- Forrester Councils
- Councils Overview
- log in
Posted by Robert Whiteley III on December 2, 2009
I’d like to take a small commercial break from your regularly scheduled security & risk programming to bring you the following observation . . .
I was recently in a client session with one of our great infrastructure & operations (I&O) analysts, Glenn “Automation” O’Donnell. His research on IT automation is extremely interesting — both tactically (advice for improving IT operations) as well as philosophically (a call to arms for IT professionals to update their skill set — or risk obsolescence).
Anyway, in this session Glenn made a great observation: IT is at a key inflection point in 2009 and it’s never going back. He was distilling the result of three IT macro-level events colliding:
But the big takeaway form me was automation. It’s the main ingredient in transforming information technology.
And now as we return to our regularly scheduled security & risk programming I’d like to pose the following question: What is automation doing for information security? My take: Not much.
Sure, we see pockets of automaton in information security. I’ve seen:
I’m sure I could come up with more if I dug a bit deeper, but it seems to me that the majority of examples I do come up with either focus on monitoring (which isn’t a particularly powerful automation concept) or build on infrastructure and operations automation, as with BC/DR.
So why isn’t automation more prevalent in information security? I recently posed this question on twitter and @dbanes responded with “Probably 'cause it's nearly impossible to automate solutions to manually crafted attacks.” Good point, but I still think information security is a service-oriented function, much like infrastructure & operations. I would expect to see a lot more automation to tackle inefficiencies around security policy management, metrics and reporting, rights management, etc.
I’ll leave you with a pearl of wisdom from Glenn: “Be the automator, not the automated.” Although CISOs have done a good job of shedding many operational responsibilities, there are still a lot of lessons to be learned from other IT disciplines on how automation can produce a leaner, more efficient information security organization.
Am I missing something? Let me know your thoughts on automation and when and how it applies to information security practices.
[posted by Robert Whiteley]
Lead BT Transformation
Develop customer-obsessed strategies to drive growth »
Forrester's CX Index
Predict how actions to improve CX will affect revenue performance.
Measure the customer experiences that matter most »
Free On-Demand and Live Events
Latest events from Forrester analysts, online and in person. »