Setting the Right Pace to Embrace Automation
I’ve rewritten this intro countless times. Not because what follows isn’t important, but because I’m breaking my own rule – don’t have people with marketing titles write industry blogs. If you’re still here, I’d like to buy you a beer. When I stumbled into the information security industry, I loved it immediately — I found my people. But I also found that a lot of industry content, likely written by people like me, centered around ambiguous recommendations that weren’t necessarily wrong in their conclusions but lacked nuance, context, and quite frankly, value. Oh, speed is important to security? Especially now that a ton of companies prematurely adopted cloud technologies because of a global pandemic? You don’t say. (This isn’t the only challenge I’ve seen oversimplified, but it is the one that’s interested me most recently.)
I mean, it’s true that security teams protecting the cloud must move faster. However, this reality gives a lot of practitioners heartburn because, let’s face it, speeding up security is a challenge that’s exacerbated by the cloud — a less tangible and exponentially more accessible environment. And although security has no doubt accelerated and improved, it does not yet keep pace with the speed of DevOps.
Business users can’t – and won’t – slow down to accommodate traditional security practices. And that means traditional security practices must evolve by embracing automation. Although the buzzword “automation” is discussed broadly as serving one main purpose (i.e., to make machines do what humans have historically done manually), it will mean different things to different stakeholders. While company leaders take a 30,000-foot view, looking at automation through the lens of business ROI, assessing automation needs becomes more tactical as you get closer to operations. Security leaders like CISOs don’t necessarily focus on individual automated technologies the way practitioners do, but rather on how to accelerate response and improve the efficiency of protecting critical data. To meet the needs of the team and the business, security leaders are asking:
- Are there tools that can fill skills gaps on my team?
- How much time can the automation save me, so I can reallocate resources to problems better suited for humans?
The good news is that automation isn’t all-or-nothing. Implementing appropriate and trustworthy automation enables security teams to match the pace of activity in their cloud infrastructure. Ultimately, sustainable success requires alignment on how automation will be used.
Cultural Shifts to Secure Your Cloud
Cultural discussions around technological evolution face predictable resistance. “Culture” sounds squishy — sometimes viewed as trivial office politics that create bottlenecks and extra work. Yet when you are transforming business and technology, organizational culture is crucially important if the initiative is to succeed. Cloud computing is disrupting and transforming not only security, but business overall.
DevOps serves as a great example. DevOps isn’t a switch you flip that instantaneously reshapes how you develop and deploy software, nor is it a standardized methodology. Companies that built DevOps programs did so with intention, planning, and pacing. Adding automation to your security program — especially in the cloud — is similar. It doesn’t happen in a vacuum. It starts with and should be informed by cultural shifts and business requirements.
Automation Isn’t One-Size-Fits-All
Dev teams are moving faster, potentially creating more risk for the business. As such, security teams must consider how and where automation will make the most positive impact and mitigate risk. Can automation improve collaboration? Can it help simplify cross-functional communication? Where can it add context to help with prioritization? Can it take care of fixing issues found in the cloud?
Think about something like alerting the appropriate team members about security issues in the cloud. How much time is wasted trying to identify the right contact? Who is responsible for prioritizing which issues require immediate attention and which can wait? Who is empowered to actually make the changes? And if these processes aren’t in place, how much time could be saved by automating alerts that carry context and prioritization and are distributed automatically to the appropriate people?
Security automation should move in lockstep with the business, not the other way around. With a cloud security operations tool like DisruptOps, you can start with read-only cloud integration. Read-only enables you to leverage DisruptOps’s continuous monitoring, automated distributed alerting, and ticket creation without requiring elevated privileges. As your program evolves, you can add write permissions in the cloud accounts. This gives you the option to take single-click remediation actions directly in your cloud environment.
Automated, Not Automatic
Sweeping and unrealistic claims about security automation create frustration for those of us who understand the downside of automation gone awry. The truth is, whether a threat actor takes down something in your infrastructure or an automated security tool does, the outcome is the same — your stuff is down. How can you speed up security without inadvertently interrupting the business?
Since we have to view everything through the prism of the business, we need to evaluate risk to the business. When it comes to automation, here are a few things to think about:
- Assess and decide how your security needs to function in the cloud — you’re not building systems; you are protecting them. How does it need to work alongside DevOps?
- Plan your process and then figure out what you can accelerate with automation. Then evaluate how much risk your company will accept to achieve greater speed and effectiveness.
- In the cloud, security doesn’t typically own infrastructure, and the security team is rarely empowered to make changes. How can you remove friction between security and DevOps teams to get security issues fixed and fixed faster?
- Automation doesn’t have to mean automatic. Certainly not at first. How can it help you find and fix issues without surrendering all control to our new robot overlords?
If you take only one thing away from this, let it be this: automation is critical to security, but you can (and arguably should) embrace it at the pace that makes sense, considering your organization’s culture and risk appetite. If you take two things away from this, consider a cloud security operations tool that meets you where you are, whether it’s just communicating issues to responsible parties or automating the remediation of misconfigurations and attacks, or anywhere in between.