In the security world, there is a truism that defense (protecting systems) is harder than offense (breaking into systems) because it’s an asymmetric playing field. The bad guys need only find one path into an environment — one place where everything hasn’t been done exactly “just so” and perfectly — while those charged with securing that environment need to protect against intrusions everywhere they have a technology footprint.
It doesn’t stop there — the asymmetry is apparent in other respects as well. For example, a large percentage (if not all) of a company’s staff members go home at night. They may not watch the environment as closely on the weekends or on holidays. Attackers, on the other hand, can operate from wherever, whenever (be it 5 p.m. on Friday or 2 a.m. on New Year’s Eve), and they can target any place in an environment or even multiple places as once.
There are situations that compound this effect. For one, there is a skills gap among security professionals, data suggests. For example, 55 percent of the organizations responding to a recent survey said that it took them at least three months to fill open security positions, according to ISACA’s State of Cybersecurity 2017 report.
For 32 percent of enterprises, it took six months or more. Likewise, 37 percent of those surveyed said that fewer than one in four candidates had appropriate qualifications for the positions they wanted to fill.
The point is, there’s an unevenness about security — as a discipline — that makes it asymmetric and therefore difficult to do well and consistently. This unevenness is compounded by challenges in acquiring staff and acquiring tools, and the fact that the threat landscape is evolving constantly.
This in turn means that organizations — and the security and assurance practitioners that support them — need to up their game in terms of how they approach security if they intend to level the playing field. It means, in short, that they need to automate.
One strategy that organizations can use to help offset some of the inherent asymmetry in keeping technology secured is to make extensive use of automation to support security practices.
Why automation? There are a few reasons. First, there is the obvious one. To the extent that you can automate a task, you can “cheat the resource curve.” That means if you’ve automated a task, you don’t need boots on the ground for the work to get done — you can redeploy that staff to some other task.
That’s pretty straightforward, but there are additional benefits — notably with respect to the resiliency of process. In the security world, we don’t often think about it this way, but security measures are not immune from the physics that impact generic processes.
For example, processes can be more or less resistant to staff turnover (attrition). If you have, for example, someone who is conducting threat analysis for you (think internal threat intelligence and analysis), and that person leaves to go to your competitor, what happens to your ability to perform that task in the three to six months it takes to replace the employee? In the best case scenario, it makes the work of the rest of the team harder. In the worst case example, if the team was a team of one, you can’t perform the analysis until the person is replaced.
There is alsothe question of optimizing overhead. To some degree, the nature of how we buy and deploy automated tools can insulate us from events that might be out of our control.
For example, a tool is a sunk cost. Sometimes organizations need to make cuts. To maximize the return on investments already made, you need to continue using that tool throughout its depreciation cycle to fully realize the value. Staff, frankly, are easier to cut. So, compared to manual controls, an automated control potentially is more resilient when voluntary attrition or staff turnover occurs, and better insulated against budget reductions.
Where to Start Looking
The point is that automation of security tasks can have advantages across a few different dimensions. For the practical-minded security manager (or other technology leader), the question becomes not whether to do it, but how to do it — and where to find opportunities.
There are a few options, but automation involves reviewing your security program in a way and from a perspective that might not be how you naturally think about security. Specifically, it involves understanding, in order of increasing complexity: what specific controls you have in place; what they do; how they’re operated; the costs involved in using them; and what you’re missing, based on your overall risk profile.
As you can see, there is a maturity spectrum here. Pretty much any organization should know what controls it has deployed (granted, some don’t, but in that case, they have bigger fish to fry). However, only the most mature are likely to have assessed their risk profile, and the threat landscape that helps comprise it, in a useful, ongoing and systematic way.
The point is, the extent of your examination will be based on these elements in accordance with where your security team falls on this spectrum.
For organizations that are less mature, a useful starting point can be using their existing inventory of controls to look strategically for areas of potential automation investment.
Those that can tie together method of operation (who is doing it and how) can fold in that information. They might inform their analysis based on staffing considerations (who’s hardest to replace), skills those staff members have (what they can otherwise do if an automation investment is made) and so on.
When folding in cost to operate controls as a consideration, opportunities to realize cost savings can influence the analysis. Also, a comprehensive understanding of risk can factor in analysis of risk offsets relative to dollars.
At the end of the day, though, the question isn’t necessarily whether you automate control X or control Y. The specifics will vary based on what type of organization you are, what you do, the industry you operate in, and what your needs are. The point is that you realize how automation plays into your security strategy — and that you realize that how you implement a given control can be just as important as whether you implement it.