This post is by Mike Rothman, analyst and President of Securosis, an independent security research firm.
Most "models" of the technology market are nonsense, though there are a few models that I think make a huge amount of sense. Anything that looks like a grid and has vendors reduced to dots is the former. Gartner's hype cycle is the latter.
For those of you that aren't familiar with the hype cycle concept, new technologies tend to travel along a predictable evolution of hype, starting with some kind of technology trigger, climbing to the peak of inflated expectations, bottoming out at the trough of disillusionment, and then rebounding into the slope of enlightenment and finally leveling out on the plateau of productivity. It's genius. And true based on my 20+ years in the crazy business.
So why mention the hype cycle? It's certainly not to blow (more) smoke up the hind sections of Gartner analysts, who have folks lining up to do that. It's to use that metaphor on what will be the very hot term throughout the rest of 2015 and we expect to be a major theme in RSAC 2016: automation.
That's right, automation is primed to hit the big time. Finally. Now before you roll your eyes (and I know you are rolling your eyes right now), hear me out. There are some real reasons the age of security automation is upon us. And also some major impediments. The hype cycle gives and the hype cycle takes. It is kind of like life, no?
The technology trigger is rather obvious. Security is complicated and getting more complicated. Adversaries are better and defenders are largely not. And more significantly, there aren't enough defenders to keep pace. Not even close, so most senior security professionals are glorified recruiters nowadays. They use fancy terms like talent management to make themselves feel better about spending hours a day trolling LinkedIn to find candidates they can't hire. Mostly because these candidates don't exist and for those that do exist, they are going to the highest bidder. Odds are, that isn't you.
So we have to get more efficient and that creates a perfect environment for a technology like security automation that allows you to focus your scarce resources on tasks that require billions of synapses. You can use the robots to do the rote work, and you should. Moreover, the move to cloud computing is also setting the stage for increased automation since everything is done via scripting and APIs. It's a natural for automation.
But as always, the security marketing machine is kicking into gear and you are seeing a bunch of start-ups talking about automating this and automating that. And as always, the reality will be far less impressive than the PowerPoint decks or the magicians in the expo halls. Which is exactly what many grumpy security folk are counting on because they don't trust automation and figure if something is going to get done right, it needs to be done via CLI on the console.
That's when the bubble is burst and security automation will tumble off the peak and into the trough. Though we don't expect it to stay there long. Mostly because the industry has no choice. There aren't enough practitioners and the technology stacks most organizations are moving towards are built with automation for both security and operations in mind. The only thing really missing is trust. So if you can become one with Mr./Ms. Robot (we don't discriminate in Robot-land) and deploy trustable automation, it's a win and gets us climbing the slope of enlightenment towards the plateau.
Now practitioners can move more gracefully towards acceptance by doing a few things to accelerate their trust in security automation. The first is to learn scripting and start playing with APIs and the cloud. You don't have to be a hardcore programmer to understand how many of your functions can be scripted. And if it does require real programming, you'll know exactly what to tell the developers to build.
The other is to start thinking about your policies, not in terms of English words that your lawyers can understand, but rather a set of logic trees that can be deployed by the machines. One of the more desirable skills in security over the next five years will be the architect that can take requirements and turn those into security policies that can be deployed in the machine.
And just think, your new Robot overlords won't bitch about the lack of a pension plan, don't ask for time off, nor do they expect a card on National Assistant's Day.
Until they do, then we're all screwed.