nothing to do with what I work on. I think Google used to do this too, James. I think they used to say you could spend 10 to 20% of your time working on projects, kinda like pet projects that had nothing to do with what you’re working on because you would stimulate ideas. But the other thing I was gonna tell you about, too, was when you talked about the economist, that crowdsourcing, there was a company for a while, and I think it was called Challenge Driven Innovations, but that’s what they were doing. They were trying to solve, and I can’t think of the company, it’ll come to me later, most likely about 3:00 this morning. But there was a company that was trying to solve, I think it was a pharmaceutical problem, but they had spent 15 years trying to solve this. And they couldn’t get where they were doing it. So they actually exposed some of this information. No, no, I’m sorry, it was mining, it was mining, it was gold mining. And they just said, hey, look, we’re just gonna publish our maps, we’re gonna do this, we’re gonna do this. And if you came up with the right answer, obviously, then you’d get a percentage of what goes on. Well a guy out of Russia, not even anywhere, a guy in Russia looked at it, said, hey I built this program that does X. And so it was in Canada, I believe, they were able to go back and find and increase the productivity of certain areas and certain mines for gold production. And instead of holding on to the information, information is worthless if you hold onto it. And I know, I get the intellectual property and stuff, I’m not talking about sharing classified information. But if you let information go free, if you will just put it out there and see where it goes and follow it, you’ll be surprised. I think it was the Navy that actually realized that a software that was written to detect magma displacements under the water could actually be used to track submarines. Now who figured that out?

James: That’s incredible. So I think we could probably talk about this all day, and there’s just so many routes to sort of go down and explore. But one of the things I wanna make sure we touch on and transition to while we have you here, right, is talking about this idea of Big Data security. It’s a huge issue. I suspect a lot of it is just thinking differently and making sure that you have the right parameters in place, thinking about it from a very people-oriented way. But I’d love to sort of first get your reaction, sort of your spiel, and how you think about it, and then dive into a couple points.

Morgan: Well by the time this podcast comes out, your folks will be aware that Yahoo had the largest data breach in history. 500 million names and passwords, and some encrypted, some hashed, and information like that. That’s Big Data, I mean, that’s a huge amount of data, right? So how are you protecting it? What were you doing with it? But more importantly is why is it that we couldn’t, I mean, this is basically a nation state, a state actor. So why is it that we weren’t able to detect this stuff going on? I mean, we’re looking for different clues, different things, and you’re right, it still goes back down to you gotta make sure everything from a network standpoint, topology, I get this, we were talking about network access control. Even after 15 years, NAC is still kind of a very hard thing to figure out and do to make it easy. And with BYOD and all of these endpoints and stuff, and you’ve got all of this data. We’ve got more data flowing, I mean, the knowledge of the world probably doubles what, now, every 180 days or something? And we’ve just got all of this data, but it’s making sense out of it, it’s clarifying it and bringing it down. But the more important thing is, is that as we build these systems, we tend to overdrive our headlights. And we think, we gotta get to market, we gotta do this, and so the old joke, I think it’s still true, too, is that when you’re building these systems, there’s three factors. Price, speed, and security, pick two. And security always used to be the third factor, and it was like a bolt-on. Well as you build these systems, as you build, especially, Big Data systems, it makes it easier now to hide malware inside of those things. It makes it easier to hide attack vectors inside of those things. You’ve increased your attack surface exponentially with the more things that you have that are running out there. But again, guess what it comes back to? It still comes back to a human thing. One of the things I advised on, talking with the House Science and Space Technology Committee, I do some advising for them kind of on the side on some of these issues. Because they were talking about state actors, and how safe is our government. Look, I was one of the victims of the OPM breach, 21 million records. There’s some Big Data, right? How come we couldn’t detect it? Because the systems were friggin’ ancient, James. I mean, these things, I think, were built by our ancestors when they came over on the Mayflower, because there was no encryption. So, I mean, if you look at the major failures that have happened, a lot of this happens because we forget the fundamentals. It’s like football, we forget the fundamentals. What’s fundamental in football? Blocking and tackling. We wanna do all of this fancy stuff, everybody, I think, wants to show their ninja skills. My chi is good, I can do all of these fancy things. And they get so enamored with themselves they forget what they were there to do. And what they were there to do in the first place is to make sure this information is safe, it’s secure. It does nobody any good when you have to spend, on average, $7 million to recover from a significant data breach.

James: So Morgan, one of the things I wanna do, and I think that ties up so much of what we’ve talked about, right? And I think it just weaves in so nicely with a lot of our other episodes, so a lot for our audience to learn. I would imagine that they would probably love to either learn more about you or follow up with you, or just sort of be connected to what you’re up to. So for our audience out there, where are we going to find out more about you? How do we stay in touch?

Morgan: So a couple easy ways. Number one, I’m on LinkedIn, you can look me up, Morgan Wright. I’m one of the very few Morgan Wrights on LinkedIn. My Twitter, @morganwright_us. And then I have a couple different sites, too. My professional site is morganwright.us, that’s where I do my strategy work, my speaking engagements from. And then I’ve been toying with a thing called identity security, so it’s kinda my approach to, it’s how to secure the human. How do you secure the environment by focusing on the people and the basics. So that’s called identitysecurity.com. And you can normally catch me, if you Google me, you’ll see some of my appearances on several of the networks and stuff. And so, I mean, you can see, hey, if I’m full of it just write me and tell me I’m full of it, but look. If I can be of any help to you, James, and to your audience, I’ll be out at the World of Watson, like I said, at the end of October in Las Vegas. If anybody’s out there, look me up. If you’re in the DC area I’ll be doing some stuff at AFCEA, kinda the military-industrial complex cybersecurity forum that’s gonna be happening the second week of October, I believe. But any time I can be of any help, hey, just reach out, let me know. If you can’t find me on the Internet, you’re not trying hard enough, I’m out there.

Posted on October 5, 2016 by James Haight