Weissblick - Fotolia
I’m all in favour of good process. Process makes life easier and increases efficiency – who doesn’t want that? I’m also in favour of getting things right and making sure the process has been clearly and carefully risk assessed, planned and tested before it is documented. Only then does it stand a chance of becoming automated successfully.
The key fly in the ointment of automating security basics I can see is that there is widespread evidence pointing to a lack of security basics in many organisations. Look at VTech and TalkTalk. Or the vulnerability found in Cisco routers that was largely unaddressed by users. It is common place, according the National Cyber Security Centre (NCSC), for vulnerabilities well over a year old to be exploited in attacks, and we are talking about automating basic security processes?
So let’s talk about process engineering. Basically, there is no point documenting what you are doing, unless you know for a fact what you do is the best possible process because you could be documenting bad practice. Once you have created that process, then that bad practice becomes the embedded process, which then becomes part of your “automated basics” set. Potentially, you have created even more vulnerability.
Now, of course I would never suggest that once you think you have a process right, that you should leave it, as if cast in stone. It needs to be reviewed regularly and potentially refined, as the threat landscape changes. But having to wholly re-engineer a process to correct it once in place, is a much bigger task than regular maintenance and review checks.
I have significant concerns about organisational laziness. My perception, based on experience as well as what I read every day in the news, is that the main desire is to do things easily or with as little effort or investment as possible.
The route of least resistance is only that. It is not the route to success, and nor will it stop an organisation from falling off a security cliff. Automating that kind of attitude is not going to help.
Furthermore, I do worry about masking another issue. I hope this is not ultimately a smokescreen when it comes to investing (or not as the case may be) in the next generation of security practitioners; instead of meeting the challenge of the skills gap.
Read more about security automation
- How can organisations evolve their security operations teams to do more automation of basic tasks and cope with dynamic IT environments?
- The UK government is starting to put bodies behind its AI commentary as two departments announce job roles.
Are we trying to hide it with this kind of solution? The skills shortage needs addressing, period. While automation could be great, it would be a sticking plaster on the broken limb that is the skills gap.
In summary, I agree that automation as a way of streamlining of security processes can be of benefit to an organisation, but only once you know your basic security processes are good enough to start with. As always, buyer beware of any technology suppliers offering you those magic beans. Invest in haste and you may well regret it for a long time to come.