Note To CISOs: Be the Automator, Not The Automated

Rob Whiteley

I’d like to take a small commercial break from your regularly scheduled security & risk programming to bring you the following observation . . .

I was recently in a client session with one of our great infrastructure & operations (I&O) analysts, Glenn “Automation” O’Donnell. His research on IT automation is extremely interesting both tactically (advice for improving IT operations) and philosophically (a call to arms for IT professionals to update their skill set or risk obsolescence).

Anyway, in this session Glenn made a great observation: IT is at a key inflection point in 2009 and it’s never going back. He was distilling the result of three IT macro-level events colliding: 

  • Business Technology (BT) architecture redefining how we define IT services
  • Cloud computing and virtualization redefining how we build IT services
  • Automation and ITIL redefining how we run IT services

But the big takeaway for me was automation. It’s the main ingredient in transforming information technology.

And now as we return to our regularly scheduled security & risk programming I’d like to pose the following question: What is automation doing for information security? My take: Not much.

Sure, we see pockets of automation in information security. I’ve seen:

  • GRC. Enterprise GRC platforms help automate risk and compliance management. They build on one of the key tenets of automation: visibility across silos of information and assets.
  • Security operations. Tools like firewall management and security information management (SIM) help automate monitoring and maintenance of basic security operations tasks.
  • Business continuity. Many organizations have automated disaster recovery processes. For example, mission critical systems automatically failing over from a primary to secondary data center.

I’m sure I could come up with more if I dug a bit deeper, but it seems to me that the majority of examples I do come up with either focus on monitoring (which isn’t a particularly powerful automation concept) or build on infrastructure and operations automation, as with BC/DR.

So why isn’t automation more prevalent in information security? I recently posed this question on Twitter and @dbanes responded with “Probably 'cause it's nearly impossible to automate solutions to manually crafted attacks.” Good point, but I still think information security is a service-oriented function, much like infrastructure & operations. I would expect to see a lot more automation tackling inefficiencies around security policy management, metrics and reporting, rights management, etc.

I’ll leave you with a pearl of wisdom from Glenn: “Be the automator, not the automated.” Although CISOs have done a good job of shedding many operational responsibilities, there are still a lot of lessons to be learned from other IT disciplines on how automation can produce a leaner, more efficient information security organization.

Am I missing something? Let me know your thoughts on automation and when and how it applies to information security practices.

[posted by Robert Whiteley]

Comments

re: Note To CISOs: Be the Automator, Not The Automated

Thought provoking...I must say I like @dbanes's response. One thing I do know is that automation reduces time and money spent on IT security initiatives and makes the IT dept. and an organization so much more lean and efficient. However, with everything there just has to be a balance. I think of the cruise control on our car: despite having it we must keep at least one hand on the wheel, and be ready to brake at any given time. So we can automate the controls, risk assessments, technology audits, policy dissemination, policy review, and reporting, but we must always have one hand if not two on the wheel. We can never get away from the human risk factor, not just externally but I dare say internally as well.

re: Note To CISOs: Be the Automator, Not The Automated

Great comments. I completely agree that automating is not about giving up control, but just streamlining waste. To your car analogy, think how painful it would be if computing fuel injection, monitoring all of your fluids, and applying brakes were all tasks you had to do manually! I think the key is understanding what in information security has evolved from art to science and then automating as much of the science as possible.

re: Note To CISOs: Be the Automator, Not The Automated

Following on the Garland Group comment, you could easily say that GRC and SIM are deployed primarily for compliance--I'd include management tools there also because of the savings--and companies are stuck with a lot of manual processes because they HAVE to do something, so automation makes good business sense. The BC/DR observation speaks to the early notion of availability as a key element of security, but again, there's a compelling business need as well. I wonder if most organizations have a lot of faith in automated responses, such as IPS or DLP blocking bad stuff, except for the most obvious use cases.

re: Note To CISOs: Be the Automator, Not The Automated

Rob, you say in passing that "CISOs have done a good job of shedding many operational responsibilities", but I think this is key to answering your question. We at IREC find that CISOs claim the opposite, with more and more claiming ownership of operations: http://irec.wordpress.com/2009/08/20/should-cisos-own-operations-or-just-policy/ . The disconnect between what you said and what they say comes down to what comprises "operations." Security functions are increasingly taking hands-on ownership of complex aspects of operations (which cannot be automated), while devolving the easily automated to the infrastructure function. So, there have been gains from automation (and standardization, etc.), but they quickly fade from Security's view. This is because the security function is specialized in this sort of complexity, and as such, will probably never really benefit from automation.

re: Note To CISOs: Be the Automator, Not The Automated

To us, as we try to figure out for our clients when is the right time to automate or just streamline the application workflow, we always end up finding out that this has more to do with an organization's culture than anything else. Without the company understanding how compliance fits in the business, it often becomes the reactive action many people see. I was listening recently to Pixar's co-founder Ed Catmull talking about risk management for his organization and he said something that really struck a chord with me. He said, "We're supposed to be taking risks. We don't think of risk management as minimizing risk (that's how creativity dies) and instead to do risky things and when they do in unexpected ways, figure out ways to respond to it." That's a choice their organization has made about its culture that defines it. We believe all organizations (whether creative or not) should be asking themselves the same question. The rest falls into place.

re: Note To CISOs: Be the Automator, Not The Automated

To Jeremy: We do see CISOs shedding some operational responsibility, but certainly not all. I think the key is, as you allude, where in particular they still own the operations. It's not necessarily complex areas, but rather those that are less mature (which is correlated with complexity) and that peer IT functions are not comfortable assuming responsibility for. For example, we find many CISOs still have operational responsibility for identity and access management (although that's a fascinating topic unto itself) and application security, and are ramping up on operational responsibility for data security trends. It's the infrastructure (network, server, desktop, etc.) where there is the highest portion of offload. In fact, in our Q3 survey of ~700 security execs we found that at least 23% were “fully responsible” for all security operations. But in areas like technical infrastructure security, 43% are fully responsible for the operations – but this is trending downward year over year. So with that said, I do agree with the conundrum that things that can be easily offloaded are those most suitable for automation. However, I still maintain that CISOs need to focus on efficiency and determine what can be further automated. For example, we see a big resurgence in IAM deployments with automation as the driver, even though security groups own it. Why are other provisioning and policy enforcement areas not seeing equal traction in automation? Why is IT risk management (clearly still a CISO topic) still a highly manual art?

re: Note To CISOs: Be the Automator, Not The Automated

To Brad: Great comment regarding culture. We did a pretty deep dive on how information security and risk programs differ (for example: do they tend to differ by industry, size, geography, organizational reporting structure, etc.). We found that company culture – especially towards security and risk – was the second most important factor, right behind how heavily regulated the company is. It far eclipsed size and even geography in terms of importance. Perhaps therein is the key to automating. Figure out how much the individual users are willing to take on and automate by offloading responsibility to them! This coincides with the fact that user awareness and training is still one of the top perennial CISO concerns.

re: Note To CISOs: Be the Automator, Not The Automated

Also, @rybolov on Twitter pointed me to SCAP: http://scap.nist.gov/. Not sure if anyone has any opinions on the traction and value of the protocol relative to our discussion.