What Automation Means For Cybersecurity—And Your Business

In the movie Apollo 13, three astronauts returning to Earth are unaware of their perilous reentry. Back in Houston at Mission Control, chief flight director Gene Kranz (played by Ed Harris) comments on the unfortunate events, saying: "Is there anything they can do about it?"

No one dared to speak.

"Then they don't need to know." 

If Kranz was in IT security, he'd probably have a thing or two to say about actionable information and how there's sometimes too little and many times far too much.

In this article, I'll share how automation can help turn the right information into action, helping to defend against cyberattacks, mitigate risk, shore up compliance and improve productivity.

You Can't Unbreach Data

The biggest security risk businesses face is lasting damage, which happens when data is lost or stolen. Worldwide data creation is expected to surpass 180 zettabytes between 2020 and 2025, and today's global shortage of 3.4 million cybersecurity workers means there aren't enough highly skilled employees—making it critical that automation doesn't just move bottlenecks around by introducing new or complex staffing requirements.

Attackers know that you can rebuild your cloud infrastructure or replace a laptop but that you can't "unbreach" data, so they turn your digital assets into a liability and threaten to leak or encrypt them unless you pay. Motivated attackers continue to find new ways to penetrate defenses along a swollen attack surface that's bloated from the pandemic due to more hybrid work, cloud services and remote devices. Some malicious actors have even learned how to turn employees into insider threats—the most dangerous threats of all.

With such a vast and fluid attack surface, there will always be at least one compromised account, employee or system—even if businesses do their best to keep up with patching devices and applications.

Distributed Edge, Centralized Data

As the edges of the attack surface grow, data moves toward massive, centralized cloud data stores and databases.

This trend will likely continue because centralized cloud data stores can help ensure all users, devices and services are connected and available to widespread teams. Without persistent and regular connections, a distributed workforce would be isolated and far less productive.

By centralizing data, we also concentrate most of the risk. If these data stores are well-controlled, we greatly reduce the fallout from any single compromised user or device. We must do our best to keep the edges locked down and monitor any worrisome signals they emit, but it no longer makes sense to allocate scarce resources where the bulk of the risk isn't.

If you don't know which direction an attack will come from, but you do know where it will go and do damage, that's where it makes sense to deploy resources. Logically, many security teams have started to focus more on these centralized data stores, looking toward automation to get a better handle on how these data stores are configured, used and controlled.

Where Automation Can Help

Let's start with basic questions, like "Is important data stored where it should be stored?" and "Are applications configured correctly?"

Automation can help answer these questions, but the answers usually lead to new questions and unforeseen bottlenecks. When sensitive data is discovered, for example, it invites questions about whether it's locked down correctly, how it's used and how long it should remain—assuming it's supposed to be there in the first place. Misconfigurations must be handled safely so they don't impair productivity.

Workflows, projects and jobs change over time, so what is correctly configured today won't be correctly configured six months from now. In highly collaborative environments where users share data without help or oversight from IT, it's reasonable to suspect many mistakes. Users will overshare the wrong data with the wrong people and retain access indefinitely.

How can you choose the right security automation?

1. Guard what matters. It should go without saying that it's important to focus on where the risk is. This usually means the intersection of critical, sensitive and/or regulated data; a lot of collaboration; and weak controls.
2. Sample your settings. If you're looking to optimize configurations or lock down your data, consider sampling your environment to get a better idea about how many issues you'll uncover initially, how many issues are introduced over time and whether you can automate the entire outcome—not just finding issues but fixing them.
3. Sample the signals. If you're considering automation to detect and react to potential threats, make sure your staff is prepared to handle the signal volume and content and that you have the resources to optimize them. No one needs another noisemaker.
4. Prioritize upstream controls. Automation that blocks risky or malicious activity downstream, at the edges, is easier to manage and more effective when the flow is cleaner. When teams try to block before locking things down and refining their signals, they sometimes impair critical business flows.

Automation should ease your burden, not add to it. If you invest time and effort in security automation, it must deliver outcomes and shouldn't leave you with new work you're not staffed to handle. If you need niche-level expertise to implement automation or act on the information it provides, then the productivity gains need to justify additional staffing costs and the challenges of finding staff with specialized skill sets.

As data grows in volume and value, it's getting harder to protect. Human reinforcements aren't coming fast enough, so automation can keep those massive data stores from going nova.

This article first appeared on Forbes.