Security Think Tank: Automation requires management, monitoring, governance

What is the best approach to automating information security?

There are many tools that professionals can use to automate information security processes. These tools and processes include antivirus, firewalls, security/network event logging, intrusion detection and vulnerability scanners, self-service password systems, identity and access controls, patching and many others. However, all of these require management, monitoring and governance.

Managing these tools/processes is time-consuming and can lead to human error. In spite of many organisations using automated security tools individually, there has been limited success at connecting multiple systems to provide a clearer view of information security across the enterprise.

The benefits of automation include less manual intervention, reduced overheads in managing applications and faster identification of vulnerabilities, threats and incidents. When considering automation, some initial steps include:

  • Obtain senior leadership/stakeholder support and budgets
  • Understand and classify the organisation’s most important information assets
  • Establish a baseline for existing (‘as-is’) controls
  • Identify gaps or deficiencies in the ‘as-is’ state and define the desired ‘to-be’ state
  • Develop tactical and strategic plans to address quick wins and a long-term vision
  • Create a prioritised list of controls to be automated.

It is important to note that when considering and applying the above steps, business risk should be at the foundation of each decision.

Common obstacles to automation include the human element, such as lack of awareness and a need for training and behavioural change. There are also challenges in recruiting new staff, or developing existing staff, with the appropriate skills and technical capability to manage automated systems.

There are a number of information sources available to help organisations – for example, the Information Security Forum (ISF) Standard of Good Practice (which highlights 118 control topics) and SANS 20 Critical Security Controls. These references can be used to baseline existing controls and identify opportunities for automation that can more effectively manage business risks.

Indy Dhami is a principal research analyst with the Information Security Forum (ISF).
