With data breaches now one of the biggest worries, the problem may not be having enough cyber defences, but having too many of them from different vendors and not coordinating the effort.
At least that’s the case for the largest companies today, say, the top 2,000, each of which has as many as 80 security vendors for tasks like stopping phishing e-mail or blocking websites, according to Sean Convery, vice president for security business at ServiceNow.
The result is an ad hoc coordination effort that makes it hard to measure readiness and to report risk clearly to a board of directors, he argued.
The answer, according to ServiceNow, a company that has made its name automating processes for IT services and human resources in the past, is to help automate a lot of the tasks carried out now by humans in a cybersecurity team.
This frees them up to take on tasks that need human intervention, for example, enforcement action against a persistent employee who flouts security rules and opens up the business to cyber attacks.
It also helps the team stay alert by surfacing only the notifications it actually needs to handle, ranked by priority.
When there are fewer distractions from routine issues, such as a phishing site that is already blocked, human operators will be less likely to dismiss an alert as a false positive, said Convery.
By creating “playbooks” for each type of incident, say, when a laptop with sensitive information is lost or when malware affects a server, users of ServiceNow’s tools can automate parts of the job that are not particularly interesting or valuable for the analysts to perform, he added.
ServiceNow also has the advantage of managing IT assets for many companies, so it knows how important each computer or server is.
If a lab test machine is being attacked, the priority for a cybersecurity team to respond would not be as high as that for an ERP (enterprise resource planning) system that could affect the entire functioning of the business.
To get customers started, ServiceNow draws on the configurations already in use across thousands of other customers to suggest ways to streamline processes.
It would offer to automate certain steps, say, in patching a server, that almost all customers have chosen to automate, cutting down manual work.
Typically, the system scans thousands of endpoints in a large organisation, then links the result to a risk-based algorithm, which helps prioritise specific alerts or vulnerabilities that are important to address.
From here, change requests are automatically sent to the IT team, because the person who does the patching is usually different from the person in the security team who discovers the vulnerability.
Some patches are urgent and need to be done in a few hours, while others of lower priority can take days. Either way, the time taken to patch the vulnerability can give a sense of how ready a company is to tackle emerging threats.
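The workflow described in the last three paragraphs, as an added example (this is illustrative code written for this article, not ServiceNow's product or API): scanner findings are joined to an asset inventory so that the same flaw on a lab machine and on the ERP database gets different priorities, each finding becomes a change request routed to the owning IT team with a patch deadline, and the closed tickets feed a time-to-patch readiness metric. The asset records, scan results, scoring weights and SLA tiers are all constructed sample data and assumed values; the CVE identifiers are placeholders, not real advisories.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Constructed asset inventory standing in for a CMDB. Field names are
# assumptions for this example, not ServiceNow's schema.
ASSETS = {
    "erp-db-01":   {"criticality": 5, "internet_facing": False, "owner_team": "it-ops"},
    "web-01":      {"criticality": 4, "internet_facing": True,  "owner_team": "it-ops"},
    "lab-test-07": {"criticality": 1, "internet_facing": False, "owner_team": "lab-it"},
}
# A host the inventory does not know is treated pessimistically and sent to triage.
UNKNOWN_ASSET = {"criticality": 3, "internet_facing": True, "owner_team": "triage"}

# SLA tiers as (minimum priority score, hours allowed to patch); assumed thresholds.
SLA_TIERS = [(50.0, 4), (25.0, 72), (0.0, 720)]


@dataclass(frozen=True)
class Finding:
    cve: str            # placeholder identifiers below, not real CVEs
    asset: str
    cvss: float
    exploit_public: bool


def priority_score(f: Finding) -> float:
    """Risk-based score: CVSS weighted by asset criticality, exposure and exploit availability."""
    a = ASSETS.get(f.asset, UNKNOWN_ASSET)
    score = f.cvss * a["criticality"]
    if a["internet_facing"]:
        score *= 1.5
    if f.exploit_public:
        score *= 1.5
    return round(score, 1)


def sla_hours(score: float) -> int:
    """Map a priority score to the number of hours IT has to apply the patch."""
    for threshold, hours in SLA_TIERS:
        if score >= threshold:
            return hours
    return SLA_TIERS[-1][1]


def make_change_request(f: Finding, discovered_at: datetime) -> dict:
    """The hand-off from security to IT: a ticket routed to the asset owner with a due time."""
    a = ASSETS.get(f.asset, UNKNOWN_ASSET)
    score = priority_score(f)
    return {
        "cve": f.cve,
        "asset": f.asset,
        "score": score,
        "assigned_to": a["owner_team"],
        "opened_at": discovered_at,
        "due_at": discovered_at + timedelta(hours=sla_hours(score)),
    }


def triage(findings, discovered_at: datetime) -> list:
    """Turn raw scan output into change requests ordered by business risk, highest first."""
    tickets = [make_change_request(f, discovered_at) for f in findings]
    return sorted(tickets, key=lambda t: t["score"], reverse=True)


def simulate_closures(tickets, hours_after_open) -> list:
    """Pair each ticket with a closure time, given hours elapsed since it was opened (constructed)."""
    return [(t, t["opened_at"] + timedelta(hours=h)) for t, h in zip(tickets, hours_after_open)]


def readiness_report(closed) -> dict:
    """Time-to-patch metrics over (ticket, closed_at) pairs: the readiness signal the text describes."""
    hours = [(closed_at - t["opened_at"]).total_seconds() / 3600 for t, closed_at in closed]
    breaches = sum(1 for t, closed_at in closed if closed_at > t["due_at"])
    return {"median_hours_to_patch": median(hours), "sla_breaches": breaches, "total": len(closed)}


# Constructed scan results: the same flaw shows up on a lab box and on the ERP database.
SCAN = [
    Finding("CVE-0000-0001", "lab-test-07", 9.8, True),
    Finding("CVE-0000-0002", "web-01", 7.5, False),
    Finding("CVE-0000-0001", "erp-db-01", 9.8, True),
]
T0 = datetime(2024, 1, 1, 9, 0)

if __name__ == "__main__":
    tickets = triage(SCAN, T0)
    for t in tickets:
        print(f'{t["asset"]:12} {t["cve"]} score={t["score"]:5} -> {t["assigned_to"]} due {t["due_at"]}')
    # ERP patched in 3h (inside its 4h window), web server in 100h (past 72h), lab box in 200h.
    print(readiness_report(simulate_closures(tickets, [3, 100, 200])))
```

The point of the score is that CVSS alone would rank the lab machine and the ERP database identically; multiplying by asset criticality and exposure is what makes the ERP ticket land in the four-hour tier while the lab ticket can wait. Unknown hosts deliberately get a middling criticality and an internet-facing assumption rather than being dropped, since an unmapped asset is itself a finding worth a triage ticket.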
Currently, ServiceNow counts Sydney-based financial institution AMP as a customer for its security solutions in the region. Rolled out in six weeks, the system is said to have helped the company respond to security vulnerabilities 60 per cent faster.
One thing that has changed with many organisations that have automated cybersecurity processes is teams working more closely together.
Said Convery: “In the past, the security team would do the scan and just give the spreadsheet to IT. IT would say: ‘What do you want me to do about this?’”
“The two teams have historically not gotten along as well, but increasingly, especially with the shift to cloud, security needs to be more a part of what IT does rather than a separate discipline,” he noted.
“Because we’re running on a platform that services both IT and security, they have a common landing page where they can each have their own ‘recipes’ or own set of data, but can interconnect as needed,” he added.