I’d like to take a small commercial break from your regularly scheduled security & risk programming to bring you the following observation . . .

I was recently in a client session with one of our great infrastructure & operations (I&O) analysts, Glenn “Automation” O’Donnell. His research on IT automation is extremely interesting — both tactically (advice for improving IT operations) and philosophically (a call to arms for IT professionals to update their skill set — or risk obsolescence).

Anyway, in this session Glenn made a great observation: IT is at a key inflection point in 2009 and it’s never going back. He was distilling the result of three IT macro-level events colliding:

- Business Technology (BT) architecture redefining how we define IT services
- Cloud computing and virtualization redefining how we build IT services
- Automation and ITIL redefining how we run IT services

But the big takeaway for me was automation. It’s the main ingredient in transforming information technology.

And now as we return to our regularly scheduled security & risk programming I’d like to pose the following question: What is automation doing for information security?

My take: Not much.

Sure, we see pockets of automation in information security. I’ve seen:

- GRC. Enterprise GRC platforms help automate risk and compliance management. They build on one of the key tenets of automation: visibility across silos of information and assets.
- Security operations. Tools like firewall management and security information management (SIM) help automate monitoring and maintenance of basic security operations tasks.
- Business continuity. Many organizations have automated disaster recovery processes. For example, mission-critical systems automatically failing over from a primary to secondary data center.

I’m sure I could come up with more if I dug a bit deeper, but it seems to me that the majority of examples I do come up with either focus on monitoring (which isn’t a particularly powerful automation concept) or build on infrastructure and operations automation, as with BC/DR.

So why isn’t automation more prevalent in information security? I recently posed this question on Twitter and @dbanes responded with “Probably 'cause it's nearly impossible to automate solutions to manually crafted attacks.” Good point, but I still think information security is a service-oriented function, much like infrastructure & operations. I would expect to see a lot more automation to tackle inefficiencies around security policy management, metrics and reporting, rights management, etc.

I’ll leave you with a pearl of wisdom from Glenn: “Be the automator, not the automated.” Although CISOs have done a good job of shedding many operational responsibilities, there are still a lot of lessons to be learned from other IT disciplines on how automation can produce a leaner, more efficient information security organization.

Am I missing something? Let me know your thoughts on automation and when and how it applies to information security practices.