Build an Automation-First Security Culture
When you think about how to automate processes within the IT industry, your mind probably goes first to tools. After all, the past decade has witnessed an explosion of tools from across the industry that promise to make it easy to automate virtually every aspect of IT operations — from low-code development solutions that automate coding, to release automation tools for applications, to automated monitoring and security platforms.
Yet on their own, tools only get you part of the way to automation. To embrace automation completely, you also need to build it into your culture.
And while building an automation-first culture may seem simple in general, it can be particularly challenging within certain niches of the IT industry, especially security, whose special complexity and distributed nature make it hard to ensure that everyone involved in security makes automation a priority.
Fortunately, that problem can be solved, but it requires investments that go beyond security automation tooling. Here’s why building an automation-first security culture is critical, and how to do it.
The Importance of Security Automation Culture
In general, the benefits of an organizational culture that prioritizes automation are obvious enough to anyone who has worked in the IT industry for any length of time. Automation saves time and money. It also tends to make workers happier because it lets them automate away tedious tasks so that they can focus on more interesting and meaningful endeavors.
When it comes to security, however, an automation-centric culture is especially important. More so than in most other domains of the IT world, automation plays a vital role in enabling the core goals of security operations:
- Real-time response: In the world of security, real-time detection and remediation of threats is often the difference between a non-incident and a major breach. In other domains, real-time action is a nice-to-have feature, but often not a vitally necessary one.
- Large-scale threat management: With about 300,000 new instances of malware appearing every single day, automation is the only way that teams can have a hope of staying ahead of all of the potential threats they need to detect and manage.
- Doing more with fewer employees: The cybersecurity industry faces an acute shortage of qualified experts, which means security teams are under special pressure to do more with smaller staffs. Automation helps them stretch limited personnel resources.
To put this another way, you can’t run any kind of effective security operation today if you don’t lean very heavily on automation. In this respect, security stands apart from other IT domains, like software development and even application performance management. You can probably get away with writing code manually and responding to application outages manually. But good luck trying to stay on top of modern security threats without extensive use of automation.
Why an Automation-First Security Culture Is Difficult to Build
Despite the centrality of automation to effective security, making security automation a cultural priority often proves especially difficult.
One reason is that security is not a single entity within the organization. It’s an array of different units and processes — application architecture, risk assessment, security posture management, incident response, and so on. Some of these entities overlap with other parts of the IT organization, like development and IT operations. Others may align with standalone teams, like security analysts and security operations.
At the same time, security is subdivided into subdomains. You have endpoint security, network security, data security, and on and on.
What this means is that security ends up being a highly distributed — indeed, even siloed — entity by default. That makes it difficult to build a unified culture across all the teams and processes that play a role in security.
A second challenge is that, because security is usually seen as an elite domain that only highly skilled analysts can handle, there is often a special reluctance on the part of security personnel to embrace automation too extensively. They may worry that outsourcing their jobs to security automation tools will lead to the elimination of their positions, or at least decrease investment in security teams.
On top of all of this, there is the challenge that security problems are often especially complex in nature, and can’t be reliably (or responsibly) solved by automation tools alone. It’s one thing to automate, for example, application deployment, which is relatively predictable and low-risk. But organizations tend to be reluctant to entrust the management of unique, high-stakes security incidents to automation tools.
Steps Toward Building an Automation-Centric Security Culture
Overcoming these challenges to achieve a security culture that prioritizes automation starts with embracing the strategies that encourage automation culture in general. De-silo teams. Align automation tools with business goals. Encourage agility and experimentation within the organization.
But for building a culture of security automation in particular, there are extra steps to take. One is to identify and implement security automation tools that all teams can share. An example is low-code or no-code policy frameworks that various stakeholders — security analysts, developers, IT teams, and so on — can use to define security workflows that require collaboration across teams. Shared security tooling goes further toward achieving a shared culture of automation than do security automation tools that only security engineers would typically use, like a SIEM.
At the same time, it’s important to adopt automation tools that, even as they lay the groundwork for automated workflows, still allow the agility and flexibility required for teams to handle each security risk uniquely. This is the key to getting buy-in from security engineers who worry that automation tools will take away their jobs, and from CTOs who may be concerned that automation tools aren’t sufficient to handle complex security threats.
Finally, consider implementing automation tools that help stakeholders figure out how to react to a security incident, rather than tools that automate the reaction for them. Tools that provide guidance and context can help humans and machines live comfortably side by side, and minimize worries that automation is taking over.
Automation is valuable across the IT industry in general, but perhaps nowhere is it more critical than in the realm of security. And while embracing security automation as a cultural priority can be challenging due to the highly complex and highly distributed nature of security processes, organizations can square this circle by adopting flexible security automation tools that support, rather than compete with or threaten to replace, the various teams of human engineers who help manage security risks.