When the topic of automation was first introduced to the security industry, it was often in the same breath as the threat it posed to job security. However, increasingly the
conversation has turned to automation's potential benefits, which include making process more efficient and easing the challenges of resourcing by freeing up staff from manual tasks.
Earlier this year, I hosted a Leadership Forum for CISOs, discussing where the value of automation really lies for cybersecurity professionals. Here are my key takeaways:
"It's not Artificial Intelligence. You're only automating the most basic tasks - it's Artificial Stupidity."
Across virtually every place automation is being used, its real value comes from improving efficiency of process by automating manual and often boring/repeatable tasks.
This generally holds true in security. Where automation is occurring, it’s often with tasks that before would require a significant amount of human labour – like sifting through tickets - with a central goal of streamlining processes.
Although there was some discussion of automation in more complex processes like risk assessment / threat-hunting, attendees were generally sceptical about the success of tools which claimed to do this comprehensively.
In particular, there was an almost unanimous reluctance to automate actual response or decisions which an individual will still be held accountable for.
Are we really “doing” automation?
Consensus was that security professionals are tending to automate in vertical silos rather than laterally across end-to-end process.
As well as a reluctance to relinquish control whilst maintaining responsibility, there were also attendees who were yet to find tools which really matched their business requirements, so were reticent about becoming swept up in the excitement of automation. Instead, they preferred to try and retrofit processes around their tools.
While regulators are yet to catch up with automation, most businesses will probably remain reluctant to commit to it fully for fear of ending up as the pinup legislative case study.
However, as one attendee pointed out, it’s rare for major changes to happen in anything other than increments. If you continue to automate every tiny step in a process, eventually you do have end-to-end automation. Though most are certainly a way off from reaching this.
Automation doesn't destroy jobs: it makes people more valuable
The current value of automation is to make your human resource more effective, by freeing up their time for higher value activity: a major boon in a notoriously talent-short market.
This will of course, change the nature of the work which the security team carries out. Automation is aiming to automate actual decision making, but you still need people to oversee tasks and make judgement calls. Automation still can’t respond to risks, or identify patterns and draw conclusions from sets of reporting data.
One attendee raised the point that the more we automate aspects of a process, the more we’re sacrificing our understanding of that process – which could have consequences. Originally, an entry-level security role would involve learning a process by carrying out all of its manual stages, now automation could mean those in the early stages of their career are missing out on this experience. He spoke anecdotally about an analyst who had recently joined his team from a bigger organisation where they had used tools to carry out a risk assessment. When faced with the task without the tool in their new business, they couldn’t do it.
Conversely, others noted that stepping further away from process might be the logical next step in the evolution of the cybersecurity team, whose exact role has never been a constant. “Not too long ago security teams were expected to deploy and manage firewalls. Now no one does that.”
Depending on how you define it, in many ways automation is just the next step in doing what computers have always helped us do: aggregating or categorise information to free up time.
From the discussion, I think it's unlikely that CISOs will be relinquishing control and automating their response for some time, and those in the community will tip their hat to the person who does and wait to see what happens to them before taking the plunge.
If automation does have potential to free up valuable resource to mitigate risk though, then forums like this are a good opportunity to share non-competitive knowledge for the good of the industry.
I’m Ross, Head of La Fosse’s Information Security Practice. If you’d like to get in touch to learn more about this event, or how our security team can help you, get in touch: firstname.lastname@example.org.
If this blog was interesting, read these other blogs on Information Security here.