Modern security teams are facing more threats than ever, as well as more pressure to provide business value. Katell Thielemann, VP Analyst at Gartner, tells us why it’s so important that CISOs consider automation tools to balance security with efficiencies.
Security and risk leaders must explore automation to provide increased business value and maintain security standards.
When Amy, the CISO of a healthcare provider, looked at cloud security across the enterprise, she realised the default access control models were creating a variety of access issues. BeWell’s Infrastructure-as-a-Service (IaaS) providers defaulted to a secure state, allowing only the owner access.
On the flip side, Software-as-a-Service (SaaS) providers defaulted to totally open access. With multiple clouds in use, it would be impossible for Amy to manually relax permissions for IaaS and ensure adequate controls for SaaS. The solution? Automation.
No longer are we asked a singular question, ‘how are you providing security and managing risk?’. We are now asked a more complex question, ‘how are you helping the enterprise realise more value while assessing and managing risk, security and even safety?’. The best way to bring value to your organisation today is to leverage automation.
The impact of automation
Automation is already impacting the world in two ways, first, as an enabler to the security and risk function and second, as new security frontiers that need to be acknowledged and understood.
As pieces of the business begin to adopt emerging technologies ranging from the cloud to Blockchain to digital twins and immersive technologies, CISOs like Amy will find themselves overwhelmed with priorities.
According to Beth Schumaecker, Director, Advisory, Gartner, “Other business units are likely building solutions without consulting those of us in security. This means they are making technology-related choices every day, often without realising the risk implications of what they are doing.
“The consequences of these business choices – choices over which we have no control and do not always see – can be huge, especially as the potential for digital business continues to grow.”
As Digital Transformation alters security needs and necessary skill sets and competencies, it creates new talent gaps that are difficult (if not impossible) to fill.
Automation in the business
Many automation tools are ad hoc; others formally automate key parts of a process. Some tools use one technique, while other types of automation utilise a handful of techniques. For example, robotic process automation is best suited to task-centric environments and predictive analysis that uses predictive modelling, regression analysis, forecasting and pattern matching to answer the ‘what is likely to occur’ question.
Some companies will use automation to reduce costs, standardise or increase productivity. Others will use it to improve the quality and consistency of risk controls, while reducing error caused by humans. Organisations will also use automation to increase speed or agility.
CARTA is a key enabler
Regardless of how automation is being used, security and risk leaders can no longer depend on traditional security approaches. Continuous adaptive risk and trust assessment (CARTA) is a strategic approach to security that acknowledges there is no perfect protection and security needs to be adaptive, everywhere, all the time.
“We need to consciously take an adaptive approach to automation that minimises the risks to our organisation while helping it reap the rewards,” according to David Mahdi, Senior Director Analyst, Gartner. “We must balance risk and trust adaptively to navigate our place on the automation continuum in order to deliver value.”
Automation does add risk. For example, algorithms can include implicit and explicit bias by a creator, or algorithms on untrusted operating systems could be unknowingly controlled by outside parties.
Any automation choice must be conscious and adapted to the current situation, as well as adaptable to the future.
But, if done correctly, automation can also be hugely beneficial to the security team and business.
Deliver value with automation
Security and risk professionals must deliver value using automation in three areas: Identity, data and new product or service development.
Identity is the foundation for all other security controls
Decisions regarding identity should always remain within the control of security and risk teams. This becomes even more important as businesses increasingly move to cloud environments. As systems and companies become more complex, relying solely on multiple passwords for identity confirmation becomes difficult and risky.
Consider using an intelligent risk engine to automate certain parts of the process. A CARTA approach to identity will be key to ensuring that the risk engine isn’t too relaxed or restrictive, but also works for the user.
Data is where much of enterprise value resides
Businesses are data generation powerhouses. Failing to protect and watch data can be costly – and can, in fact, harm an organisation’s value.
Review the access control models for any Infrastructure-as-a-Service and SaaS applications and consider using a cloud access security broker (CASB) to identify and classify data and files. Use a CASB in combination with enterprise digital rights management to extend controls over the entire enterprise, regardless of where the data lives.
New products or services development is a focus for companies
Companies are developing new products and services to gain competitive edge and are leveraging emerging technologies, which are highlighting new business opportunities. With an increasing need to go to market faster, DevOps processes can run afoul of security protocols. Automation can help achieve the ultimate goal of DevSecOps, where security is built into the beginning of the process with no negative impacts.
Consider automation options such as interactive application security testing, a machine-based solution that enables you to observe the behaviour of an application from the inside. Your team can then piggyback security testing onto the quality assurance testing and avoid using a single security test case.
Within these mission-critical priorities, security and risk management leaders must prioritise what they want to handle, what other teams can reasonably do and what doesn’t warrant time or attention. Security teams must also consider how automation can be integrated into systems and how it can reasonably be used within a CARTA approach to security.
“To orchestrate and champion value protection and empower value creation, our job is to recognise and manage the tension, and find our place on the automation continuum,” Mahdi added.
Click below to share this article