EXPERT OPINION
Some tools use one technique, while other types of automation utilise a handful of techniques. For example, robotic process automation is best suited to task-centric environments and predictive analysis that uses predictive modelling, regression analysis, forecasting and pattern matching to answer the ‘what is likely to occur?’ question.

Some companies will use automation to reduce costs, standardise or increase productivity. Others will use it to improve the quality and consistency of risk controls, while reducing error caused by humans. Organisations will also use automation to increase speed or agility.

CARTA is a key enabler

Regardless of how automation is being used, security and risk leaders can no longer depend on traditional security approaches. Continuous adaptive risk and trust assessment (CARTA) is a strategic approach to security that acknowledges there is no perfect protection and security needs to be adaptive, everywhere, all the time.

“We must balance risk and trust adaptively to navigate our place on the automation continuum in order to deliver value.”

Automation does add risk. For example, algorithms can include implicit and explicit bias by a creator, or algorithms on untrusted operating systems could be unknowingly controlled by outside parties.

Any automation choice must be conscious and adapted to the current situation, as well as adaptable to the future. But, if done correctly, automation can also be hugely beneficial to the security team and business.

“We need to consciously take an adaptive approach to automation that minimises the risks to our organisation while helping it reap the rewards,” according to David Mahdi, Senior Director Analyst, Gartner.

Deliver value with automation

Security and risk professionals must deliver value using automation in three areas: Identity, data and new product or service development.

Identity is the foundation for all other security controls

Decisions regarding identity should always remain within the control of security and risk teams. This becomes even more important as businesses increasingly move to cloud environments.

As systems and companies become more complex, relying solely on multiple passwords for identity confirmation becomes difficult and risky.

Consider using an intelligent risk engine to automate certain parts of the process. A CARTA approach to identity will be key to ensuring that the risk engine isn’t too relaxed or restrictive, but also works for the user.
Issue 20 | www.intelligentciso.com