A few weeks ago we released the findings of our latest survey, examining the State of Automation in Security. It showed that many companies are struggling. Struggling to roll out new business applications, struggling to migrate to the cloud or enter the software-defined data era, struggling with outages, struggling to comply with regulatory requirements, and of course struggling to fend off the ever more sophisticated cyber-attacks.
And the reason? Security policy processes…or more specifically manual management of security processes which are hindering the business, rather than enabling it. Therefore, it wasn’t too surprising that 83% of organizations in our survey said that the use of automation to manage security processes needs to significantly increase over the next 3 years.
However, one element that was surprising was the apparent disconnect between C-level execs and front-line network ops and security professionals. This disconnect was apparent through a number of key issues.
So what does it mean in practice?
Firstly, it means that there is a lack of transparency within organizations regarding their current level of automation. Either front-line security staff are overestimating the amount of automation currently in place or (and this is more likely) C-level execs are underestimating it. C-level staff, in other words, are not fully informed as to their business’s current information security profile.
Secondly, C-level execs’ concerns about the availability of suitable tools suggest that they simply aren’t aware of what automation can achieve – while front-line networking and security staff are too concerned about potential errors and distractions from their day-to-day work to put forward a case for automation. Once again, C-level execs seem to be uninformed.
Finally, it highlights that C-level execs are most interested in automation from a business process and efficiency point of view, whereas front-line teams are driven by how it can enhance the overall security posture. I believe this shows that C-levels’ top priority is how resources can be better utilized across their organizations, though it also indicates that the C-levels, once again, may not fully understand the security capabilities of automation.
A recent global survey by The Economist Intelligence Unit (EIU), sponsored by VMware, found a similar disconnect between C-level execs and senior technology leaders – a divide that the survey report stated could ‘imperil the security of the firm.’ It showed that the C-level, who are in charge of budget decisions, are not likely to allocate the budgets that security teams believe are necessary to protect the firm, or that match the expected escalation in threat levels, because they don’t give cybersecurity the same priority.
The good news is that C-level executives are already convinced of the value of automation, but there’s clearly a disconnect between those doing the work and their senior management. So if the full benefits of automation are to be realized, everyone needs to get on the same page about the value, benefits and capabilities, as well as the limitations, of automation. Furthermore, automation should be driven from the top down in order to ensure a uniform, structured and realistic approach to its implementation across the organization and to alleviate concerns related to deployment resources, processes and expectations, as well as concerns related to staffing – be it changes in roles and responsibilities or possible cutbacks.