AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Is Your CIO Your Next Big Security Risk?

A few weeks ago we released the findings of our latest survey, examining the State of Automation in Security. It showed that many companies are struggling. Struggling to roll out new business applications, struggling to migrate to the cloud or enter the software-defined data era, struggling with outages, struggling to comply with regulatory requirements, and of course struggling to fend off the ever more sophisticated cyber-attacks.

And the reason? Security policy processes… or more specifically, manual management of security processes, which is hindering the business rather than enabling it. Therefore, it wasn’t too surprising that 83% of organizations in our survey said that the use of automation to manage security processes needs to significantly increase over the next 3 years.

However, one element that was surprising was the apparent disconnect between C-level execs and front-line network ops and security professionals. This disconnect was apparent through a number of key issues.

  • The levels of automation in security. Only 7% of C-level execs claimed that their organization’s security processes were ‘highly automated’ (vs. 15% overall) with 45% reporting that they had little to no automation in place (vs. 33% overall).
  • Inhibitors to automation. C-level execs rated a lack of suitable automation tools as their top inhibitor, differing significantly from the overall results, which focused on accuracy and the challenges of making the necessary organizational changes. Not surprisingly, C-level execs’ second highest concern was disruption to the business. This was only the sixth most important factor for overall respondents.
  • The key drivers for security automation. The C-level execs showed a marked difference in priorities vs. the overall average. C-levels ranked ‘too much time spent on manual tasks’ as their top reason for using automation, and ‘cyber threats and the number of alerts’ second. These factors were reversed for the respondents overall.

So what does it mean in practice?

Firstly, it means that there is a lack of transparency within organizations regarding their current level of automation. Either front-line security staff are overestimating the amount of automation currently in place or (and this is more likely) C-level execs are underestimating it. C-level staff, in other words, are not fully informed as to their business’s current information security profile.

Secondly, C-level execs’ concerns about the availability of suitable tools suggest that they simply aren’t aware of what automation can achieve – while front-line networking and security staff are too concerned about potential errors and distractions from their day-to-day work to put forward a case for automation. Once again, C-level execs seem to be uninformed.

Finally, it highlights that C-level execs are most interested in automation from a business process and efficiency point of view, whereas front-line teams are driven by how it can enhance the overall security posture. I believe this shows that C-levels’ top priority is to focus on how resources can be better utilized across their organizations, though it also indicates that the C-levels, once again, may not fully understand the security capabilities of automation.

A recent global survey by The Economist Intelligence Unit (EIU), sponsored by VMware, found a similar disconnect between C-level execs and senior technology leaders – a divide that the survey report stated could ‘imperil the security of the firm.’ It showed that the C-level, who are in charge of budget decisions, are not likely to allocate the budgets that security teams believe are necessary to protect the firm, or that match the expected escalation in threat levels, because they don’t give cybersecurity the same priority.

The good news is that C-level executives are already convinced of the value of automation, but there’s clearly a disconnect between those doing the work and their senior management. So if the full benefits of automation are to be realized, everyone needs to get on the same page about the value, benefits and capabilities, as well as the limitations, of automation. Furthermore, automation should be driven from the top down in order to ensure a uniform, structured and realistic approach to its implementation across the organization and to alleviate concerns related to deployment resources, processes and expectations, as well as concerns related to staffing – be it changes in roles and responsibilities or possible cutbacks.
