Almost a decade has passed since compliance mandates propelled financial services firms into stepping up their game to protect critical information assets, thereby protecting the integrity of the business and earning the trust of their clients and shareholders. It seems like yesterday that chief security officers were establishing the importance of their roles and making their influence felt from the boardroom to the monitoring consoles of the operations center. Successful organizations were building bridges within the business and to partners instead of fortifying walls that would have suppressed the flow of information critical to business growth and the ability to compete in world markets.
The lessons learned about accepting or tolerating risk to enable the business strategy have been punctuated by blazing headlines publicizing mistakes and oversights. Today, security managers accept that best-practice frameworks and all the controls in the world can’t remove the risk introduced by errors in human judgment or performance. Instead, automation is selectively applied to mitigate the human factor.
The Human Factor
From risk assessment to policy enforcement to desktop tasks, the possibility of human error exists. It is impossible to completely avoid errors in judgment during the assessment process; it is foolhardy to assume that every employee will follow procedures and processes all the time, regardless of training, motivation or oversight. The management challenge is acknowledging the human factor, even embracing it, and then taking steps to compensate for inevitable errors. Automation in information security takes the expert judgment and skills of the highly capable security expert, and applies them automatically when certain conditions and factors occur. Automation provides for early warning, proactive avoidance and accelerated response to minimize the impact of the human factor on information security.
Optimizing the capability of security experts to identify threats and develop reliable response scenarios can minimize exposure to all kinds of attacks on information resources. More tools are available today that automatically capture and apply the collective, enterprise intelligence needed to compensate for the human factor. Risk management, as an example, is a well-defined process that unfortunately involves human intervention in all phases, from policy creation to control definitions to investigation and response. Automation enhances the effectiveness of risk management by:
• Prioritizing security risks – Systematic identification of key systems and the threats posed to those systems is straightforward. However, not all systems are created equal. The judgment to prioritize systems may be intuitive, but the balancing of resources to achieve prevention is not. Automated scoring of security alerts relative to compliance and business risk keeps costs under control and results in a timely, effective response.
• Quantifying risk – How likely is it for an exposure to occur and what would be the cost of such an exposure? Hybrid attacks involving many resources are difficult to anticipate. How costly would a successful attempt be and would the cost to proactively defend against this attack be worth the reduced risk?
• Responding to violations and anomalies – Developing recommendations on how resources should be allocated for a response can minimize exposure and result in lower costs and higher satisfaction. The planning is manually intensive, but mounting an effective and consistent response, appropriate to an attack, can be automated. Failure to automate can result in unnecessary cost increases and a potentially weak response.
Effective risk management acknowledges the human factor, recognizes tools that capture the collective intellectual capital and automatically applies the intelligence to proactively seek out high risk threats and accelerate a cost-conscious response.
Pamela Casale is Chief Marketing Officer at Intellitactics (www.intellitactics.com). She can be reached at pcasale@intellitactics.com. For additional information, please contact Suzanne Porter-Kuchay, 703-406-2575 or via email at spk@intellitactics.com.