Guest Column | December 21, 2020

Navigating The Infosecurity Compliance Minefield With Automation

By Ray Kruck, CEO, Tugboat Logic

When it comes to cybersecurity, manual and disconnected processes often slow down business progress. While this is generally true across the board, it’s a particular challenge for later-stage companies that are trying to grow and scale while also protecting their assets from data breaches and staying compliant. More and more, automation offers a better way for companies to reduce the headaches associated with staying secure as their business expands.

Automation can help manage all aspects of an existing information security program as needs and requirements evolve. By understanding where automation can bring the most benefit and how to best use it, IT leaders can reduce compliance headaches even as their business' ecosystem expands.

Manual And Disconnected Processes Hinder Business

Security compliance is an essential component to consider when growing a company, but it’s also something that can be overlooked – often, with extreme consequences. Failing to maintain compliance (with whatever set of regulations applies to your specific industry, be it SOC 2, ISO 27001, or something else) can lead to fines or other penalties. It also can lead to vulnerabilities and data breaches, which is what the regulations are trying to help you avoid.

There’s often a disconnect in terms of what different areas of the organization are doing. In larger organizations, for instance, you might find that the lower levels of the IT organization are still using manual practices while higher levels have moved on to more efficient processes.

Remote work certainly hasn’t made security and compliance easier. Not only do you have different kinds of users, but now you have the added complexity of remote users. That’s quite different from standard operating procedures, where everybody is tied to a physical location or set of physical locations.

Also, there's a lot of historical technical debt built up inside of larger organizations, where cybersecurity and information security management have a lot of competing systems that are trying to monitor for different metrics. Some of them are focused on response and remediation. Others are focused on monitoring and automating that monitoring, and these tend to compete.

Where Automation Helps

The best use of automation is obvious: eliminating repetitive tasks. This includes things like configuration management, control access, patch management, and monitoring.

Configuration management: IT teams need to establish and maintain the consistency of a product's performance throughout its lifecycle. Configuration management streamlines the delivery of software and applications. It helps organizations keep track of which changes have been made and why, and it creates an audit trail that helps to quickly identify bad configuration changes so they can be rolled back if needed. This typically involves a high degree of automation.

Control access: Access controls are one of the most important security controls in any organization’s security strategy, particularly when it comes to your infrastructure. But because most organizations lack both complete visibility into and control of their cloud infrastructure, it’s tough for security and operations teams to know what actions are being performed by which users, leaving them wide open to accidental or intentional misuse of privileges.

Patch management: Patching is the process of deploying software updates. Often, these updates are resolving critical security vulnerabilities. Patching and management of patching are necessary to make sure all systems and devices are compliant – but this can be tedious when done manually.

Monitoring: There’s simply too much data for humans alone to analyze and, on top of that, controls change. It used to be that security controls were treated as a “set it and forget it” activity, but that’s no longer the case. There needs to be regular monitoring and, sometimes, remediation. Automation can address these needs.

Getting Started With Automation

To start the automation adoption process, first define a common, standardized language or set of principles for your organization that outlines what your security program should be. Then, define the purpose. Using that standardized language, clearly define what it is you are trying to do with the automation and what risk you are trying to mitigate. Next, conduct an inventory of your IT assets – everything from the smallest tool to the largest business applications, including shadow IT.

Once you’ve completed those initial steps, it’s time to begin actual implementation. It’s best to start from the bottom up, at the lowest level of where your IT data is generated and sourced.

Start applying automation here so that you get the real benefits of economies of scale, as well as the ability to consistently and accurately implement IT controls as close to the source of data creation as possible.

Winning With Automation

Scaling a business while using manual processes? Not recommended. The proliferation of enterprise data lakes, endpoints, and applications means that security requirements need to evolve – automation of low-level tasks is the only way to scale. Further complicating matters are data and application silos and compliance technical debt. Automation of evidentiary tasks provides for greater coverage and accuracy in IT control implementations. That leads to greater security and compliance. Use the best practices noted above to begin or refine your automation journey.