Home Interviews “Automation can help us by making sure our recovery environment replicates the...

“Automation can help us by making sure our recovery environment replicates the real environment”

Jeffrey Wheatman, Research Director, Gartner

Security leaders are grappling with a number of challenges today but with more automation coming into cybersecurity, they are seeing some solutions to ease those challenges. Certain areas of cybersecurity are leveraging automation, AI and ML, and can detect threats on a scale that’s not possible for humans to do manually. Jeffrey Wheatman, Research Director, Gartner tells Brian Pereira of CISO MAG where automation in security is heading and how it can help solve the skills shortage problem or manage resilience risk.

How does automation address some of the areas that security leaders are struggling with today? How is automation technology for security evolving?

Security leaders are struggling in a number of areas. One, there’s a human capital problem. We do not have enough people with the right skillsets. The technology is also getting more complicated. This is where automation can help.

Secondly, there is too much background noise. We have too many sensors and agents and devices that are collecting data and I doubt if humans have the capability to parse through all of that noise and extract value. Human beings, by nature, are not great at identifying patterns. So automation helps from that perspective as well.

Finally, automation speeds up the detection, response and recovery piece, an area that a lot of people struggle with. People have done a fairly good job with protection, prevention and stopping the bad actors. But when they get in, the ability to detect and respond, doing so manually, is way too slow.

I think automation is improving over time and getting more mature. The original aspect of automation was about signature based, and simple analysis and scripting. But as we see artificial intelligence and machine learning get better and stronger and more usable, automation is actually leveraging a lot of those things as well. There is standalone automation and then there’s automation in existing toolsets like SIEM, data loss prevention and endpoint protection.

Which areas of security are leveraging automation and AI the most?

Endpoint protection is leveraging AI, ML–data analytics too, for things like integrated risk management tools and platforms. We’ve also seen AI used for application security testing and for DevOps implementations.

Looking at data usage patterns I think we are going to see more of that in the cloud. One of the challenges of cloud is that once the data leaves our network, we lose the ability to control. AI and ML can help us in understanding how the data is used, helping us identify patterns and therefore identify things that don’t match which might be a trigger or an alert.

How do businesses manage resilience risk through automation?

One of the challenges that we used to see is that the backup environment, the failover environment sometimes didn’t match the real environment. So we would patch our production servers and wouldn’t necessarily move that configuration update into our recovery center. That’s the way that automation could probably help. I think AI and ML as part of automation can help us anticipate outages beforehand, and therefore we will be better poised to have resilience.

If the AI and automation tells us there’s a lot of bad traffic going on out there, we should be prepared before it hits us. We should be able to see a malware attack spinning up, and be able to catch it (before it impacts us).

Automation can help us by making sure our recovery environment replicates the real environment. It could look at the automated analysis through the environment and do constant situation awareness.

Are the CISOs doing enough to reskill their teams and what should be the correct approach?

Part of it is outside the scope of what CISOs can do. We need to start thinking about how do we create people who are solutions-focused rather than technically aligned. For instance, a network security engineer does not have a lot of visibility into applications or the data level or the cloud. We need people to think more about the bigger picture.

The traditional education has been aligned with a narrow view. So it is about pushing our people to be more solutions focussed. The way to do that is by moving people around (the organization) and by skills transfers. By having people work directly with the business and understanding how they use the technology and the systems.

One of the things we see people doing, but not as much as they should, is they can go to other areas in the business for resources. For instance, people who work in finance have good risk-based mindsets.

Making our job descriptions less technical and more solutions focused will essentially double the labor pool because we will be able to recruit people from all sides of the gender continuum.

Getting our people to think more like hackers and not just defenders, because the attackers have different mindsets. There are also tools like Cyber ranges and attack simulation and  we need to use these tools to train people.

How do you see the role of the CISO evolving?

CISOs need to shift mindsets. The CISO’s job is not (only) to protect the organization. The CISO’s job is to provide information for his/her stakeholders to enable them to make the right decisions about what risks to accept and which ones to… They have to work with the business to find the right balance between protecting the business and running the business. Unfortunately, a lot of security leaders think it is their job to protect the business and to protect people from… and I don’t think that’s right.

Security leaders need to be more effective communicators. We need to not try to make the business speak our language. We need to try to speak their language. I don’t think we have enough security and risk leaders who have got to that.

The CISOs are not doing an effective job in building the bridge or the connection between ‘here are the things we do, and here’s why you should hear about them’.

In a lot of cases those C-levels and board members see security as a cost center. They know cybersecurity is a problem, but they don’t always understand why; they don’t understand the impact. And unless CISOs can effectively demonstrate why security played a critical role to achieving business objectives, we are going to see shrinking budgets and that’s going to lead to a lot of problems.