Rob Whiteley

I’d like to take a small commercial break from your regularly scheduled security & risk programming to bring you the following observation . . .

I was recently in a client session with one of our great infrastructure & operations (I&O) analysts, Glenn “Automation” O’Donnell. His research on IT automation is extremely interesting both tactically (advice for improving IT operations) as well as philosophically (a call to arms for IT professionals to update their skill set — or risk obsolescence).

Anyway, in this session Glenn made a great observation: IT is at a key inflection point in 2009 and it’s never going back. He was distilling the result of three IT macro-level events colliding: 

  • Business Technology (BT) architecture redefining how we define IT services
  • Cloud computing and virtualization redefining how we build IT services
  • Automation and ITIL redefining how we run IT services

But the big takeaway for me was automation. It’s the main ingredient in transforming information technology.

And now as we return to our regularly scheduled security & risk programming I’d like to pose the following question: What is automation doing for information security? My take: Not much.

Sure, we see pockets of automation in information security. I’ve seen:

  • GRC. Enterprise GRC platforms help automate risk and compliance management. They build on one of the key tenets of automation: visibility across silos of information and assets.
  • Security operations. Tools like firewall management and security information management (SIM) help automate monitoring and maintenance of basic security operations tasks.
  • Business continuity. Many organizations have automated disaster recovery processes; for example, mission-critical systems that automatically fail over from a primary to a secondary data center.

I’m sure I could come up with more if I dug a bit deeper, but it seems to me that the majority of examples I do come up with either focus on monitoring (which isn’t a particularly powerful automation concept) or build on infrastructure and operations automation, as with BC/DR.

So why isn’t automation more prevalent in information security? I recently posed this question on Twitter and @dbanes responded with “Probably 'cause it's nearly impossible to automate solutions to manually crafted attacks.” Good point, but I still think information security is a service-oriented function, much like infrastructure & operations. I would expect to see a lot more automation to tackle inefficiencies around security policy management, metrics and reporting, rights management, etc.

I’ll leave you with a pearl of wisdom from Glenn: “Be the automator, not the automated.” Although CISOs have done a good job of shedding many operational responsibilities, there are still a lot of lessons to be learned from other IT disciplines on how automation can produce a leaner, more efficient information security organization.

Am I missing something? Let me know your thoughts on automation and when and how it applies to information security practices.

[posted by Robert Whiteley]