Security Think Tank: Humans still at the heart of information security

What is the best approach to automating information security?

At some point in history, people no longer had to place their clothes in washing tubs and then dry them on a line. There was the automatic washer. But did the washer separate the clothes, place them in the washer and wash them, then take them from the washer to the dryer and dry them?

Let us now transition to automated information security and realise that no application currently exists that will automatically secure your computer, network or general infrastructure. 

The best you can hope for is for an application to monitor your security, ensuring that your infrastructure is secure at any given moment. But at the heart of this is the human being. Monitoring is one thing; correcting is another. 

At one point, there were network monitoring tools that could control the services on the operating system, page the operator, and even correct some errors. But, as a person who relied on these systems daily for infrastructure stability, I found it was the operator that did most of the job. 

In spite of automated systems – that is, systems that monitor the security of the machines – there is nothing that can substitute for 24/7 human interaction with the machine. The best tools to use to help the human operator would be those that monitor the major functions of the machine. These include the operating system services, user access, and any malware that should be in the periphery ready to enter the main OS.

Tools like this exist, using a hybrid of anti-virus and network monitoring. However, these are still best used in conjunction with human intervention. 

The reason that business is not reliant on so-called “automated” processes is that the automated process has no stake in the outcome. I once worked for a business that could lose $10,000 of profit every minute when the IT system went down. Unless an automated security company is willing to compensate the business for that loss, including the loss of reputation, the usefulness of the automated process is no longer worth the cost. 

When a company is no longer reliable, it does not matter if the automated security process can repay the company – can it rebuild reputation? So, the question is this: “Can an automated security process replace a human who has a stake in the reputation of the company, and will be irreversibly hurt should that reputation be damaged?” The answer is no.

Chris Greco is a member of (ISC)2 and has been an IT project manager in the US federal government and private industry

Read more on Hackers and cybercrime prevention