CISO ‘How to’ Without the Bull: Optimising Automation

In the latest of my “no bullshit” cyber blogs, I’ll explain how automation can turn security into a business enabler. My name is Nick Harris, and I’m the CISO in Residence at Assured

Automation workflows have leapt forward in recent times with the new entries to the market and the integration of GenAI. Players like Tines and cheaper alternatives like n8n and Zapier are revolutionary approaches to scaling the security effort efficiently. However, this blog isn’t about automation on its own; it’s about creating security products the business can use. That will not only save the security team time and effort, but make the rest of the business run faster.

Getting started

Ultimately, ChatGPT will only get you so far in these efforts. A developer will be faster, write higher quality code, know how to run automation via SDLCs, and have stronger coding practices.

With an automation platform and skilled dev(s) to hand, you can build the best phishing response playbook, vulnerability triaging, Slack-triggered containment, and other workflows. But these are largely only seen by the security team. They are also pure automations.

“Automation can help turn the security team from a cost centre to a valued business enabler.” Nick Harris

I am talking about building and shipping tooling to your business. Here are some examples of products you have the tech and skills to build, which can help turn the security team from a cost centre to a valued business enabler.

JML: Automating the Active Directory element of account creation and group membership has real security value. By tying this together with background checks, payroll, pensions, HR and training systems, access cards, and more, you can create a workflow which massively reduces corporate workload. HR in particular will be hugely grateful if you can reduce human error and make onboarding more pleasurable. The same flow can be tweaked to remove leavers as well as handle movers across the business. Put a form in front of this and provide this to HR, and you’ve got a great product for them.

Local admin: Sometimes a local admin account is required, and there are expensive solutions on the market that allow for just-in-time sessions that help to mitigate risk. But it’s equally easy to build this product, initiated via a trigger in Slack or Teams chat which pushes an MFA prompt and then elevates a user for a short period of time. You could also add in an approval easily enough.

Erasure requests: It might be that the personal details of customers exist in many systems and databases, so when a right-to-erasure DSAR is received it’s a significant effort to comply. A form on your website, used by the data subject, can validate the request and be passed to an authorised customer services rep to review. This would trigger an automation that deletes the data subject’s personal details, audits the whole process and notifies everyone involved. This can save considerable time.

Chat bots: A chat bot in front of an IT asset/user data and connected to the ticketing system can make for a significantly improved IT service desk experience. Equally, a chat bot pulling data from your company policies could replace the HR FAQs page with much better information.

Show the value

The possibilities are endless. As a security lead, you might feel you’re stepping outside your remit writing automated report generators for other departments. But the results are threefold. First, you are making significant improvements to the business to make people’s lives easier. Second, every flow drives better security – whether it’s access control, speed of response, or reducing staff workarounds for friction-based security practices.

“You are making significant improvements to the business to make people’s lives easier.” Nick Harris

And third, you’re making cost savings beyond the obvious efficiencies, because it means you don’t have to buy in third-party solutions for the above tasks. These can be costly, might not meet the full requirement, and definitely won’t be as flexible as something you’ve built yourself. Think how much you might be paying for a privileged account management (PAM) solution for local admin escalation, or an erasure request management platform, and consider what it would cost to build these as internal products on top of your low-code automation platform.

As you embark on this engagement and efficiency programme, be clear to the business of the cost savings you’ve made by removing or not buying a third-party product because of what you’ve built. And keep a record of how long a manual process took and how many times a new automation runs within the product you’ve provided. The hours saved across the business will soon add up.

With more autonomy, comes more risk. Check out our latest piece on “What Businesses Need to Know About CHATGPT Agent“