6 hidden risks of IT automation
One of the biggest hidden risks of IT automation is not securing the data used to train automated systems, says Kevin Miller, CTO, America, at enterprise software company IFS.
One of the biggest hidden risks of IT automation is not securing the data used to train automated systems, says Kevin Miller, CTO, America, at enterprise software company IFS. “Taking it a step further, automated systems may have vulnerabilities that bad actors can exploit — even anomaly detection itself can be hacked,” he says.
This leaves companies susceptible to the automated propagation of threats, Miller says. “For instance, if an attacker gains control over an automated process, they can spread malicious code, software, or activities across the system much more quickly than in a non-automated environment,” he says.
This could lead to faster and more extensive damage before detection and remediation efforts can be initiated, Miller says. Companies must have full visibility and constant monitoring of systems to determine whether an anomaly is caused by a bad actor who can steal sensitive data about an asset, the company, or its customers.
Magnified data management issues
Data management can be a crucial part of IT automation, but it might not occur to teams when deploying tools to automate processes. This can lead to problems.
“Using stale data — whether it’s by seconds, minutes, hours, or days — to automate IT technologies is a lot like using old, non-current traffic data to summon an Uber,” says Erik Gaston, CIO of security company Tanium.
“It won’t work, and it’s not a good idea,” Gaston says. “Without real-time data, organizations are limited in what they can scale. To add to the risk factor, when organizations try to automate beyond what they can scale, it can break critical processes.”
Moreover, Gaston says, lack of real-time data when scaling automation can add to cybersecurity vulnerabilities. “When automation technology is not using real-time data, it can fail to detect a critical threat or zero day, which could result in a data breach going unnoticed long enough for the bad actors to exploit vulnerabilities and gain unauthorized access to systems or data,” he says.
To address such issues, RaceTrac’s Williams says the convenience store operator has in place a federated data governance strategy that provides a structured methodology for data management. “The cornerstone of this approach is ensuring that all data underpinning IT automation is thoroughly vetted, compliant with relevant regulations, and meets the highest quality standards,” he says.
A federated data governance strategy achieves a delicate balance between centralized governance controls and the flexibility of decentralized access, Williams says. “This methodology allows for top-down governance oversight while empowering users with the autonomy to self-serve,” he says.
This strategy enables organizations to “harness the full potential of IT automation, ensuring that their efforts are built on a foundation of solid data governance and are resilient in the face of evolving technology landscapes,” Williams says.
Complacency
Another risk is that tasks, once automated, are likely to not be reviewed by IT later.
“Complacency is a very real risk when it comes to IT automation,” Tricentis’ Kichen says. “When something works without much need for human intervention, it has the potential to be easily overlooked. IT teams may forget or ignore the underlying process steps, and this way of thinking leads to potential problems and risks that can easily arise undetected and unaddressed.”
One example is human resources off-boarding. “The potential of the process breaking down is very high and problems going undetected are common, as everyone tends to assume everything is working as intended,” Kichen says.
If the automation works and it doesn’t create obvious errors, IT teams might forget about it. “This means it doesn’t get periodically reviewed to see if prior security or IT assumptions remain true,” Kichen says.
At the time of its creation, those decisions were probably reasonable, Kichen says. “But over time, the underlying assumptions that drove those decisions change,” he says. “If IT teams don’t have a corresponding process to periodically review the automation and its implementation, they can get exposed to serious risks that may have been nonexistent when it was initially created, but are now there and relevant.”
The failure to monitor automation systems can extend to a failure to keep tabs on the marketplace. “In the intervening months or years, new vendors may appear that actually build a product that more securely and efficiently does the thing the team originally automated,” Kichen says. “If teams are not on the lookout for these advancements because their process in place works, then it won’t be until something bad happens that they begin to rethink their approach and realize that the technology and vendor landscape has advanced.”
Governance isn’t a given
It might sound like a contradiction, but IT needs to monitor and manage the flexibility and autonomy enabled by automation. Otherwise things can spiral out of control.
“Automation is ultimately a spectrum, meaning it is up to each organization to determine its individual risk tolerance and act accordingly,” Tanium’s Gaston says. “And while this flexibility can be beneficial, it necessitates careful planning, regular and real-time monitoring, and ongoing training for IT personnel to ensure they have the skills necessary to manage and troubleshoot automated systems.”
It’s also important to know the dependencies of any workflow that is automated, to maintain reliability and resilience. “This is especially important when it comes to dated legacy systems that often don’t do well with change and become more brittle with automation,” Gaston says.
One solution to controlling the use of automation is to create a governance program. “As with any emerging technology, regulations and standards continue to emerge regarding automation, and many organizations have yet to determine how to embrace automation in a manner that best aligns with business objectives,” Gaston says.
“Even as we automate using best-in-class platforms, it is imperative to look at workflows and processes and ensure the right guardrails, dependencies, and actions are in place,” Gaston says. “This ensures you can build a modern organization that reduces risk and moves IT from administration to innovation.”
Overdependence on automation
Is there such a thing as too much reliance on IT automation? Possibly, if it means a decline in other areas.
“Relying heavily on automation can lead to skills atrophy among IT staff, where manual troubleshooting and intervention skills may decline,” IFS’ Miller says. “This becomes a significant risk when automated systems encounter unexpected issues that require manual resolution.”
An overdependence on automation can also result in a loss of institutional knowledge about the intricacies of system operations specific to the business, Miller says, making it harder to adapt or innovate outside the automated processes.
About Author
