Should a CISO be Better at Automation than Security?

As the story goes, and more recently popularized in the movie The Founder, Ray Kroc was speaking to a class at Harvard when asked “What business is McDonald’s in?” “Restaurants!” “Hospitality!” “Supply Chain!” “Franchising!” “Entertainment!” “No!” Ray laughed and replied to each student. “Ladies and gentlemen, I’m not in the hamburger business. My business is real estate.”

This analogy leaves us wondering about the business of cybersecurity. The mission is to reduce cyber-related risk to the business. To many, this mission, and cybersecurity writ large, remains cloaked as a deeply complex technical function. However, when you pull back the curtain on what security teams do day to day, demystifying it to some extent, is it not just an operations function like many other parts of a business? Reducing cyber risk results from the effective use of People, Process, and Technology, trite as that may sound. Further, as in many operations functions (e.g., information technology, supply chain, customer service), success results from an endless pursuit of operational effectiveness and scaled capabilities, often with automation at center stage. The case for automation is even stronger for cybersecurity teams that have to keep pace with an ever-expanding digital footprint and protect against advanced cyber criminals on impossibly tight budgets. Given this sobering state, where should automation sit within an information security organization to ensure it is treated as a strategic imperative?

Read more here: Justin Whitaker on Medium.


About the Authors

Justin Whitaker is a Partner and Practice Lead for DayBlink Consulting’s Cybersecurity Group.