Security Automation: A CISO Survival Kit
Security automation – the automatic handling of security operations tasks without human intervention – has gained a lot of attention in recent years, and for good reason. Despite the many upskilling and reskilling programs launched to close the massive cybersecurity skills gap across the world, the results have been minimal. While some fear that security automation will eat away at the jobs of security professionals, a new report by the Ponemon Institute clearly demonstrates that, despite the rise of various security automation tools in the market, cybersecurity still needs humans.
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, believes, “Automation is not a quick, fix-all solution to all your security needs.” This also brings fresh perspectives on the changing role of security leaders, or CISOs, who increasingly see security automation as a means to deliver tangible benefits and results.
Need for security automation
There are currently 2.93 million unfilled cybersecurity positions globally, according to an (ISC)2 study. One of the major contributors to the widening skills gap is the speed at which the threat landscape is evolving, driven by the enterprise's growing adoption of digital technologies. With the skills shortage at crisis point, the study shows, the need to automate security becomes apparent.
In past years, security professionals were extremely worried that automation would cut headcount in the IT security function. The latest report finds that CISOs still anticipate automation will reduce IT security headcount, but not that it will replace human expertise, even as adoption of automation tools for cybersecurity increases. In fact, the study sees a renewed focus on the importance of the human role in security, especially in the roles and responsibilities of security leaders or CISOs.
Automation will not replace humans
According to the report, 74% of respondents agree that automation enables IT security staff to focus on more serious vulnerabilities and on overall network security, and 54% believe automation will never replace human intuition and hands-on experience. In fact, three-fourths of security leaders say that automation is not capable of certain tasks currently done by IT security staff.
“Automation is already improving the productivity of security personnel across industries. However, the human factor remains the most important player in information security,” says Corin Imai, Senior Security Advisor, DomainTools, the research partner with Ponemon Institute. He says, “Automation will never fully replace human intuition and expertise, and those that become experts in deploying and managing automation solutions will have a new valuable skill set for many years to come.”
Ponemon sees the adoption of automation becoming more mainstream, improving the effectiveness and efficiency of IT security staff. But instead of eliminating roles, it is likely to consolidate existing ones. This means better opportunities for CISOs and security professionals to scale up their current skills and create more value-added roles, as the human side of security remains as important as ever.
So, what are the key takeaways for CISOs from the study?
- The CISO should take on the role of “coach”. The primary driver of this is a demand to help business lines shore up their cybersecurity defenses. Currently, 47% of organizations do not invest in training or on-boarding of security personnel, so there’s room for much improvement in this area. In some organizations, CISOs are already coaching executives about GDPR and data privacy. As a coach or mentor, CISOs need to offer guidance, motivate, inspire, listen to and persuade others within the organization to help the company meet its security objectives.
- CISOs must embrace organizational leadership. Forward-thinking CISOs are taking advantage of their increased visibility and are helping drive progress toward company goals. At present, the study shows, only 41% of CEOs and/or boards of directors are briefed on the use of automation; that figure is still low. But department heads are now seeking the CISO's counsel regarding the company's technology infrastructure. Some CISOs are working closely with the Chief Privacy Officer (CPO) and Chief Risk Officer (CRO) on issues like compliance with the company's acceptable use policy, cybersecurity best practices, and talking points for department heads to use with their teams. Security automation can push CISOs to step forward, speak the company's language, be mindful of company priorities, and look not just at the threat level but also at risks to assets, the bottom line, and reputation.
- CISOs should develop a strong security framework. Strong CISOs carefully prepare plans with both short-term and long-term planning horizons. In fact, establishing a process to determine strategy, set priorities, and create operational plans is one of the most important steps a CISO must take to ensure the security program is effective and properly aligned with the company's goals. They should recognize that one size does not fit all when it comes to formulating a useful plan. For example, in some firms CISOs develop their security strategies from project-level risk assessments, while in others they combine top-down risk management with a bottom-up approach.
- CISOs should learn, unlearn, and relearn. As more companies adopt security automation, CISOs need a solid foundation of security knowledge to draw from, because they will play a key decision-making role in information security. They should possess strong analytical and problem-solving skills to understand and apply abstract concepts to practical problems, and the competence to manage a team of experts.
Studies show that security leaders must be engaged in their own self-development. Training and development programs should proactively address emerging technologies, new compliance requirements, and the ongoing need for security improvements. CISOs should pursue certifications such as Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM), as they demonstrate a foundational core of knowledge in the field.
To conclude, forward-thinking CISOs in all industries are paving the way by taking on coaching, embracing organizational leadership, and adopting information security management frameworks. Almost half of security leaders are sharing threat intelligence and collaborating with industry peers, which the Ponemon Institute considers a good sign. As Stephen Hawking said, “Intelligence is the ability to adapt to change.” If anybody can adapt to change and thrive, it is the smart CISO in the age of security automation.