When Amy, the CISO of a healthcare provider, looked at cloud security across the enterprise, she realized the default access control models were creating a variety of access issues. BeWell’s infrastructure as a service (IaaS) providers defaulted to a secure state, allowing only the owner access.
On the flip side, software as a service (SaaS) providers defaulted to totally open access. With multiple clouds in use, it would be impossible for Amy to manually relax permissions for IaaS and ensure adequate controls for SaaS. The solution? Automation.
The best way CISOs can bring value to their organization today is by leveraging automation.
We are no longer raising singular concerns about providing security and managing risks. The complex questions that is critical now is ‘how are you helping the enterprise realize more value while assessing and managing risk, security and even safety?’
The impact of automation
Automation is already impacting the world in two ways, first, as an enabler to the security and risk function and second, as new security frontiers that need to be acknowledged and understood.
As pieces of the business begin to adopt emerging technologies ranging from the cloud to blockchain to digital twins and immersive technologies, CISOs like Amy will find themselves overwhelmed with priorities.
Other business units are likely building solutions without consulting those of us in security. This means the C-suite is making technology-related choices every day, often without realizing the risk implications of what they are doing. The consequences of these business choices —choices over which we have no control and do not always see — can be huge, especially as the potential for digital business continues to grow.
As digital transformation alters security needs and necessary skill sets and competencies, it creates new talent gaps that are difficult (if not impossible) to fill.
Automation in the business
Many automation tools are ad hoc; others formally automate key parts of a process. Some tools use one technique, while other types of automation utilize a handful of techniques. For example, robotic process automation is best suited to task-centric environments and predictive analysis that uses predictive modeling, regression analysis, forecasting and pattern matching to answer the “what is likely to occur” question.
Some companies will use automation to reduce costs, standardize or increase productivity. Others will use it to improve the quality and consistency of risk controls, while reducing error caused by humans. Organizations will also use automation to increase speed or agility.
The CARTA approach
Regardless of how automation is being used, security and risk leaders can no longer depend on traditional security approaches.
We need to consciously take an adaptive approach to automation that minimizes the risks to our organization while helping it reap the rewards. We must balance risk and trust adaptively to navigate our place on the automation continuum in order to deliver value. For example, the Continuous adaptive risk and trust assessment (CARTA), a strategic approach to information security that was introduced by Gartner in 2017.
It is a strategic approach to security that acknowledges there is no perfect protection, and security needs to be adaptive, everywhere, all the time. Any automation choice must be conscious and adapted to the current situation, as well as adaptable to the future
Automation does add risk. For example, algorithms can include implicit and explicit bias by a creator, or algorithms on untrusted operating systems could be unknowingly controlled by outside parties.
Any automation choice must be conscious and adapted to the current situation, as well as adaptable to the future, But, if done correctly, automation can also be hugely beneficial to the security team and business.
Deliver value with automation
CISOs must deliver value using automation in three areas: Identity, data, and new product or service development.
Identity is the foundation for all other security controls
Decisions regarding identity should always remain within the control of security and risk teams. This becomes even more important as businesses increasingly move to cloud environments. As systems and companies become more complex, relying solely on multiple passwords for identity confirmation becomes difficult and risky.
Consider using an intelligent risk engine to automate certain parts of the process. A CARTA approach to identity will be key to ensuring that the risk engine isn’t too relaxed or restrictive, but also works for the user.
Data is where much of enterprise value resides
Businesses are data generation powerhouses. Failing to protect and watch data can be costly — and can, in fact, harm an organization’s value.
Review the access control models for any infrastructure as a service and SaaS applications and consider using a cloud access security broker (CASB) to identify and classify data and files. Use a CASB in combination with enterprise digital rights management to extend controls over the entire enterprise, regardless of where the data lives.
New products or services development is a focus for companies
Companies are developing new products and services to gain competitive edge and are leveraging emerging technologies, which are highlighting new business opportunities. With an increasing need to go to market faster, DevOps processes can run afoul of security protocols. Automation can help achieve the ultimate goal of DevSecOps, where security is built into the beginning of the process with no negative impacts.
Consider automation options such as interactive application security testing, a machine-based solution that enables you to observe the behaviour of an application from the inside. Your team can then piggyback security testing onto the quality assurance testing, and avoid using a single security test case.
Consider how automation can be integrated into systems and how it can reasonably be used within a CARTA approach
Within these mission-critical priorities, security and risk management leaders must prioritize what they want to handle, what other teams can reasonably do, and what doesn’t warrant time or attention. Security teams must also consider how automation can be integrated into systems and how it can reasonably be used within a CARTA approach to security.
To orchestrate and champion value protection and empower value creation, CISO should recognize and manage the tension, and find our place on the automation continuum.
(The author is VP Analyst at Gartner)