Security operations expert, Leon Ward, VP of Product Management, ThreatQuotient, says it’s time to get real about the people side of cybersecurity automation.
In security, we are very used to talking about features and functions in the tools we use. When it comes to measuring the positive impact of what we spend on cyber, in terms of both people and equipment costs, we tend to be equally abstract—for years, ‘mean time to detection’ and ‘mean time to resolution’ have probably been the two most widely-used metrics for cybersecurity progress, and measuring the number of security incidents handled is still probably how the CISO tracks his team’s contribution to the organisation.
But no longer. Today we need to start thinking about measuring cyber’s impact in completely new ways—or to be more accurate, concepts new to us in IT security but already very familiar to our colleagues in HR; with terms that seem very far from threat intelligence, such as wellbeing, inclusion and creating psychologically safe spaces.
Why ‘EX’ is becoming more important in non-IT parts of the workplace, the shorthand for such approaches and employment policies comes under the umbrella term EX—employee experience, which has been defined by Gartner as the way in which employees internalise and interpret the interactions they have with their organisation, as well as the context that underlies those interactions.
What makes the extension of CISO thinking into this area even more remarkable is that it’s in the context of cybersecurity automation—defined as the provision of real-time detection, rapid response, and proactive defence tools, so making systems that can help protect us at scale and which optimise many of the routine tasks human security practitioners get asked to do.
Security automation is still a relatively new part of the wider cybersecurity armoury, which explains why it’s not as big a spending spending priority for Chief Security and Information Officers, as other cyber tools with 2023 market size of $9bn (though set to grow to $17bn by 2028). However, interest is rapidly rising, as we start to see how we need to be able to operate at cloud-level scale and machine learning speed to cope with the evolving sophistication of security threats.
And so far, it’s been hard to measure security automation ROI. I can measure ROI (return on investment) by automating workflows in a business process; tasks are completed faster and cheaper. But if automation just keeps everything going without interruption, is that enough of a KPI?
Is the real ROI for a tech product how good it makes the user feel?
Well, now we have a better KPI. For the last three years, here at ThreatQuotient we have been polling cyber teams about their experiences, and this year we talked to 750 senior cybersecurity professionals in the UK, US. and Australia from big organisations in verticals from central government to retail and financial services.
We found lots of interesting statistics, but for the first time we found respondents putting the HR and people side of cyber ahead of other aspects. This starts with the top three challenges facing cybersecurity teams being framed as insufficient budget, growing regulatory and compliance challenges—but also high team churn rates. Even more strikingly, employee satisfaction and retention has become the main metric for assessing cybersecurity automation ROI for more than 60% of the survey respondents—outweighing those older ‘mean time to resolution’ measures we have always utilised.
So, the point of investing in cybersecurity automation is becoming less the straightforward technical and security protection measures. Now, it’s to get automation in to help with making the analyst’s job easier and so more enjoyable. By getting the computer to shoulder the burden of low value/repetitive activities and release the skilled professional to take on more interesting and fulfilling work. In strict security terms, think about how nice it would be to not have to click the same eight buttons repeatedly to achieve your outcome, or for it to be easier to work through that bunch of domain names which have been incorrectly blocked that you receive every day.
But from what I’m seeing in the sector, it’s not just automation of this kind of work that the CISO is looking for help with here. Across multiple industries, companies are now actively looking to improve employee satisfaction, to consciously see how their wellbeing can be boosted, and reduce churn. Personally, I see a lot more change at senior level; it used to be you would see the same head of security in a job for five to ten years, but since COVID and us all re-examining what we want from work, people now seem to move or even leave the sector every two to three years instead.
Security leaders also want better L&D (Learning and Development) for their people. We asked what the top three most desirable aspects of a new cyber automation product was; training availability—so making sure people can actually get value out of the product and the technologies they’re deploying—came in at a strong second (23%), just behind if the tool can integrate with multiple data sources (24%). But I also hear a lot of employers talking highlighting support for hybrid working, diversity, flexibility around parenting in their recruitment campaigns—all classic EX concepts that suddenly make sense in this area of tech, too.
Time for our tech culture to get more welcoming and supportive
There’s a kind of fascinating contradiction here; by making automation mainstream, we’ve also realised that making routine work simpler has exposed a much bigger issue around what we are asking our analysts to do all day—and the security leader has taken notice.
Of course, there’s an EX message in our results here that’s not just for the security or enterprise IT leader. It’s also for makers of security products in general. Do cyber vendors need to incorporate the human benefits of their solution into their product design and messaging, and not focus strictly just on the bits and bytes?
I think the answer is clearly yes. And while some sceptics may dismiss all this as ‘fluffy,’ the reality is that we simply can’t afford to ignore the people side of our business anymore. When observers speak with genuine concern that the UK’s cyber security skills gap is ‘a ticking time bomb’ for the whole economy—and the government is openly saying the people in charge of cyber security in nearly 750,000 UK businesses lack the trained people to carry out the kinds of basic tasks laid out in the national Cyber Essentials scheme—then if paying attention to Employee Experience means we’ll get more people to enter the profession, and stay in it, then pay attention to it we must.