It’s no secret that automation, API, and integration are the buzzwords rocking the cybersecurity world. It’s hard to escape the hype, especially in the GRC arena, where companies like Drata and Vanta have been using cloud provider integrations to make audit preparation a breeze, eliminating up to 90% of the groundwork. Imagine all the things you could accomplish with an extra 36 hours in your week! But, as the saying goes, is it possible to overdo a good thing? Let’s explore that question together.
Where we see the current state:
One of the primary purposes of cybersecurity compliance is to set a minimum bar for the target industry. The trouble? Cybersecurity is often a tangential function of the business, and resources, both people and budgets, are shared without true support. The result is personnel who are responsible for a security area part-time, as a second, third, etc. hat on top of their primary role. Take it further down the rabbit hole and you get people who don’t have the time to stay current on the events, technologies and likely multiple compliance regimes they need to know in the fastest-growing field around (cybersecurity, if that wasn’t clear here 🙂). Enter → Automation. I see the appeal of automating 90% of my compliance journey. It means MAYBE I have a shot at getting to everything else I have to do.
The (un)intentional consequences of cybersecurity compliance automation:
Any auditor worth their salt will tell you that their mission isn’t to fail you; it’s to take an unbiased look at what’s being done to help ensure those you serve stay protected. Unfortunately, the running theme has turned into a race to the finish line. Pass the audit, get the certificate, forget about it until the next time you have to do it all over again. The faster, the better. What we have seen this start to result in is security leaders having less knowledge of what’s actually going on in their programs. Because of the automation, they no longer have to dive into the toolset and confirm configuration settings and users, or have the team (if they’re lucky enough to have a team, of course) run through the last quarter of results. All of that information is just captured and shipped.
The second drawback is that, according to the auditors who actually receive this information, in many cases it takes them LONGER to complete their audit. They have to learn new tool after new tool, figure out how the documentation is organized, and then dedicate enough time to work out whether what’s being presented meets the intent of the control requirements. To sum that up, automation may reduce your time to PREP for the audit, but it may actually increase your audit time as a result.
The third drawback? If you’re not a cloud-centric organization, the integrations behind the automation don’t help you much and may end up being more trouble than they’re worth once you work out your ROI.
Balanced automation is the key:
I am all for simplifying a security program and leveraging automation for daily workflows, as long as a check and balance is part of the workflow. QA is essential in so many areas, and this is no exception. I would love for user onboarding to be automated, assuming that we have a routine audit to validate its accuracy. I would love for vulnerability management to be heavily automated, again assuming that we have a QA check to make sure patches and exceptions are being handled properly. In many cases, routine audits can serve as that validation and QA check, but if we simply automate our way through that too, we have put ourselves into heavily diminished returns on all of our protection efforts.
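The check and balance described above can itself be a small, independent script that does not trust the automation’s own report. The following is an added example, not code from the original post or from any of the vendors it names. It assumes two constructed data sets: an HR roster treated as the source of truth for who should have access, an account export from a hypothetical automated onboarding tool, and a list of vulnerability exceptions with expiry dates and approvers. It reconciles the two access views and flags stale or unapproved exceptions, which is the kind of routine validation the paragraph calls for.

```python
"""Independent QA check over automated onboarding and vulnerability exceptions.

Added example; all names, fields and values below are constructed for
illustration and do not come from the original post or any real tool.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    control: str   # which control area the finding belongs to
    subject: str   # user or exception id the finding is about
    detail: str    # human-readable description for the reviewer


# Constructed HR roster: the authoritative list of staff and their status.
HR_ROSTER = {
    "alice": {"status": "active", "role": "engineer"},
    "bob": {"status": "active", "role": "finance"},
    "carol": {"status": "terminated", "role": "engineer"},
}

# Constructed export from a hypothetical automated onboarding tool.
IDP_ACCOUNTS = {
    "alice": {"enabled": True, "groups": {"engineering"}},
    "bob": {"enabled": True, "groups": {"finance", "engineering"}},
    "carol": {"enabled": True, "groups": {"engineering"}},
    "svc-backup": {"enabled": True, "groups": {"admins"}},
}

# Hypothetical role-to-group policy the automation is supposed to enforce.
ROLE_GROUPS = {"engineer": {"engineering"}, "finance": {"finance"}}

# Constructed vulnerability exception register.
VULN_EXCEPTIONS = [
    {"id": "EXC-1", "asset": "web-01", "expires": date(2024, 1, 31), "approver": "ciso"},
    {"id": "EXC-2", "asset": "db-02", "expires": date(2025, 12, 31), "approver": ""},
]

# Date the review is run on (constructed).
REVIEW_DATE = date(2024, 6, 1)


def audit_onboarding(roster, accounts):
    """Reconcile provisioned accounts against the HR source of truth."""
    findings = []
    for user, acct in accounts.items():
        hr = roster.get(user)
        if hr is None:
            findings.append(Finding("access-review", user, "account has no HR record"))
            continue
        if hr["status"] != "active" and acct["enabled"]:
            findings.append(Finding("access-review", user,
                                    "enabled account for non-active employee"))
        extra = acct["groups"] - ROLE_GROUPS.get(hr["role"], set())
        if extra:
            findings.append(Finding("access-review", user,
                                    f"groups beyond role: {sorted(extra)}"))
    for user, hr in roster.items():
        if hr["status"] == "active" and user not in accounts:
            findings.append(Finding("access-review", user,
                                    "active employee without account"))
    return findings


def audit_exceptions(exceptions, today):
    """Flag exceptions that have expired or lack a recorded approver."""
    findings = []
    for exc in exceptions:
        if exc["expires"] < today:
            findings.append(Finding("vuln-exceptions", exc["id"], "exception past expiry"))
        if not exc["approver"]:
            findings.append(Finding("vuln-exceptions", exc["id"], "no recorded approver"))
    return findings


def run_qa(today=REVIEW_DATE):
    """Run both checks and return the combined list of findings."""
    return audit_onboarding(HR_ROSTER, IDP_ACCOUNTS) + audit_exceptions(VULN_EXCEPTIONS, today)


if __name__ == "__main__":
    for f in run_qa():
        print(f"[{f.control}] {f.subject}: {f.detail}")
```

The point of the design is that the roster and the policy come from somewhere other than the onboarding automation, so a misconfigured integration cannot mark its own homework. In practice the roster and account export would be pulled from the HR system and identity provider on a schedule, and the findings list becomes the evidence that the validation actually ran.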
If you are looking for a way to easily evaluate whether you have the right controls in place, don’t overlook us here at RealCISO.io. You won’t be able to just click a button and have all your answers. It typically takes anywhere from 45 minutes to a few hours to run through an assessment. What you will have is questions you can understand and something actionable as the output.