Our CTO, Adam Gwinnett, shares his thoughts and views on the future of automation in cyber security.
There is a lot of ongoing discussion about the increasing use of automation in cyber security and the potential consequences for teams, tooling and the broader offensive security profession. Other fields have been through similar journeys before, so it is worth exploring the parallels between these areas.
All industries have seen drives towards automation, from manufacturing centuries ago to current trends in Robotic Process Automation, which automates administrative tasks to cope with increasing demand.
There are direct parallels between current security trends and what the software QA industry underwent 10 years ago: a move to automated checking and a broad abandonment of manual testing. Effective organisations understood that a balance of both was required to achieve the highest quality in products and processes, as automation does not cope well with anomalies or with original and creative activity.
Automation can also accelerate the generation of garbage in poorly constructed processes and create pressures on other functions further down the value chain (ref Theory of Constraints and Flow). The net effect of these changes in QA was that the number of roles in projects and organisations shrank significantly. The roles that were retained were typically those that could define frameworks and conduct high-value exploratory activities, attracting higher salaries and corresponding authority and influence.
The unforeseen consequence of this has been a stagnation of the industry with junior posts increasingly scarce and mechanical (implementing automation steps with established tools), whilst senior posts continue to be filled by long-established role-holders or come with high learning curves and failure rates for subsequent promotions.
Automation Characteristics and Fit
The benefits of automation are frequently spoken of in relation to promoting repeatability, consistency, predictability and auditability, all characteristics the security community tends to readily identify as desirable in its own specialisms. It also allows capacity to be scaled effectively to address all demand, which can help mitigate the causes of burnout and overwhelm in organisations, marked traits of the current security industry. The main driver behind this adoption is of course financial: most organisations find that automation allows them to meet growing demand with the same or fewer personnel as tooling replaces skills. This also means that roles can be de-valued (offered at lower salaries) in the longer term, further reducing the Total Cost of Ownership of a capability.
The fundamental weakness of automation is that it excels at the activities of Process Workers and is typically unsuccessful at the activities undertaken by Knowledge Workers. In an industry with seemingly endless short-term demand and a volume-based economy (self-service buffet over silver service), speed of delivery and turnover of clients frequently surpass quality concerns, especially in areas such as testing, risk assessment and compliance. This is the demand that spawns an industry of templates and copy-and-paste report writing. The very same characteristics that are driving large-scale recruitment, a so-called skills shortage and relatively large salaries for moderately skilled roles are also why the industry is such a target for automation.
At its heart this can be viewed as an image issue. Security is not seen to add significant business value; it represents a high overhead on the balance sheet and is typically more interested in its own goals and continuation than in the success of the wider organisation (there are of course notable exceptions to this). When there is the potential to achieve the same outcomes at reduced cost, without the constant “no” and the sense of superiority and arcana surrounding security, it is no wonder that automation is not proving a difficult sell.
The challenge for those automating their security functions out of existence, much as we saw with QA work more broadly, is that automated approaches are fairly simplistic in their application. They also create huge confirmation bias (confirming that things you know worked still work, and that you didn’t break those things when you changed something) and, outside of rudimentary issues, are very limited in their ability to actually test processes or any form of “unhappy path”.
Where automated approaches do look to test negative outcomes, this tends to be heavily scripted and based on well-known and widely published exploits and techniques. In other words, the kind of tactics that none of the adversaries you should actually be worried about will be employing. It addresses the “spray and pray” and volume-based actors that only need a low success rate to fund their ventures, but fails to address any motivated and capable adversary whilst creating the illusion of security.
As with QA, the organisations that retained personnel and achieved the greatest results had mature and performant capabilities, and individuals with strong leadership qualities and strategic insight who were able to clearly demonstrate the alignment of their activities to business goals. By evolving their own function’s input, contribution and methods, they increased the perceived value they created and continued to communicate value and achievement in their work. Metrics were carefully reconsidered, moving from the “absence of defects” to measures like “improvements made to products” and “speed of feedback to production”.
Lessons in Leadership
Successful leaders in these spaces were strongly value-driven as well as being effective leaders in their own right. Security could do well to emulate and expand on these lessons in its own outreach into wider functions and in putting values at the heart of engagement with the wider organisation. The advisory and protection aspects of the security role are best met with high credibility, trust and honesty. The intrinsic sense of accountability inherent in security roles, and which security directly supports from a governance perspective, is most rapidly and fundamentally undermined by individuals not acting in line with core principles and values. Those that have acted with integrity, demonstrated their contribution and sought to ethically further the goals of the company have typically been those that passed the test of retention following major incidents and breaches, and have gone on to achieve recognition both for themselves and for the organisations they serve in response to these events.
Security leaders acting with strong values will find themselves highly desirable to organisations whose values closely align with theirs in terms of corporate culture, focus and engagement. The counterpoint will also become prevalent: those leaders that do not demonstrate these core values will find themselves “available” for extended periods or will move between roles rapidly. Those that are not seen to live by suitable core values will also send signals to the broader industry about the attitude of the organisation they serve towards security. This broader reputational malaise will start to creep into areas like insurance coverage, audit rates and other disruptive business events.
By having strong security leadership with clearly demonstrated values, organisations will potentially be able to reduce their levels of administrative overhead from regulatory inspection and distinguish themselves from their peers. This will start to be a key enabler in getting those leaders that seek it to more senior levels of representation and influence.
In the drive towards automation, security functions that do not demonstrate core values will struggle to maintain their positions and will find themselves with short tenures. Embracing the nuance and insight of the Knowledge Worker model will not only insulate these functions from removal but will also help drive their behaviours and activities up the value chain. A focus on policy, processes and other people-centric elements of security practice will be the most resistant to automation. These areas require empathy, influence, challenge and authenticity to be effective. Demonstrating these values will establish the trust and integration necessary to accelerate impact and will help to build the relationships needed to influence lasting change within the organisation.
As with outsourcing, automation should seldom be applied to an organisation’s core functions but used to remove overheads from peripheral and supporting elements. It should also never be applied without deep and detailed inspection of the elements under consideration for automating as, once automated, the likelihood of inspecting and redesigning the processes and functions undertaken is proven to dramatically diminish. Inefficiencies in processes that individuals don’t have to action seldom get addressed.
The core values of a security leader can be used to identify what is central to their function, what is a core tenet of what they deliver and how they deliver it, and how it feels to be supported by that function. This can provide an effective lens, and a basis for challenge, for what should be automated by an organisation, and can ensure that doing so reduces rather than increases the organisation’s risk exposure. Whilst automation is fully auditable, the lack of human oversight can leave automated mechanisms prone to exploitation, and this can often go undetected for longer periods, since the automation routines themselves will process any valid request or action regardless of its potential impact or desirability.