There are two recurring themes in security that we continue to discuss, debate and, quite frankly, struggle with—automation and the talent gap.
I’ve written about both topics from many angles and now, as the industry becomes more focused on automation as a cornerstone of effective security, the secret to making meaningful progress in both areas is to leverage the symbiotic relationship between them. In other words, using automation to make your people more efficient, and using your people to make automation more effective. It requires a balanced approach where repetitive, low-risk, time-consuming tasks are prime candidates for automation, while human analysts take the lead on irregular, high-impact, time-sensitive investigations with automation simplifying some of the work.
The good news is that senior cybersecurity professionals at companies in the U.S., U.K. and Australia say they have become more confident in automation over the last year, with 84% reporting (PDF) some level of trust in outcomes versus 55% last year. However, challenges with implementing automation persist, including technology complexity (21%), skills shortages (17%) and a lack of management buy-in (17%).
Complexity: Most organizations have numerous security teams, each with their own set of security technologies from different vendors, and they bring in their own third-party data and intelligence sources. Overlaying automation on a heterogenous environment compromised of multiple legacy toolsets is a huge integration and management challenge. A fear of breaking something or being burned when machines quarantine a system or block a port on a firewall in error can be showstoppers for many teams considering security automation.
Skills shortages: Related to complexity is the skills shortage which, exacerbated by the pandemic, grew by 26.2% (report) over the past year. Organizations don’t necessarily have the expertise to identify where to apply automation and how to deploy and use it to accelerate and simplify certain tasks and processes. While intellectually we know that automation is a key component to enhance productivity, increase retention and reduce burnout of analysts, it’s hard to figure out how and where to start and find tools that simplify setup and use.
Lack of buy-in from management: There is a disconnect between CISOs and their teams in terms of organizational maturity and the ability to reap the full value of automation. Despite rolling up to the same person, teams typically have their own budgets, areas of responsibility and priorities. These silos make it extremely difficult to get the financial investments and make the structural and cultural changes needed to implement automation cross-functionally.
So how we do get to a state where we are improving the effectiveness and efficiency of cybersecurity automation and your scarce, highly skilled human resources? Here are three recommendations:
1. Simplify complexity and address skills shortages by adopting cybersecurity automation platforms with low- or no-code interfaces. Solutions that provide choice of no code through a simplistic playbook builder, as well as the option to code using standard formats like JSON or YAML to support more advanced requirements, can make automation accessible to a range of users with varying skill sets. When skills are not available or cannot be developed in-house, look to Managed Security Services Providers (MSSPs) or Managed Detection and Response (MDR) providers who place importance on cybersecurity automation to manage high volumes of data and alerts on behalf of customers and to leverage insights rapidly and effectively.
2. Remember that automation spans a spectrum from simple, atomic-level tasks to complex, multistep playbooks with built-in decision logic. It’s important to choose a cybersecurity automation platform that offers an easy entry point and at the same time accounts for the full range of use cases and requirements as your program matures. For instance, starting with automating discrete actions that are executed directly or from a simple playbook, such as the creation of a ticket or an investigation based on certain event criteria or data-driven thresholds being met so that analysts can work more efficiently. However, when events are not obviously bad, workflows can be adjusted so that an analyst can review the event details. Should they determine there is some action to take, specific actions can be launched automatically, such as blocking all outbound requests to a bad URL that this hosting malware and launching a scan of all systems that have visited it.
3. Gain management support for automation by defining clear metrics for success and measuring progress along the way. Automating time-consuming tasks drives measurable security gains. Using spear phishing as an example, quantitative metrics may include time to triage, attribute and protect against spear phishing attacks. However, automation is arguably an equally important benefit for employee well-being. So, balance the quantitative impact with qualitative factors including employee satisfaction and retention to assess the ROI of automation programs. By allowing automation to shoulder the burden of manual monitoring, identification, triage, and prioritization, analysts can focus on more rewarding higher value activities. This reduces the prospect of burnout or boredom and eliminates the risk of errors resulting from either state. In an employment market where retaining employees is becoming a core challenge and the cost of churn in security teams is significant, using automation to make life more fulfilling is paramount.
When we start to consider the human element of the security automation equation, and its impact on the automation capabilities we select and how we measure progress, we can accelerate automation initiatives and the benefits we derive. Next time we’ll look at the other side of the security automation equation: implementation.
Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.Previous Columns by Marc Solomon:Tags: