By Brian Hajost
Can Bots really be better than humans?
In a “do more with less” business environment, robotic process automation (aka RPA, aka “automation”, aka “bots”) is gaining traction. With human performance optimization and digital transformations well established in the public and private sectors, some of today’s biggest advancements in time-, money- and effort-saving can be made with automation.
The good news is that a “mechanized” operation has the power to deliver significant and rapid reductions in effort while increasing accuracy and efficiency. The bad news is that you cannot automate everything. So how do you know when it is time to call a human and when it is time to bring an automated solution into your cybersecurity efforts?
Turn to automation to save money, time, effort and souls.
When it comes to the vulnerability of government systems, you do not want to risk a thing. Automation is at its best when addressing rules-based, repetitive, labor-intensive (and, often, soul-crushing) processes. In the quadrant below, you see four key areas of vulnerability and how they are best addressed:
- Risk assessment is an internally determined evaluation of the risks your organization faces. It is a long-term process that requires critical thinking skills bots cannot provide.
- Patching is externally determined, hinging on outside risks. You know the risks are there, but you do not know what they are or when they will hit. It is not repetitive; rather, it requires a human mind to assess, test, and mitigate.
- STIG/CIS compliance is based on an established, regularly updated set of rules wrapped around repetitive processes. The rules come from inside the government. It is an excellent candidate for automation.
- Antivirus software addresses externally determined threats to the system, automating your network’s response to attempted attacks. It is one of the more established uses of automation in the vulnerabilities space, saving humans the effort (and impossibility) of assessing and mitigating threats to the system in real time.
In short, as with all modern technology, when software can perform better than humans, that’s a good time for automation. And with the number of threats government systems face each day—and the complexity of complying with regulations—it is impossible to competently address all the many types of threats manually. Automation is a necessary and extremely valuable way of getting big chunks of the job done.
See how automation can work in the real world.
Looking at the STIG/CIS quadrant, this is the area of vulnerability that employs the most humans: expensive, specialized labor working on repetitive, dense work. In fact, it often eats as much as 70% of a cybersecurity budget in the government sector. But because there are rules and structure around this work, it makes a great candidate for automation.
SteelCloud’s ConfigOS automates the process of STIG compliance, boiling down days and weeks of manual work to an hour. In one example, ConfigOS reduced a 16-hour scanning and remediation effort to one hour per software implementation…and there were 2500 implementations. This resulted in a 94% decrease in time spent. Moreover, it avoids labor costs of approximately $3M per year. The STIG specialists who no longer need to manually bring systems into compliance can now be used to assess risks and patch issues, two areas that can frequently be understaffed in the vulnerability area.
So, when determining where and what to automate, consider the process itself. If it is a manually intensive, predictable process, automate it and reassign your people to another vulnerability area. Cybersecurity threats just get more and more sophisticated. Your response to them needs to be sophisticated, too. Bots really can be better than humans.
About the author:
Brian Hajost, President & CEO
Brian Hajost is the President & CEO of SteelCloud. Brian transformed SteelCloud into a recognized pioneer in delivering new technologies that allow government customers and commercial enterprises to effectively meet the compliance mandates of RMF, NIST 800-53, NIST 800-171, CMMC, and IRS Pub 1075. Brian is a 30-year veteran of the hardware/software industry with extensive experience focusing on government and federal integration, financial and securities, and mobility markets. You can reach him at firstname.lastname@example.org.