Note To CISOs: Be the Automator, Not The Automated

Forrester

Dec 2 2009

Rob Whiteley

I’d like to take a small commercial break from your regularly scheduled security & risk programming to bring you the following observation . . .

I was recently in a client session with one of our great infrastructure & operations (I&O) analysts, Glenn “Automation” O’Donnell. His research on IT automation is extremely interesting — both tactically (advice for improving IT operations) as well as philosophically (a call to arms for IT professionals to update their skill set — or risk obsolescence).

Anyway, in this session Glenn made a great observation: IT is at a key inflection point in 2009 and it’s never going back. He was distilling the result of three IT macro-level events colliding:

Business Technology (BT) architecture redefining how we define IT services
Cloud computing and virtualization redefining how we build IT services
Automation and ITIL redefining how we run IT services

But the big takeaway form me was automation. It’s the main ingredient in transforming information technology.

And now as we return to our regularly scheduled security & risk programming I’d like to pose the following question: What is automation doing for information security? My take: Not much.

Sure, we see pockets of automaton in information security. I’ve seen:

GRC. Enterprise GRC platforms help automate risk and compliance management. They build on one of the key tenets of automation: visibility across silos of information and assets.
Security operations. Tools like firewall management and security information management (SIM) help automate monitoring and maintenance of basic security operations tasks.
Business continuity. Many organizations have automated disaster recovery processes. For example, mission critical systems automatically failing over from a primary to secondary data center.

I’m sure I could come up with more if I dug a bit deeper, but it seems to me that the majority of examples I do come up with either focus on monitoring (which isn’t a particularly powerful automation concept) or build on infrastructure and operations automation, as with BC/DR.

So why isn’t automation more prevalent in information security? I recently posed this question on twitter and @dbanes responded with “Probably 'cause it's nearly impossible to automate solutions to manually crafted attacks.” Good point, but I still think information security is a service-oriented function, much like infrastructure & operations. I would expect to see a lot more automation to tackle inefficiencies around security policy management, metrics and reporting, rights management, etc.

I’ll leave you with a pearl of wisdom from Glenn: “Be the automator, not the automated.” Although CISOs have done a good job of shedding many operational responsibilities, there are still a lot of lessons to be learned from other IT disciplines on how automation can produce a leaner, more efficient information security organization.

Am I missing something? Let me know your thoughts on automation and when and how it applies to information security practices.

[posted by Robert Whiteley]

Get The Insights At Work Newsletter

Country*

Yes, I’d like to receive Forrester’s Insights At Work newsletter and receive occasional survey invitations and marketing communications.

Thanks for signing up.

Stay tuned for updates from the Forrester blogs.

Categories

Get The Insights At Work Newsletter

Thanks for signing up.

Don’t Miss Our 2024 Predictions Deep Dive

Hear directly from the tech, CX, and B2B analysts behind our 2024 global predictions and get an important generative AI update from Forrester’s CEO, George Colony.

Introducing The Sustainability Management Software Landscape Report And Forrester Wave™ Evaluation

Introducing The Forrester Wave™: Workday Services, Q2 2024

Get The Insights At Work Newsletter

Thanks for signing up.

Help Us Improve