CISO IT – The Automation Imperative, E10


Jason Kikta (00:00)
Hello everyone and welcome back to Automox's CISO IT podcast. I'm your host, Jason Kikta, and it's really great to be back after an interesting time at Black Hat and DEF CON in Las Vegas this year. So back in the home studio again, and this month we're going to be talking about next level automation and what that means, and how you should think about automation. So let's kick it off.

All right. So, you know, we had this really big event in, in July, right? Where this, this CrowdStrike IT outage, right? It wasn't a cybersecurity incident. It was an IT incident caused by a cybersecurity tool. And that, you know, got a lot of attention obviously, because it had a lot of, you know, not just, you know, as I jokingly call them, not just nerd effects, but a lot of, you know,

real world normal people effects with, you know, airline flights getting canceled and delays for businesses and so on. And one of the really interesting things that I heard about it, and I would say interesting in a bad way, was that, you know, this is the danger with automation, you know, because they were pushing out those updates in an automated manner. And, you know, that's dangerous.

You know, you want to have controls to be sure, but really and truly when you get down and you read through CrowdStrike's root cause analysis, I would say I would take away the opposite lesson, right? That is not a case for less automation. It's a case for more automation because what really happened was that they had a, you know, a testing failure in their pipeline and missed that, you know, this particular

content update would cause a blue screen of death and it would cause it 100% of the time, right? So if they had, in addition to that, added another automated test to, you know, run it live on some Windows 10 or Windows 11 systems, this certainly would have been caught, right? And so the danger again is not that we shouldn't trust automation or that automation is inherently dangerous. Anything that we do at scale is going to be dangerous.

you know, and, have some risks associated, but, but in reality, if there had been some more automation to check on the, the tests to make sure that it actually ran successfully, or to add additional testing, that would have prevented the entire thing. Now, of course, you know, like I said, you want to have some controls, right? Controls are necessary for anything that, that you do, to, buy down that risk.

But, but, you know, removing automation, I would not consider a true risk control in and of itself, because if anything, you know, that, that adds more risk, right? Because you're not relying on automation, you're relying on people, right? You're relying on human memory, human accuracy, human precision. And those things are flawed, right? Like that's just, that's not who we are. That's not.

our ability to be highly precise, highly accurate, to have, you know, fantastic recollection. And, you know, yes, the downside of computers is that they, you know, the downside and the upside, right, the old joke of, "Hey, they do exactly what you tell them to." But the downside is they do exactly what you tell them to, right, you have to get what you're telling them to do, correct. But once you have that, it's going to do that.

every single time, pretty much without fail. And so, you know, when you think about where you want to put controls around it, right, it's really about validating that you have the correct automation that you've thought through all the edge cases that you have safety brakes in there in case, you know, one of the conditions is in a state that you haven't seen before that you didn't anticipate, right, you just maybe you design the automation to fail. And

and return a failed state if everything doesn't line up exactly the way you want it to. But there are other use cases where having it go, even if it's imperfect, is desired. So in that case, your fail safe state is that the automation pushes forward. It's really on, right? That is where you best invest human judgment and experience and intuition to be able to

discern and distinguish between those and come up with the best route to achieve that state. You know, I think this goes to another sort of centralized idea or something that I see people get wrong quite often is that IT efficiency today really is not about the number of positions you cut or the jobs that you offshore. I see people

use that as an excuse. But that's not the right way to think about it. And while that might happen every once in a while, right, that should really be the rarity because I defy anyone to show me an IT team that has 100% of capacity. 100% of the capacity need and everybody well employed today, right? Like, that's just not real. The reality is, is that every IT team has a backlog, the backlog is growing, and they need to deal with it.

That's what's real. That's what we're really trying to address with a number of things, it really with efficiency. And so, you know, this is about ensuring that your team is doing the work that's most valuable to the business. So if you can automate it, well, then that's not something that you need a human being to do. And a human being can move on to other things. And I'll also say that, you know, if something is if you if you can move away from those automated tasks, if you can get those into a point where

they are well automated and tracked. That other work that does require your experience, your training, your judgment, that's going to be the most valuable work to you professionally, plus the most interesting to you personally, right? Like that's what you're going to find real value and reward with because something that is monotonous and repetitive, it's not fun for us to do. And it's not really valuable professionally.

because that is something that is probably a prime candidate for automation. You know, and I think there's no better example than that, you know, computer the term computer that used to be an actual job title, right? You used to have people in your business whose job was to be a computer who was whose job was to compute sums, and, and electronic computers, the computers, as we know it in the sense today, they replace those folks, right? And so

Yes, you know, they had to learn new jobs, many hopefully as programmers, right. And that is, you know, inevitable over time as well. But the reality is, is that what they did was boring and monotonous. So don't think about it in terms of, hey, this is going to replace me think about as an opportunity to get yourself out of that daily monotony and do the things that only you can do that will

really be attractive to you as you grow in your career, whether you move up the ladder or whether you move on to a new job, the things that are really hard to automate, that's where the value is at. IT isn't also about automation. It's all about the automation. Automation is fundamental to information technology. That's why we do it. The whole reason.

that we do all of this, that IT exists and cybersecurity exists to protect the IT, is because we're trying as a society to increase the amount of automation in the dull, monotonous, repetitive jobs that people have to do, because nobody likes those. And they're not really all that valuable. So I'll leave you with this.

you know, sort of challenge my challenge to everyone this week is look for one tedious thing in your job this week that you could automate, right? What's one thing that, you know, you don't like, or that, you know, it's, it's very regular, very regular pattern, and try to find a way to automate it, right? You might automate it using an existing tool like Automox, or maybe an Okta workflow.

Or you might automate it by writing a Python script or using some other tool. Like there's a lot of great ways to automate things out there. And I have always been a big fan of it. That's, you know, doing those sort of, not just real world, but something that is like personally applicable to me where I know the use case really, really well, because I'm solving a personal problem. That's been.

how I've learned best throughout my career is just trying to solve that problem. How do I solve it? How do I solve it robustly? How do I account for those differences? And that really taught me the things that I needed to then apply across my organization as a leader in IT and as a CISO. So I hope that'll be fulfilling for all of you. And

You know, in case you didn't notice, I'm wearing my new, CISO IT t-shirt, which I'm really excited about. I like that. I, we now have our own t-shirts. You know, we're up to nearly 40,000 listeners, on YouTube and that's a really big milestone. And actually by the time you hear this, we will probably have passed 40,000. So that's, that's tremendous.

I know we haven't been on the air that long, but it means a lot to me and everyone else here at Automox that you all enjoy this and get something out of it. So have a, have a great month and I will see you next time.

Creators and Guests

Jason Kikta
Host
Jason Kikta is a fortress of knowledge in cybersecurity, bringing over two decades of frontline experience to the CISO IT podcast. His tenure at US Cyber Command isn't just a credential — it's a cornerstone of his expertise, providing a unique lens through which he views security threats and applies the best ways to prevent or remediate them. At Automox, Jason bridges the gap between good IT and robust security, sharing cutting-edge trends, tips, and expert advice based on the credo good security comes from good IT. His episodes are essential listening for IT professionals aiming to fortify their defenses and stay ahead in the ever-evolving cybersecurity battlefield.