Why automation needs to be a critical part of your defences

Security teams need to start embracing automation so they can overcome today’s complex security challenges.

Why automation needs to be a critical part of your defences

Security teams need to start embracing automation so they can overcome today’s complex security challenges.

Lee Stephens
Lee StephensHead of Security Advisory Services, UK

Five years ago, many of our customers were in fear of any system that could perform its own automated changes. They’d be happy with it suggesting actions or providing clear instructions on what to do. But a human always had to be ‘in the loop’ to make the final decision.

The idea of a ‘black box’ with the power to block certain applications, systems or even customers was just far too risky. How could they trust it to do the right thing?

Changing attitudes to automation

As computing environments become more software-based and more advanced methods of automation appear on the scene, attitudes towards automation are starting to change. 

It seems the more people experience automation, the more they’re able to trust it. 

Today, many security teams are increasingly comfortable being ‘on the loop’ as a key decision maker, as opposed to ‘in the loop’ where they're required to approve every action.

They'll trust a system to schedule a security update or policy change – at least during an initial phase – as long as they have a human ‘on the loop’ to: 

  • monitor how systems operate
  • investigate problems 
  • revert unwanted changes in a moment. 


And in time, after a period of optimising, tuning and tweaking, security teams are often confident enough to remove humans from the loop all together.

Gaining trust in automation

A good example of this is how widely accepted security automation for email phishing has become. 

These days, when somebody flags a suspicious email, it doesn’t go to a member of their security team. Instead, it triggers a workflow that analyses the email’s text for malicious URLs or attachments. 

If a link is definitely malicious, the security software will either block the URLs, or alert defences to protecting the user’s device – all while keeping the email recipient updated on the process.

Throughout most of these stages, humans are now largely ‘out of the loop’ on ‘definitely malicious’ links. Some organisations may still allow a human to be ‘in the loop’ if a link is classified as ‘might be malicious’ or ‘on the loop’ if a link is classified as ‘probably malicious’ . In those cases, the human may have the final decision on whether to block URLs for the entire organisation. 

But on the whole, security software is freeing up time for security teams to focus their efforts elsewhere.

There are plenty of other reasons to start taking advantage of automation, including: 

  • ever-growing volumes of cyber threats
  • widespread shortages of cyber security skills
  • attackers using their own automation to accelerate threats.


Before you start implementing automation into your own processes, however, it’s important to be clear on exactly what your organisation is hoping to achieve and define what success means for you. There’s no ‘on size fits all’ approach.

Defining your success

Based on my experience, organisations adopting automation are looking to do one of three things:

  • create time and energy savings for cyber security teams and analysts
  • improve the level of integration between security tools
  • improve the quality of threat detection.


For one organisation, it might make sense to automate repetitive daily tasks so analysts have time to focus on larger scale attacks. Another may rely heavily on analysts to make decisions but choose instead to use automation to detect likely threats and provide options that reduce their time to respond.

The key is to find where automation provides the most effective value for your organisation without watering down your capabilities.

Starting your automation journey

Automation isn’t something you can build and then forget about. It requires a continuous process of improvement that’s built in as part of your methodology. 

These systems usually rely on a complex set of interdependencies which can degrade over time as things inevitably change – whether that’s the tools and processes you use, the conditions of the threat landscape, or even the goals of your organisation.

It’s certainly a lot to consider, but we can help you to embrace your automation journey. 

Our advisory services offer strategic guidance and solutions to organisations across the globe. We’ll help to assess and test your defences and select the solutions that match your security needs. 

Ready to find out more about our security advisory services? Get in touch with one of our experts today.