Why SecOps automation needs a mission statement first
- By Chris Calvert
- May 01, 2020
Automation is touted as the holy grail of security operations, promising to fundamentally alter how we manage, analyze and execute. Government agencies with limited budgets competing for cybersecurity professionals are looking to automation to keep pace with the escalating number and complexity of cyberattacks.
Even though agencies realize historical approaches to SecOps are no longer enough, many hurdles remain to achieving effective automation. They can fall into the trap of thinking an automation strategy means deploying more platform technology or generating huge volumes of data. Instead, they must define far more precisely what they want automation to do before they can do it properly and gain ground from it. Otherwise, they will fall further behind and create more work.
Most organizations have barely started their SecOps automation efforts, but government is well positioned to succeed because agencies understand what it means to have a public mandate. Successful automation requires a “mission focused” mindset, not an engineering one.
Automation platforms create more work
SecOps automation is uncommon in any industry, but government has recognized it must reduce manual tasks to meet the needs of citizens while spending taxpayers' dollars more wisely. Unfortunately, what little automation has found footing in the public sector is platform-based and devised by engineers for engineers.
That’s not true automation.
The current platform-based paradigm fails because it means agencies must hire engineers who are versed in proprietary technologies to deploy and manage yet another platform, along with all the daily activities that come with it: documentation, writing rules, developing best practices and creating playbooks. Government agencies end up competing with the private sector for security talent and risk dependence on a proprietary platform that may not exist several years from now. And as with all tech solutions, these platforms are rarely used to their full extent, which means the agency never benefits from their full capabilities.
All this platform automation adoption actually puts agencies further behind and grows the labor curve instead of reducing it. Further compounding the problem is that automation platforms generate reams of granular data that end up exacerbating the labor shortage because agencies then need people who know how to turn data into knowledge -- automation platforms don’t automatically do this.
True automation and full transformation of SecOps needs a vision that’s more than adding tools and data streams and recognizes the constraints and strengths of public-sector organizations.
SecOps automation means working out which decisions must be made by a person and which can be made autonomously. Ending up with a single macro-decision rather than 30 micro-decisions requires a rigorous understanding of how current processes work and whether, and how, each step can be automated.
Product managers building and selling platforms don't have that understanding, yet they are the ones designing how these automations will work, based on an idealistic view of what goes on in a security operations center -- a view that often doesn't reflect reality.
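To make the "one macro-decision instead of 30 micro-decisions" idea concrete, here is an added illustration (example code written for this page, not code from the author or from Respond Software). It groups raw alerts into one incident per host, records each explicit micro-decision (allowlisted signature, vetted indicator match, number of distinct behaviours, detector confidence) as a scored reason, and then makes exactly one macro-decision per incident: close automatically, contain automatically, or hand to an analyst. The rule for who decides is the part a mission statement has to settle: an autonomous action is taken only when the evidence is strong and the blast radius is small, while critical assets and ambiguous evidence always go to a person. The asset tiers, allowlist, thresholds and sample alerts are all assumptions constructed for the example.

```python
"""Triage policy illustration: many micro-decisions folded into one macro-decision per host.
Added example, not the article's or any product's code; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    signature: str
    ioc_match: bool      # matched a vetted known-bad indicator
    confidence: float    # the detector's own confidence, 0.0 to 1.0


# Assumed asset inventory: tier 1 = mission-critical, tier 3 = commodity endpoint.
ASSET_TIER = {"dc01": 1, "fileserver2": 2, "kiosk-17": 3, "laptop-042": 3}

# Signatures an analyst has already ruled benign in this environment (assumed).
KNOWN_BENIGN = {"scanner-noise", "backup-agent-psexec"}


def score_incident(alerts):
    """Micro-decisions: each adds to an evidence score and records its reason."""
    reasons = []
    score = 0.0
    distinct = {a.signature for a in alerts} - KNOWN_BENIGN
    if not distinct:
        reasons.append("all signatures on the allowlist")
        return 0.0, reasons
    if any(a.ioc_match for a in alerts):
        score += 0.6
        reasons.append("vetted IOC match")
    score += min(0.3, 0.1 * len(distinct))       # several distinct behaviours on one host
    reasons.append(f"{len(distinct)} distinct non-benign signatures")
    best = max(a.confidence for a in alerts if a.signature in distinct)
    score += 0.4 * best
    reasons.append(f"max detector confidence {best:.2f}")
    return min(score, 1.0), reasons


def decide(host, alerts):
    """Macro-decision: who acts, based on evidence strength and blast radius."""
    score, reasons = score_incident(alerts)
    tier = ASSET_TIER.get(host, 1)               # unknown asset: treat as critical
    if score < 0.2:
        reasons.append("weak evidence: closed without human review")
        return "auto_close", score, reasons
    if score >= 0.8 and tier == 3:
        reasons.append("strong evidence on a commodity asset: contained automatically")
        return "auto_contain", score, reasons
    reasons.append(f"asset tier {tier} or ambiguous score: a person decides")
    return "human_decision", score, reasons


def triage(alerts):
    """One macro-decision per host, however many alerts fired on it."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    return {host: decide(host, host_alerts) for host, host_alerts in by_host.items()}


# Constructed sample: 33 alerts across four hosts, 30 of them on one kiosk.
SAMPLE_ALERTS = [
    Alert("kiosk-17", "credential-dump", True, 0.9),
    Alert("kiosk-17", "outbound-c2-beacon", True, 0.8),
    *[Alert("kiosk-17", "suspicious-powershell", False, 0.5) for _ in range(28)],
    Alert("dc01", "credential-dump", True, 0.9),
    Alert("laptop-042", "scanner-noise", False, 0.3),
    Alert("fileserver2", "suspicious-powershell", False, 0.4),
]

if __name__ == "__main__":
    for host, (action, score, reasons) in triage(SAMPLE_ALERTS).items():
        print(f"{host}: {action} (score {score:.2f}) <- {'; '.join(reasons)}")
```

Thirty alerts on the kiosk become one contain decision that no analyst has to touch; the single credential-dump alert on the domain controller scores just as high but goes to a person because the cost of a wrong containment there is what the agency's mission has to weigh; the file server's lone low-confidence alert is ambiguous and also goes to a person; the scanner noise is closed. The reasons list is what makes the macro-decision auditable afterwards.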
True SecOps automation requires a different mindset
Security encompasses risk reduction, third-party risk, security controls and policies, implementations and audits. Automation, including its tools and techniques, touches all of them. Although government agencies have their own sets of challenges, what SecOps must achieve is no different in government than elsewhere.
To effectively automate SecOps, agencies must be clear on the role they play in security. It often boils down to "thumping the bad guys" and making sure bad things can't happen again, or ideally, at all. They catch the criminals, get them out of the organization and make sure they can't come back. Sounds much like a mission statement, doesn't it?
Unlike an engineering mindset that fosters a platform approach, a SecOps mindset requires a mission statement as the foundation for automation and operations. Yes, tools and data are important to executing the mission, but they shouldn't increase the labor curve. Rather, they are part of an inclusive mission statement that helps close the gap between when something pops up on the radar and when the correct business decision is made. The mission has nothing to do with implementing an automation platform. It should be making sure the threat timeline -- from the moment a potential security incident is detected to the point where it is fully remediated and the entire agency is confirmed to no longer be vulnerable to that attack -- is as short as possible.
Government agencies are all about mission statements and mandates. They are essential for making sure services are delivered effectively and on budget. They also help define how things get done. Agencies must define their SecOps mission statement so they can achieve true automation and more effective security operations, regardless of technology platforms and data streams, and so deliver on the mandate to "thump the bad guys."
Chris Calvert is co-founder and CTO of Respond Software.