Automation critical in fight against cyber threats, but public agency resistance needs to be overcome


Faced with immediate crises, including most recently the Covid pandemic, government organisations should seek to embed automation into security architectures or risk potentially “catastrophic” implications from emerging cyber threats, say information security leaders featured on the FST Government New South Wales virtual conference panel.


Automation solutions can be – and indeed have been – deployed in manifold ways within public sector organisations, from robotic process automation (RPA) for front-end customer services (ranging from simple form-filling or processing functions to more advanced chatbots) to real-time threat detection.

Increasingly, machine-based security automation is being used to expedite security teams’ threat response, improving both the speed and cost-efficiency of cyber operations.

However, panellists have experienced organisational resistance to automation deployments.

Often, this is due to concerns that automation could undermine the necessary level of enterprise security required to safeguard customer data, particularly when bots have access to protected credentials or confidential datasets.

Conversely, however, with security chiefs increasingly conscious of insider threats, RPA is also being seen as a critical security booster, not only improving response times to external threats but also reducing unnecessary employee access to sensitive data and bridging persistent talent shortfalls for cybersecurity professionals.

Overcoming the fear factor

Panellists agreed their agencies needed a more flexible approach when assessing the adoption of automation solutions, enabling immediate and seamless uptake of the technology.

However, they acknowledged some lingering wariness, and potential mistrust, of RPA within their respective organisations. This, they felt, could be remedied, at least in part, by better education.

Ellen Sundra, vice president of global systems engineering at ForeScout Technologies, said that a number of her partner organisations remained concerned about the perceived business-disrupting impact of automation solutions – a recent healthcare sector client she cited was particularly wary of exposing confidential patient data.

Nevertheless, Sundra insists, the possibilities opened up by these rapid incident response technologies could prove “critical” in mitigating risks and managing threats, particularly in today’s fast-evolving threat landscape.

Organisations should seek to develop a “comfort level and confidence” around automation, she said, balanced with a consideration of risks around sensitive data assets.

“When we look at incident response, we can’t forget about the importance of that automation piece and feeling comfortable with the risks that we’re mitigating with automation.” – Ellen Sundra, ForeScout Technologies

Fred Thiele, chief information security officer for Transport for NSW, urged public sector organisations to “get their head around” automation and its potential value in security management – a technology that could enable agencies to avoid potentially “catastrophic” events before they occur.

RPA could presumably help to identify and nullify threats that could otherwise result in catastrophic network breaches, as well as improve resilience of data housing systems, which, Thiele warned, “attackers are exploiting quicker and quicker every day.”

Automation is among the key solutions Thiele considers when reviewing the Transport agency’s data protection protocols. He believes the technology should be built into longer-term agency planning, well beyond the post-pandemic recovery.

Peter Croll, chief information security officer at eHealth NSW, shares a similar view, insisting that automation be a key element of the “people, processes and technology” framework, particularly as security teams reckon with a substantial increase in threats.

For instance, he insists organisations – and the decision-makers within them – need “a good process in place” to integrate automation solutions in a manner that maximises organisational efficiency, as well as proper oversight to ensure their seamless integration.

“Automation is not just a technological solution… it’s something we have to do, and something we have to move towards.” – Peter Croll, eHealth NSW

Croll, however, remains cautious of an unfettered rollout, insisting there is only “so far you can trust” automation. Organisations, he feels, not only need “key people” to decide what can and cannot be automated but also to interpret and respond to automated processes.

Overall, panellists felt education was vital to support employees’ and department heads’ acceptance of automation, ensuring it can be effectively woven into the fabric of organisational processes. Croll feels it is also crucial that staff are “specifically trained” to help discover new automation technologies that could benefit their agency.

Balancing innovation with risk

While risk mitigation remains a fundamental objective for all security teams, participants called for a more flexible approach to classifying risk, in some cases widening their classification to allow for greater agility.

Panellists also emphasised the importance of balancing employees’ demand for new tools with the potential risks that such technologies could pose to the security perimeter. Education must play a key role in addressing this imbalance.

Sundra cites an instance where employees were calling for their organisation to deploy a new digital whiteboard – one capable of capturing, transferring, and even livestreaming data across their networks. Unfortunately, while devices like this may offer convenience for employees, they also introduce increased risk, Sundra concedes, allowing data transfers over unsecured networks and placing sensitive information at risk of loss.

Establishing a “common language” around risk assessment and decision-making would ensure employees better understand and manage risks within their organisation’s security framework, Sundra said. She further emphasised the importance of educating employees on the potential risks that new tools could introduce and their capacity to weaken an organisation’s security perimeter.

Because not every newfangled tool or digital technology can be approved for use, there is a perception that security teams are innovation “blockers” rather than simply performing their duty to mitigate and manage cyber risk, panellists acknowledged.

While Croll admits his department cannot always rubber-stamp new platforms and services, he insists security teams should proffer “alternative solutions”. Further, he feels that as long as platforms are securely vetted and approved, with “safe guidelines and limitations” for use, there should not be major barriers to implementation.

To ensure security teams can deliver effective decision-making over the long term, panellists agreed that organisations needed to take a step back and fully assess their recently deployed stop-gap technologies – particularly those implemented during the Covid lockdowns.

He concedes that interim solutions, those launched in the “heat of the moment”, have a way of becoming permanent solutions very quickly. These need to be “revisited” with a more long-term vision, he said, and better fit within an organisation’s security framework.

With the panic of the pandemic now easing, he insists “proper risk assessments” and due diligence should be completed to ensure security and data-housing systems are sound.

When managing risk into the future, panellists warned that accounting for and responding to all potential risks remains an unrealistic goal. However, they insisted that having a thorough understanding of vulnerability and risk will ensure organisations are less prone to threats.

“You’re not going to fix everything,” Croll said. Rather, he suggests “fixing the things that are going to cause the worst impact.”

Organisations should identify their highest-risk vulnerabilities and elevate these to the highest priority. Moreover, adequate preparation and ready adoption of automation will be key to managing cybersecurity risks into the future.