How security teams can serve the business with automation

Dec 11, 2017 | 4 mins

Automation isn’t automatic: it takes diligent steps to improve your security environment.


There is data in every business process, behind every human action and in each machine-to-machine interaction. The large-scale digitization taking place across the enterprise is constantly transforming the way businesses are run. This digital transformation amplifies the inherent risks and potential vulnerabilities across the technological footprint. This means the very nature of security operations is changing.

For many CISOs and CIOs the new objective is to shift from perimeter-based defenses to an analytics-driven approach. This approach leverages data from traditional IT systems, internet-connected devices and the cloud – providing visibility across the entire ecosystem. And it means teams need complete end-to-end knowledge of who, what, when, where and how incidents are happening.

A security operations team can only manage and respond to what it can see. Even mature enterprises and seasoned security professionals end up short on visibility. This causes a reactive operational posture: always rushed, hurried, uncertain of their level of completeness. Most teams that I speak to are drowning in alerts. And investigations take too long. There is an asymmetry between the amount of data to be analyzed and the security and IT staff in place to monitor, detect and respond.

Consider this: ransomware is projected to attack a business every 14 seconds by the end of 2019. Ask yourself, how many people does it take to deal with this volume? Too many! Here are three things every security leader should be focused on today to make automation a reality within their SOC.

1. Rationalize the need for automation

A recent survey by analyst firm Quocirca found that organizations face an average of 1,200 IT incidents per month, of which 5 will be critical. The challenge in adopting automation isn’t the need. So, what is it? CISOs and analysts alike have shared with me that they struggle to rationalize their automation requirements in terms of business or mission priorities.

The ones that are successful start small. Predictable tasks, especially the ones accompanied by a checklist, are prime candidates to be automated: activities relating to compliance, internal policy, reporting, or preserving evidence can be automated without the usual concerns of causing harm or business disruptions.

It’s important to communicate to the leadership that the goal for automation is to enable the analyst to make faster decisions – it is NOT to replace the analyst. Automation can free security analysts from the rote tasks of bridging unintegrated, ill-configured technologies. It can liberate analysts from being data gophers, busy with copying and pasting spreadsheets. And it allows them to focus on higher-value decision making, enabling faster investigation and response.

2. Evaluate your readiness to automate

While adopting automation is expected to help alleviate some of the skills shortage and combat the challenge of retaining qualified talent, its contribution to the overall performance and health of the business can be much greater. Automation can help transform the security organization into a center of innovation, positively impacting the business by being anticipatory, providing greater integration within IT and creating insight into risk.

To evaluate where you are in the automation journey, CISOs should get process agreements in place before taking steps to introduce automation technologies. As automation of security processes is evaluated, the organization must consider:

  • How to clearly articulate the business value BEFORE negotiating with other parts of the organization
  • Data access and data preparation
  • How to include and inform other areas of the organization, such as IT or operations teams
  • Which existing processes and activities need to be modified
  • How existing software and tools (especially those that are underutilized) can be integrated to enhance the overall security investment
  • How automation aligns with the objectives of both the business and the Security Operations Center (SOC)

3. Evangelize the business impact

Organizations will continue to face a prolonged, asymmetric engagement against threat actors and adversaries that are intent on compromising the business or mission. A clear need exists. CISOs can quantify the value of automation to the executive leadership or board by starting small. Start by automating a set of processes or a particular need; track effectiveness over a short period of time; and report on how automation improved incident detection or reduced mean time to resolution. You can measure in terms of the ratio of threats detected to threats investigated, the time from identification to incident closure, or dollars saved.

Automation isn’t magic, nor will it solve all your problems. It takes a dedicated, organizational effort to establish and maintain. As organizations grow and expand their digital footprints, automation will be key to how security teams serve the business and the mission.


Monzy Merza serves as the head of security research at Splunk. With over 15 years of cybersecurity leadership in government and commercial organizations, Monzy is responsible for helping advise and implement strategic security programs for Splunk’s cybersecurity customers, working hand-in-hand with executives across the Fortune 500 to develop modern security architectures.

Monzy is also responsible for leading the Splunk Cyber Research team, which arms Splunk customers with actionable threat intelligence to combat advanced threats.

A noted international speaker, Monzy frequently presents at government and industry events on topics such as nation state threat defense and machine learning. His current security research is focused on integrated approaches to human-driven and automated responses to targeted cyber attacks.

The opinions expressed in this blog are those of Monzy Merza and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.