Assess and Turbocharge Your Security Automation Strategy

Video Transcription

Paul Anderson:
Hello. Good morning, everyone, or good afternoon or evening depending on where in the world you’re dialing in from. My name’s Paul Anderson. My title is VP of solutioning at FireMon, focused on automation. Really what that means I do is liaison between customers, support services, and product as the automation market evolves, to make sure we’ve got our ear to the ground and we’re building features, integrations, and solutions that really benefit customers as they embark or move forward further on their automation journey.

Paul Anderson:
More importantly, joining me today is Chris Gardner from Forrester. I’ve had the pleasure of meeting Chris and having a few phone calls with Chris. And really, the way that he thinks about automation really speaks to what we see in the field in terms of the delta between customers that are successful versus customers that buy into a dream, but don’t really know how that project’s going to play out.

Paul Anderson:
Chris has a really good vantage point in terms of what sorts of adoption models succeed. What sorts of adoption models fail? What’s the conflict between traditional data center models and things like DevOps? And how does that impact automation projects? How does that impact what your targets are? How does that impact whether you build something, buy a solution, or look at multiple toolsets together to build the process?

Paul Anderson:
Pleasure to introduce Chris Gardner, and he’s going to go for a little while, and then I’ll have some comments in terms of what FireMon does. More importantly, please send in Q&A at any time and we’ll answer some questions either through the presentation or at the end.

Chris Gardner:
Great. Great.

Paul Anderson:
Chris, all yours.

Chris Gardner:
Yeah, thank you, Paul. Thanks. So, thanks for inviting me along, and as Paul mentioned, I’m a principal analyst at Forrester, leading infrastructure and operations coverage. But I think what’s most relevant to the folks in this webinar is I used to do this stuff for a living. I’ve been an analyst for a number of years, but before that, I was basically creating automation in very large data centers. And large batches of infrastructure going across cloud, and hybrid, and edge, and everywhere.

Chris Gardner:
So, I’ve had the war scars, and what I’ve run into is that people tend to not think about automation holistically. They tend to look at it from a tactical standpoint and say, “Well, how can I get an efficiency gain here? How can I lower the cost of this? How can I possibly move a little faster?” And there’s a lot more to it.

Chris Gardner:
My part of this presentation, we’re going to talk about a couple of things. One is we’ve been looking, at Forrester, at a different way to look at automation and understand it. We believe that a framework is needed in order to pull this off. And as a former engineer, I actually was looking out there and saying, “Has anybody actually done this before?” And I couldn’t find anything. So, I’m going to go into what we’ve done and why it’s important.

Chris Gardner:
Next, I’m going to be talking about this new trend I’m seeing, which is automation strike teams. These are groups in the organization that are basically tasked to do some architecture, but accelerate automation projects. They are not centers of excellence, and I’ll go into why that is in a moment.

Chris Gardner:
And lastly, we’re going to have a brief sample of the maturity assessment that we’ve created around automation. A lot of people want to know their grade on these things and how far along they are on their journey. You will see a link for the full maturity assessment, which is about almost 20 questions long. We’re going to do a short version on this presentation just so you get a feel for what we’re asking for and how you could potentially grade yourself.

Chris Gardner:
So, let’s start out by talking about the framework element, and I don’t think it would surprise anybody that we need to look at automation from a higher view and more strategic view than we have before. There’s a lot of fearmongering around job loss, and the reality is that there is going to be some. We’ve personally predicted that we’re going to see 3.9% cannibalization of the cubicle jobs. We’re going to see some job growth.

Chris Gardner:
There’s a technology called RPA, robotic process automation. It’s going to become gigantic, and it’s going to impact network automation, infrastructure automation just as much as it’s impacted front office work. And one thing that we wrote about this last year, which is kind of surprising is the paradox. What we call the automation paradox, which is you would assume as you automate everything, everything gets better. But it turns out that you reach a point where the time to resolve issues actually starts growing again. That’s due in part to the fact that you’ve automated all the simple stuff, and now you have the complex stuff that remains.

Chris Gardner:
So, all that said, we get a lot of questions and a lot of confusions where people are like, “You know what? I know I have automation tools in my portfolio. I’ve had them for decades now. Is it this product or this product? Do I actually know what I have? Is it possible I can get rid of some of this stuff? Is it a situation where I have to apply a different touch to say infrastructure automation versus chatbots?”

Chris Gardner:
What we did was we created this framework to address this, and specifically to address islands of automation. Again, going back to my enterprise days, it wasn’t like we weren’t automating. We were automating all over the dang place. The problem was that we were repeating processes. We would do things like do RPA in three different segments of the organization. Do chatbots in two, and what you’d often find is that those groups would even have different tools and different vendor relationships, which is just silly.

Chris Gardner:
We needed to be able to make a call as to how do you address these islands? How do you actually make a comparison and say, “This infrastructure management tool is the same as this element manager, is the same as possibly this hybrid cloud management tool”? We created a framework that looks at all types of automation in a unique way. I want to be clear that it goes beyond infrastructure automation, which is the purpose of this call.

Chris Gardner:
We look at development automation. We look at sales and engagement automation. Decision automation, which is where you find a lot of AI and machine learning, and industrial automation where you look at physical robotics. We look at it across three centers of dimensions: people dimensions, process dimensions, and enterprise dimensions.

Chris Gardner:
I’m not going to read off this slide, but I think what’s important to note is a lot of people only look at the process profile. They only look at, “What do I need to get this automation? How well is it going to understand what I’m doing? And then how is it going to act? Is it going to try to be deterministic or it’s going to act in a way that I can fully program or is it going to figure things out on its own?”

Chris Gardner:
The reality is that that’s only one part of the entire automation profile. You need to also understand the enterprise effect. You need to know, “Okay, if I implement this automation, I’ve got to go into a federated operating model or I’m not going to be able to govern this thing because it’s largely a black box.” We even created a process called robotics quotient, which basically is… You have IQ, which is intelligence quotient, and EQ, which is emotional quotient. RQ is robotics quotient. It’s how well your organization is ready to leverage this automation, and every single type of automation requires a different RQ.

Chris Gardner:
And lastly, people effects. Is this going to be a piece of automation that you actually engage with, and is there a societal impact of it? If I enable hybrid cloud automation or network automation, fortunately or unfortunately, depending on who you are, there’s not as much of a people impact. It’s going to be a situation where things improve, but I’m not going to notice it on a day-to-day basis the same way I would notice a driverless car for example.

Chris Gardner:
But as we begin to accelerate automation projects, and they start to grow more and more powerful with AI and machine learning, you’re going to see these get more and more impactful. It’s going to be even more of an opportunity for jobs to be affected and society to be affected as well.

Chris Gardner:
Nine dimensions is a lot. So, the way that we look at it is we say, “How do we display this in a visual way with a digital signature?” We created what we call the graphic equalizer. So, if you ever remember those old school stereos or even new school ones, they used to have, and still do, most of them are digital at this point, a series of knobs from bass to treble. And you would adjust them based on how you wanted that music to sound, and often, certain genres, you wanted to have a certain profile involved with it.

Chris Gardner:
It turns out that every single type of automation has a profile to it. And I want to be clear that people sometimes look at this and they say, “Well, things at the top are better than things at the bottom, right?” That’s not how this works. It’s the same way that having more bass versus less bass is a result of personal preference in the music you’re listening to. Not that more bass is better.

Chris Gardner:
That said, we can look at tools in the space, the infrastructure automation space, and this is an example of configuration management. And we can say, “Look, it takes in largely structured data in a coded way and deterministic fashion.” You don’t have a lot of AI being applied to this space yet. Even though AIOps is a term and it’s gaining popularity, it’s not an area where we’re seeing a ton of traction.

Chris Gardner:
Likewise, you’re not going to see a huge impact on your enterprise, and quite frankly, a lot of this is behind the scenes. It doesn’t have as much of a human impact. So, you can be confident that when you implement automation tools in the infrastructure space that you’re not going to necessarily need to have the same requirements as if you implemented RPA or implemented chatbots.

Chris Gardner:
If we map all the tools in a given space, we start to see some trends, and the trends that are interesting in here is that by and large, most of the tools don’t require a ton of RQ to manage. Tools in this space include network automation, hybrid cloud automation, server deployment, security automation we include in this space as well. But they can have varying degrees of data acquisition. They can have varying degrees of human-machine interaction.

Chris Gardner:
By and large, most don’t have a very high conversational intelligence, which means that they don’t necessarily try to interpret what the human is doing. You can think of conversational intelligence as calling up an automated phone line and yelling at the automated phone operator. If it has conversational intelligence, it’ll understand, “Oh, this person’s upset. I should treat this differently.” The average hybrid cloud automation tool is not going to do that, which is fine. I quite frankly don’t want it to at this stage.

Chris Gardner:
Now, all that said, once you get an idea of these dimensions and everything, you have to build out teams to execute, and most people have done this, but they haven’t done it in a really holistic way. First off, I’ll tell you what doesn’t work. What doesn’t work is to take automation, take your existing operating model, and just slap it on top. If you’re semi-old school like me, you remember back in elementary school and high school that they would have a transparency projector, and they would put transparencies down and draw on them.

Chris Gardner:
I’ve seen a lot of folks take their operating model, put the transparency of automation on top of it, and none of the lines match up. So, I suggest what people do is you have to weave it through. You have to take these teams and make them part of not only your operational process but your strategic process that affects your lines of business. Don’t maintain these islands, they readily create themselves, so that’s easy to do. And don’t assume it’s somebody else’s job. I often get people telling me, “Well, that’s infrastructure and operations’ job or that’s the business’s job or that’s the developer’s job.” It’s your job. Everybody is an automator at this point.

Chris Gardner:
You need to use the framework to align. Most people have not looked at these dimensions. They need to look beyond the process profile and actually look at the enterprise impact and the human impact. You need to design modular consumable services. Everything is API-driven at this point. There’s no reason why you need to create a snowflake type of automation for your workflow, and then have somebody else create a different snowflake of workflow automation for something very similar in a different area.

Chris Gardner:
You really do need to be in a situation where you can package it up, give somebody else an API, and they can just run with it. And you have to estimate the impact not only on process but your enterprise and the people itself. One of the things that I’ve learned is that you can pretty much separate any given operations group, and in fact, pretty much any group into three buckets when it comes to new technologies. In this specific case, automation, which is that the first third of any group tends to jump right on board. They want to automate their own workflows. They perhaps even like programming. They recognize that some of what they’re doing is rote and they’re cool with it.

Chris Gardner:
The second third tends to watch the first third and sees how they get through things at first. They don’t want to have their feet in the water first. They want to get somebody else, somebody else to get wet, make sure there’s no sharks, and then they’ll jump in. The last third, unfortunately, doesn’t want to do anything with this at all. They don’t want to be part of the conversation. They actually like manual work in some situations.

Chris Gardner:
People tend to think of that last third as perhaps a group that’s close to retirement, and in some situations, it is, but not always. I’ve seen some folks that particularly in infrastructure and operations that start out as racking, stacking, and watching the blinking lights, and they don’t want to change their jobs.

Chris Gardner:
But that said, you need to completely reevaluate not only that last third but all three by rating your maturity and comparing with your peers, which I’m going to walk you through in a second. And you need to broaden your strategic perspective. A lot of folks I’ve seen have an innovation center now in their organization, but the innovation center is kept separate from automation efforts, which doesn’t make a lot of sense.

Chris Gardner:
I’ve seen a lot of organizations apply the same priority levels to every automation project. Or they say, “We’re going to use AI-driven chatbots, and we’re also going to use hybrid cloud automation to do cost optimization.” Those things are not the same, and in some situations, it’s actually easier to address the low-hanging fruit right now, and perhaps even cheaper, and then plan out for the next couple of years.

Chris Gardner:
“Okay, we’re going to do some unusual things with AIOps.” Or, “We’re going to do RPA in areas that we’ve never done before. Perhaps we’re going to use physical robotics in locations we’ve never done.” But those can be longer-term strategic projects. You can prioritize the quick wins now, and just to be clear, I’ve seen some folks that try to take what I call the bomb in the server room approach, which is they go into their given data center and they say, “We’re going to blow this whole thing up. We’re going to change how we do everything. We’re going to automate it all. We’re going to do multiple data centers. We’re going to connect all the dots.”

Chris Gardner:
The reality is that that never works. You basically need to start with the smaller projects, start with greenfield. Start with automating simpler aspects of the network or perhaps server provisioning or container provisioning at this stage, and then look out at your legacy environment and say, “Okay, what else can I do?” Versus trying to change it all one shot because again, I’ve never seen that work successfully.

Chris Gardner:
You need to create or make official these strike teams. What is a strike team? What am I talking about here? A lot of people when I’ve gone to major enterprise and I said, “Who’s responsible for your automation projects?” And traditionally, it was IT. But what was happening is that some of those folks in IT were moving on and saying, “It’s great that we have people that are managing the services and the security and infrastructure and all that stuff, but I want to be involved with strategy and planning around automation. I want to do project support. I want to do the architecture.”

Chris Gardner:
I asked these folks, and we did interviews with a good chunk of the Fortune 100. I said, “Isn’t this a center of excellence? Isn’t this an automation center of excellence?” And they said, “No.” For two reasons. One is the term center of excellence has unfortunately lost a lot of its brand value. A lot of people have been burned by the idea and think of them as ivory towers.

Chris Gardner:
But probably more importantly, it’s not just one center. A center you would presume would be one group in the organization, and it turns out it’s multiple. You could have a strike team for network automation. You could have a strike team for chatbots. You could have a strike team for RPA. And because they’re separate disciplines, that actually makes a lot of sense. I want to be clear though. It’s not like they own the processes. The process by domain experts. So, you still have situations where they’re responsible for change management. They’re responsible for automation design, test maintenance, and compliance.

Chris Gardner:
What the team is there for is to evangelize, to manage guardrails, provide design authority, and jumpstart. And the way they do that is there’s new roles that have come into play that address this. Every strike team has a lead. They lead the strategy, but they also handle enterprise communications, and they coordinate across the other groups. We have this discipline called robot architects, and you can think of them as enterprise architects for automation. They are the top SMEs. They’re the ones who provide the tools and the standards and lead the orchestration.

Chris Gardner:
We have design authorities. Those are the ones that go out and guide the domain experts. Guide the ones who are going to be using the automation as to what to automate and track the progress of it. You can almost think of them as more advanced project managers, more technical project managers. You have jump-starters, which are boots on the ground. Essentially, they assist with figuring out how to actually codify the automation, do the user journeys, do the impact assessment and testing, and do the configuration.

Chris Gardner:
And lastly, in some types of automation, you have botmasters. So, there are particular types of automation like RPA where you don’t necessarily want or need traditional IT to do the operations. You actually need someone who’s going to watch these bots that are performing, say insurance claims, and know how to troubleshoot them specifically with business knowledge. In some situations, you would have that be separate from the process experts themselves or process owners themselves.

Chris Gardner:
These are being stood up in a lot of different organizations and increasingly gaining more power. They’re the ones that are actually making the call as to, “We’re going to buy this automation,” or, “We’re going to get rid of this,” or, “we’re going to combine these various groups together under this one.” I strongly encourage people to not just look at your given organization and build these teams out, but see where perhaps they’re already being built out.

Chris Gardner:
A lot of places have started to do this in an organic way, and they just need to be made a little more official. They need to be given the power that they need to be able to make purchase decisions and address architecture concerns and do some of the integration work that perhaps the traditional IT organization was doing before.

Chris Gardner:
And last in my section, I’m going to do a quick assessment. And again, this is a way of looking at your own particular organization and how far along you are in your automation journey. There is a link for you to go to for a larger assessment, but this will give you a taste of it. We basically judge you on six different pieces: your strategy, how effective it is, the process of how you’re doing automation, prioritization efforts, the people that you have, the structure that you have around those people and the tools, and lastly, the overall organization and how you’re addressing it.

Chris Gardner:
The way that this is going to be done, and this is automatic in the website, but on this webinar, I’m just going to ask you to keep score on the back of a napkin. I’m going to give you six statements. Write down if you completely agree to completely disagree. Give yourself a five if you agree, and a one if you don’t agree at all, and somewhere in between if you don’t agree or disagree or you neither agree or disagree.

Chris Gardner:
So, let’s get started. Statement one: you’ve not integrated your islands of automation. The keyword here is integrated. You’ve actually taken a look at your islands and said, “Okay, we can’t do this anymore. We have to combine these various groups. We need not only to integrate them from a technical level, we have to integrate them from a people and process level.” If you’ve successfully done this for every type of automation in your organization, you’d give yourself a five here. If you haven’t done it for any, you’d give yourself a one. When we get to the end, I’m going to give you a little bit of a sneak preview of what people usually end up with on each of these.

Chris Gardner:
Statement two: you understand the nine dimensions I offered earlier and how they impact your strategy. This is one that you have to be honest. A lot of folks, again, have only looked at the process dimensions. They haven’t ever looked at the enterprise and people effect. If you’ve actually thought of these things and mapped out every automation in your organization with those nine dimensions, you’d give yourself a five here. If you’ve never even thought of these dimensions, you’d give yourself a one, and if you thought about some of them, you’d give yourself a two, three, or a four.

Chris Gardner:
Statement three of six: you prioritize automation projects based on disruptiveness and competitive advantage. So, this goes back to what I was saying earlier. Not every automation project has the same impact and deserves the same attention. You need to look at what’s going to disrupt your business workflow and at the same time, what’s going to give you an advantage over your competitors?

Chris Gardner:
It could be simple stuff. It could be simply automating a firewall change, but is that going to be disruptive, and does it give you a competitive advantage? Have you actually thought of those things? If you have, you give yourself a five. If you haven’t thought of it at all, you give yourself a one. And if you feel like you haven’t really done as well as you could, again, a score somewhere between.

Chris Gardner:
Statement four of six: you’re actively shifting operating roles to development. We have a report, actually, I wrote a report last year that the title is Evolve or Retire. Operators are now developers, and we’ve been saying this for a number of years. We’ve had folks that have come into this world of DevOps and tried to rebrand themselves, but the reality is that a lot of folks are still racking and stacking, watching blinking lights. If you have done this for your entire organization, give yourself a five. If you’ve not even thought about it, you can give yourself a one. And if you’re somewhere in between, again, two, three, or four.

Chris Gardner:
Statement five of six: you have a dedicated automation strike teams. I should say you have dedicated automation strike teams. I was the one who created the slide so you can shoot me on the grammar on that one. Basically, have you started to build out these teams that have the authority to execute these projects?

Chris Gardner:
And again, they’re not necessarily a part of IT. In fact, in a lot of organizations, they’re not. Are they looking at it from a strategic level? Do they have sway over purchasing decisions? Again, if you have done this holistically throughout your entire organization, you give yourself a five. If you’ve not even thought about it, it’s a one, and two, three, or four in between.

Chris Gardner:
Last statement: you rely on hero individuals to create and manage automation. This one is a bit of a double negative. What I’d like you to do is give yourself a five if you don’t have hero individuals, and a one if you still do. And what I mean by hero individual is that person that logs in at three o’clock in the morning to fix either an automated process or even a manual process.

Chris Gardner:
I’m sure myself as many in the audience have been in this situation of being in IT and being responsible for those last-minute changes. And granted the day after you do get called Superman or Superwoman, but Superman’s dead. I’d much rather Superman automate the process so that he can get a little sleep at night. So, give yourself a five if you’ve successfully taken hero worship out of your organization and treated people as heroes if they automate their own processes. Give yourself a one if you haven’t done that at all and you still have tons of heroes. And again, two, three, or four in between.

Chris Gardner:
So, how’d you do? Less than 18, if you add up all the scores. If you had ones and twos on most of these, you’re going to be beginner level, and I’m going to get to in a second what these levels mean and what you’ve got to do. 18 to 24 would be intermediate, and greater than 24, we consider to be advanced. Quite frankly, if you’re advanced, you can come join me at Forrester because we probably need your help to teach our clients some things.

Chris Gardner:
So, beginner, don’t feel bad. A lot of people end up in this slot. The goal at this point is to start small and focus on strategic wins. Use the framework I just described. You will be able to grab this presentation off of FireMon’s website. You’re also able to go to our website and actually download the framework itself, which is pretty rare for Forrester because we do like charging people for things. But get the framework. Understand what parts you haven’t looked at yet. Start to look at your strategy and understand the basics and improve one pillar of competency at a time.

Chris Gardner:
Maybe you do understand the process effects really well, but you don’t really understand the enterprise effects. Start with that. Address that. Don’t worry about, again, blowing up the server room and automating everything. Take these strategic elements I’m discussing here and start learning about them. Start executing them.

Chris Gardner:
If you’re in an intermediate group, which is a decent chunk of folks as well, you’ve started on the journey, but you need to start rationalizing and prioritizing. You probably have gone through an exercise of at least looking at your process workflow, looking at your automation, and mapping it out. But you need to now designate champions. Fully understand the nine dimensions I described and start to pick and choose. Not every automation project deserves the same attention, and not every automation project is going to necessarily yield the same results from a disruptive and competitive level.

Chris Gardner:
You need to make a call and say, “Okay, I know this is going to truly change how my lines of business access these applications and systems, but it has to be done.” Versus, “Here is this fancy new AI-powered robot. It’s nice and it’s innovative and all those things, but maybe we work on this for a little while. Maybe we think about how to best address it before we jump in. In the meantime, let’s automate our firewall automation for example.”

Chris Gardner:
And lastly, the advanced level, and quite frankly, not a lot of people make it to this point. In a room of 50 people, which is this, I sometimes get maybe five or six that say they’re advanced. You have a strong understanding of this stuff, which is great, but you need to optimize your operating model. You need to make these teams, the strike teams I was describing earlier, truly powerful, and not only train your folks but start to do knowledge sharing. Start to make sure that various groups are comparing notes and comparing modules and reusing things.

Chris Gardner:
I want to be clear, that doesn’t necessarily mean these champions are leading a center of excellence. They’re not supposed to stand there and throw down architectural standards down from above. They’re supposed to be strike teams. They’re supposed to jump in, execute, make sure the standards are in place, move on, and just continue to have that conversation of, “Let’s keep things efficient and fresh and moving.” As opposed to, “Let’s work towards an arbitrary standard we built a year or two ago.”

Chris Gardner:
Most folks, again, are not at this stage, but that doesn’t mean you can’t aspire to be this stage. My viewpoint on this is you don’t necessarily have to get to advanced, you have to get better than what you were. If you’re a beginner, you’ve got to get to intermediate. Intermediate, you should try to get to advanced in whatever way you can.

Chris Gardner:
With that, I thank you. This was, again, a look at how Forrester looks at automation strategy, and I’m going to hand it off to FireMon now as they go through their product lineup and how they look at automation and how some of the things that they do address some of the concepts I just described.

Paul Anderson:
Yeah, thank you, Chris. Laura, hopefully, everyone can hear me. If there’s any problems with audio, let me know. Couple of things, so I’m going to stay fairly high level, but go into some specific scenarios, and then please let the questions fly in. If I need to cut content short so we get to pick Chris’s brain on what works? What doesn’t? Why are people succeeding? Why are they not? That’s a very valuable use of this time. So, happy to accommodate for any questions that come in.

Paul Anderson:
Something that Chris just said, and you saw our first slide. Security automation. Just to be clear, there are so many different things when people say shift left or automate security or SOAR, security orchestration and response system. We play very specifically in our world… You could almost call it firewall policy change automation. I don’t think that’s headline one on the marketing flyer because it’s got no sizzle, but that’s the part we focus on.

Paul Anderson:
What Chris just said rings very, very true to me as one of the advantages I have in my role of working with somewhere around 150 different customers in a year, all different parts of the globe, different industries, different space, is it’s a little bit of the Wild Wild West out there in terms of how people are approaching automation, or at least specific to the firewall space that we’re in. There’s a few reasons why and I’ll try to talk about those.

Paul Anderson:
The first slide here says two things to me. Number one, someone had the time to put this slide together, and I really hope they screenshot it and cut and paste it, but if not, really good work putting all the logos there. But number two, Chris didn’t say a single word about a band-aid, a magic bullet, throw a product at the problem. So, yes, I know that I specifically represent a product vendor, but it is so important to me when I work with customers or when I’m doing trainings for ourselves, people in our SCs, or when I’m working with our services teams in terms of how they think differently as customers adopt automation.

Paul Anderson:
To put those types of metrics and frameworks that Chris talked about to say, “What’s going to be successful?” Because customers buy technology after technology after technology, and then two years later, they go through an assessment of which ones are they using? Which ones are they not? Which ones can they get renewals for?

Paul Anderson:
And so, if you take a framework or a mindset like Chris and you adapt it to your company, and you try to figure out what’s going to work, you have a significantly higher chance of looking good. If you’re the project sponsor for one or multiple softwares that you purchased or for that automation project, what outcomes are you driving towards versus pitching some sort of vision up to your executives that, “Hey, we’re just going to automate all our process and things are going to be better.” How do you set yourself up for success?

Paul Anderson:
A couple of things specific to our industry, we run a big survey called the State of the Hybrid Cloud. I won’t read a bunch of statistics on the slide. What I read this stuff to mean is everything we all already know that work in IT services, we’re getting pressured to deliver services faster. As soon as people started using their credit cards to spin up servers, executives got the idea that “It should be way easier than my IT department is making it. Why does it take me six weeks to get an application launched when I can literally spin up a server and I can have a developer start writing code to it?”

Paul Anderson:
Well, there’s a lot of good reasons for that, but that’s some of the pressure that we’re under. We live in a world where nobody has patience, and they need what they need right now, and security has the very difficult job of figuring out when to say no. Figuring out if they’re allowed to say no, or just literally getting something thrown in their lap and says, “Hey, go make this compliant, but we’re already live and on the network. And by the way, we put an any-any rule in the firewall and we didn’t have time to figure out what the right policy was.”

Paul Anderson:
Or, two, the scale and the types of technologies that we now have to deal with. We’re not just dealing with the big firewall vendors. We have NSX firewall rules to deal with. We have Cisco ACI contracts, we have AWS native firewalls, we have Azure native, we have GCP. I get asked about Alibaba, I get asked about Oracle Cloud. At every single meeting, there is a smattering of different technology, which means our skillset has to widen in terms of the types of firewalls that we manage.

Paul Anderson:
The more micro segmentation and the more multi-cloud architectures that we have to service, especially hybrid clouds, where a server for the web app is in the cloud and the database app is in the data center, the more skill sets and expansion of those skill sets we have to have to manage the firewalls. And there’s not a single statistic that says employees staffing for these problems is increasing. So, the same team that managed a much smaller problem five years ago is now being asked to manage a much wider problem. Not take the data center down, not take the service down, not get us breached, and do it really, really fast.

Paul Anderson:
Obviously, that leads into automation. I’ll skip cybersecurity skills. I look at firewall change from two sides. Again, speed and security, but we always try to talk about what are the implications of error. You see a breach, and often it’s a human misconfiguration that caused the breach. It wasn’t a process problem. Someone literally typed and fat-fingered something into the policy that didn’t match what it was supposed to be. And maybe production doesn’t match DR, so when we failover, we don’t have the same service experience in our DR site.

Paul Anderson:
That does not mean that going to automate every firewall policy deployment is going to eliminate misconfigurations, errors, and outages. So, going back to something Chris said, we do meet with a lot of customers that are looking for an automation product to solve all of those problems, and to solve every single scenario, every single type of change, every single type of firewall, every single source of request that comes in.

Paul Anderson:
What I see as more successful, going back to Chris’s model, is a CISO who says, “We had 2.2 outages per day or incidents per day last year due to firewall change. Let’s put together a project to get that number down to somewhere between 1 and 1.5.” Okay, back to what Chris said. Which workflows are we going to look at to automate? Where is the low-hanging fruit? Which part of our process are we going to automate versus literally embarking on a project where we try to boil the ocean, and six months later realize that we’re trying to do everything, and we haven’t really got any further ahead than we were when we started?

Paul Anderson:
I think that is just absolutely critical to understanding the success of automation. Something we see here is causing outages or breaches, it’s not just rogue change. The amount of outages, downtime in Sev 1 where we’ve already gone through the due diligence of a 14-step workflow, and we sent all our documentation to the customer review board or the change advisory board, and we still have an incident, is the most common downtime issue.

Paul Anderson:
I spent the last five years of my career on the infrastructure side from backup all the way through top-of-rack switches. We had a customer that had literally one Sev 1 in all of their technologies below the network. I was having coffee with them a year ago and I said, “Aren’t you all thrilled with the fact that your services are always up?” And the VP of IT goes, “What do you mean?” And I go, “We’ve had one Sev 1.” And he goes, “We had more than two incidents per day where we had multiple engineers on the phone fighting Sev 1, and it was almost always the firewall, sometimes the network.”

Paul Anderson:
So, when we look at automation, at a very high level. Again, not getting into successful adoption metrics, what are the things we’re trying to do? We’re trying to simplify. So, when we have customers come through different projects, it’s either reduce or optimize the FTE hours spent on firewall change. That could be security engineering, it could be SecOps. It could be an architecture team, it could be network. There’s usually multiple teams that have to collaborate with each other in order to get the outcome here. It’s not just one team that owns the process in a lot of cases.

Paul Anderson:
We get others where we need our most mission-critical applications to be able to make changes and get services live on the network in near real time. And I heard an argument between an infrastructure architect and a security network architect once, where the guy said, “I can spin up a server in five seconds. What on earth takes you all so long to get on the network?” And the firewall or network security architect goes, “Unless your server inherently knows how to get on the network and what access it needs, and it can signal that to all of my firewalls, it’s not getting on the network any faster. I don’t care if you can spin it up in five seconds.”

Paul Anderson:
So, there’s a marriage between do we go after the entire process and say, “Let’s do a 20% reduction in human hours, and let’s optimize our FTE hours, and that’s a very legitimate project. Or let’s go find either low-hanging fruit or business-critical processes where offloading those specific workflows or speeding up the business-critical ones either impacts revenue or has an immediate 20%, 30%, 40% driver on the automation metric as opposed to trying to build it through your project to get to 100%.”

Paul Anderson:
Something we look at in firewall change is, and I’ll show you on the next slide, that we believe at FireMon that not all changes are equal. Chris, I think you said something like not all automation projects or processes deserve the same amount of attention. We believe that same thing within firewalls, and when we talk to customers, I’d say about 50% of customers I talk to have very distinct workflows and paths as well as different SLAs that they deliver to the business depending on the type of request.

Paul Anderson:
We talked to a lot of others where every single request no matter what it is, whether it’s a net-new Oracle application that needs to go out to 10,000 IPs or it’s literally adding 10 servers to an application that you’ve already approved and gone through the diligence of allowing. They’re treated the same. They got through the same security review. They go through the same change advisory board planning. They go through the same network operations design process.

Paul Anderson:
And so, we at FireMon, and I believe where we see the industry going is categorize your requests. What’s the trigger? If it’s coming from a SOAR and it’s telling me to go block a bunch of vulnerable IPs, blocking them three weeks later doesn’t necessarily mitigate much risk. So, let’s set up a workflow where that’s a trusted request. Let’s check against existing IP access and make sure we don’t take down the data center by going to block these, which I’ve had a couple of customers tell me they did, and let’s get that one done within an hour, right?

Paul Anderson:
Let’s take this new Oracle application that we have to roll out. Let’s not automate any part of the process with that one. Let’s be as diligent as we need to be, and if it takes us three weeks, let’s make sure that we roll out those 10,000 IPs that need access to our Oracle application properly. Not increase risk. Not increase complexity on our firewall that’s going to cause outages. But maybe when we add 50 VMs because we have a seasonal burst in customers, let’s not take three weeks to add those 50 new IPs. Let’s tag them and say, “This is an Oracle web server.” Give it all the same permissions that all of our other Oracle web servers already have on the firewall.

Paul Anderson:
So, when you see this model, we look at, okay, is it coming from a ServiceNow? Is it a CI/CD pipeline where we’re being asked to do security and design validation and pass it back to some sort of infrastructure-as-code tool? Is it an email, a spreadsheet, or someone bumped into the security engineer in the hall and said, “Hey, please give me access to XYZ”?

Paul Anderson:
And then I mentioned, what’s the data we can take from a security orchestration automation and response tool like Splunk’s Phantom, or Demisto, Phantom, Rapid7 and there’s many, many others as that space is really booming right now? How do we then understand the context of the request? Either because we built templates already on the firewall or we built some sort of concept of… Chris said guardrails earlier. I hear the term golden rules. Certain things we always allow or always deny.

Paul Anderson:
And based on that logic, does it now need to go through a five or 18-step workflow? Or is it something where we can say, “Hey, the bot or the template or the compliance engine already authenticated that that request is valid and something that we always approve. Let’s go ahead and push it down to deploy. Either continuous and real time, scheduled or on a Saturday night if that’s the change window, or wait until someone has to manually push it”?

Paul Anderson:
And then let’s continue to monitor that policy. Let’s not just set up an alert if someone puts an any-any rule in the middle of an approved policy on a Wednesday. Let’s go ahead and set it up to be switched back so it doesn’t rely on a human engineer, and I don’t wake up in 365 days and go, “I didn’t know how an any-any policy in here. Why is it in the middle of an approved policy? And if I kill it, what services am I going to take down because I don’t really remember why it’s there in the first place?”

Paul Anderson:
We take that, and then we start to look at levels of automation. Chris talked a lot about tiering or your maturity level, and I love that approach. The way we look at firewall automation is, “Okay, so let’s look at your organizational maturity,” which is the model that Chris used, which I think Forrester’s doing a great job of. We’ve seen it work in infrastructure, and tied up infrastructure projects that succeed or fail.

Paul Anderson:
But now let’s also look at your workflows and back to your types of requests and what’s the risk score or metric on those requests? And let’s say certain workflows are a level four, and certain workflows are a level one. Or there’s a bunch of mid-tier work that only needs one review instead of five because it’s low risk. Or anything that’s in a dev environment doesn’t need the same amount of attention as anything that’s going to go into production network over an HTTPS service.

Paul Anderson:
We looked at not just your organizational readiness for adoption of automation, but also based on your existing process, can you take your existing process, wake up tomorrow, and all of a sudden just have a software automating every single change? Absolutely not. But can we find some low-hanging fruit to get you to a 30% within a reasonable amount of time as long as we collaborate? Absolutely.

Paul Anderson:
Here’s a good question from the audience that I’ll weave in. It says, “It seems like high-level organizations are trying to make their applications platform or environment agnostic so that it can work internally or in the public cloud. Can your tools support multiple configurations using the same front-end automation process?” The answer is yes, asterisk.

Paul Anderson:
I’ll jump ahead to a slide that gives a little bit of… This is a little bit of a noisy slide, but if you look at the bottom here, we believe that in the firewall space, everything is dependent on everything. The network spans many reaches. Unlike a server automation project where if you mess it up and then you find out that that server didn’t build the right build, you tear it down, you kill it, you build a new one. That’s kind of the DevOps mentality, right? If something’s wrong, don’t spend a bunch of time on the 1.0, jump to the 2.0.

Paul Anderson:
We don’t always have that luxury with firewall change. If we mess something up, there might not be an immediate rollback. So, we want to put controls and guardrails and checks in place as part of our automation approach, not just, “Well, we messed that one up. Pull it back.” So, step one to that, there’s a lot of automation software out there that push configuration changes to cloud, micro segmentation, or on-prem firewalls. And that’s fine, we can replace some of those, or we can use those as part of our chain that we’re going to automate and pass the ball to them where they do well.

Paul Anderson:
Your question about multi-cloud, number one: in the firewall world, I don’t really believe I can truly automate things effectively unless I have visibility of all your different firewalls and all your different policies on those firewalls and existing access. So, we do have integrations into all the major cloud providers, the majority of major data center providers, NSX, ACI that give us visibility into those existing firewall policies. So, anything we automate is going to calculate the current state as opposed to just a software script running a command.

Paul Anderson:
But part two of your question I believe is cloud migrations never go as fast as they’re intended like Chris said earlier. So, next thing you know, an entire application’s not moving, but the web servers are going to AWS, but the SQL servers are staying in the data center. Or a net-new application is spun up and I don’t have any problem building the firewall policy using Terraform direct to Azure, but if it’s a high enough security policy within a financial organization, I’m required to go to a DMZ.

Paul Anderson:
And so, now I have a server that I can build in minutes, and I have to go through a pair of checkpoints, and it’s going to take one day to three weeks for that team to service my ticket, and that’s assuming they don’t have any questions. That doesn’t work for my deployment model.

Paul Anderson:
So, the answer is yes. The asterisk is we need to look at the different features you’re using within your technology, and the best way to deploy our software to where you get all the value out of your existing firewall, and then you understand how our automation software is going to work with those and marry that goal. Hopefully, that’s a good answer. But the answer is yes, and hybrid cloud adds a lot of complexity.

Paul Anderson:
One more piece on that too. Migrations have a very high C-level target of moving a specific amount of workloads let’s say into Azure because my company signed a $45 million enterprise agreement and six months later, we realized that we only had 1% of our production applications in Azure. There’s going to be a drive to move those out. One of the bottlenecks after you figure out what connects to what? And you figure out is SQL going to run well in Azure? Even though it’s Microsoft and Microsoft, that’s not a given.

Paul Anderson:
I now have to ask my network and security team to rebuild new policy out there. And then I have to decommission it from the old firewalls that I have there. So, depending on what level of automation you adopt with FireMon, if we can see all those policies in the old data center when those new servers are spun up, if you’re using tags and templates and things of that nature, we can rebuild that new policy out in the cloud. Have the same level of compliance that you had within the data center, and also know either to flag or to automatically remove the IPs that are no longer active in the data center, which significantly reduces your time and audit prep for future clean-up projects.

Paul Anderson:
So, hopefully, that answered the question. The reason I rambled and the reason I went through a few different scenarios is there’s a lot of things to think about, and the key is let’s map out what your goal is, what your existing environment is, and then which part of our solutions makes the most sense to help you on your process.

Paul Anderson:
Someone said, “Does this support configuring Palo Alto App-ID fully?” I will hold off on saying yes or no on that because I’d like an engineer to say something on that specific feature. What I do know is we can account for the Palo Alto App-ID in some of our automated policies, but in terms of the exact scenario you’re asking, I don’t want to just jump on here and say yes or no. I’d say that’s a great question if you want follow-up. I believe there’s a way to request that or there’s… Laura, is there a way to make someone who asked a question visible where we could just have an engineer get them an answer very specific to their question?

Laura:
Yep. We’ll follow up with this person after the conference today.

Paul Anderson:
Cool. Well, there’s a lot more else I could say. I’m going to wrap up with two things. Again, we get a lot of customers looking at us. They go, “Hey, we have an RFP, we have our project defined.” And then they ask us every single different type of scenario. Every path, every route, every firewall. “For 30,000 changes a year, can you solve this?” And sometimes the answer is yes. Sometimes the answer is no. The answer is always, “We need to learn a lot more.”

Paul Anderson:
But where I see people successful is when it’s a metrics project. When you’re not trying to boil the ocean. You go, “We’ve automated less than 10% in this space. Why don’t we try to get to 30%? Which workflows can we use to get to 30%? And once we get to 30%, let’s build the next project to get to 70%, right?” So, I think that plays very well with what Chris covers, and we see a laggard approach to firewall automation because unlike servers, you can take a lot down, yet we can still take the good from the server automation process. The successes that RPAs have. We can look at the good of that and then we can adapt it to what we need to do in the firewall automation world. So, I’ll leave right there. If we have any questions, Laura, please, or Chris, please feel free to chime in.

Laura:
It looks like we have a couple for Chris here, so we’ll start with those. And then everyone you can go ahead and just add your questions as you think of them here. We’ve got about nine minutes for questions. So, Chris, this question is, “How do I raise my RQ?”

Chris Gardner:
It’s funny because it’s not a situation where you simply read a lot of books or attend a lot of therapy for EQ. RQ is not necessarily an individual maturity level of skill set. It’s actually your organization. So, what I suggest folks do to raise your RQ is, again, look at these nine dimensions. Start mapping out your automation and realize that not every single type is going to need to have the same priority level.

Chris Gardner:
Once you’re able to do that, then you can start transitioning that information to the folks that will do the implementation itself, and update those skill sets. Because I think what ends up happening is people do it backwards. They say let’s make all these folks developers, which is great, but then they don’t actually go through the exercise of figuring out exactly what types of things they were supposed to automate and which tools they should use. And then people get skill sets in one type of technology and not another.

Chris Gardner:
So, roundabout answer to say that understand, again, the dimensions. Do the priority efforts within your organization, and then do the skill set uplifting that you ultimately will need to do.

Laura:
Right. I have another one. This is a good one. “Where can I find staff for my automation strike teams? Can I pull from within?” And Chris, this one’s for you specifically.

Chris Gardner:
Yeah, so I always encourage pulling from within. I’m a full supporter of leveraging the skill sets and the expertise of the folks that are there, and quite frankly, they’re going to know better than anyone about what should be automated and how quickly it can be. That said, I’m realistic. You do need to bring in some outside talent, especially if it’s in automating an area that you’ve never done before. Say you’re just now getting involved with multiple cloud. Everybody at this stage has at least one cloud they’re working with, one hyperscaler, but now we’re seeing a lot of folks have multiple hyperscalers.

Chris Gardner:
You might want to bring somebody in and say, “This person knows about the abstraction layers that connect these pieces. This person knows about infrastructure automation platforms to connect all the various pieces.” But not pulling priorities and effectiveness away from the folks that are on the ground. Again, be realistic about it. Do the assessment of the folks and say, “Do you want to be involved in this new world that quite frankly you’re going to be doing a completely different job? But you’ll be hopefully doing a lot less grunt work.”

Chris Gardner:
Often what ends up happening is that people will say yes, and then it’s just a matter of getting those people to the position of power and influence they need in order to execute automation strategy decisions.

Laura:
Great. Thank you. Paul, this one is for you. “Can I deploy multiple levels of FireMon automation, or am I limited to just one?”

Paul Anderson:
Yeah, good question, and maybe I’ll let Chris add his spin because when he was talking, we got a bunch of five stars coming in, and then a couple of fours have showed up. And if we drop below four then we don’t get to drive for Uber anymore. I believe that’s how it works. The answer is yes, and it goes back to what I was saying about not all workflows are equal.

Paul Anderson:
Let me think of a very simple example. We have a compliance engine where you can set… Similar to a chatbot almost. You can set it to pass, fail, or needs review. I might hard fail anyone who’s requesting Telnet, but I might send something that needs review for someone who’s requesting a service over HTTP.

Paul Anderson:
We don’t love using HTTP at this organization, but we don’t always deny it. So, figuring out what do I build as an always allow? What do I build as an always deny? And the way this plays out with customers, Laura, is again, everyone from, “We want full automation,” to, “We’ve been doing firewalls this way for 25 years and here’s why, and automation’s not going to work for us.”

Paul Anderson:
And so, then it’s like, “Okay, you’re on the security engineering team, right? Do you review every request? Do you review 50% of the requests? Do you review the requests after they get implemented and clean them up?” If someone says, “We review 100% of the requests.” Okay, when you leave that meeting, do you ever say, “If I never see a request for X to talk to Y again, I’ll die a happy man”? And they go, “We always approve FTP to talk to FTP, yet we still review it in every meeting.”

Paul Anderson:
Great, let’s start there. So, let’s put a high level of automation, always allow. Put some general compliance guardrails around. By the way, does your organization already have out of the box compliance and best practices standards that we can build in, or do we need to spend some time putting some basic ones in, and then you all build more and more in as you go?

Paul Anderson:
So, the long answer to your short question is yes. We can do multiple levels of automation. And again, we always… Well, not always. We very often look at what is the workflow? What’s the context? And based on that, what’s the risk? Based on all that, what level of automation does that process get, and then how do we sell that up the chain to where everyone looks like a hero as opposed to overselling the solution and then looking like they underachieved, right?

Chris Gardner:
Yeah, I would add that’s well said, and the little color I would add to that is this is as much a change management discussion as it is an automation discussion. What I often run into is people want the change management board convened for every little change because they want the audit trail. But there’s nothing to say you can’t have a significant audit trail with the automation itself. As long as I know who pointed the gun, who requested that the gun be fired, and when this gun was fired, and how it was fired, I’m good. And I don’t need to convene 60 people to make that call.

Chris Gardner:
Once people start doing this more often, they actually realize this is a far better solution. Not just from an efficiency standpoint, but just a risk management standpoint because it turns out that every major… If you look back at the last six years or so, every major cloud outage has been done not because of some automation, doing something screwy, but because somebody got the approval from a change management group and executed a manual change that was flawed.

Chris Gardner:
So, I’d much rather we automate this, and again, we have the audit trail and the automation to continue to convene these boards that are gigantic. One other thing. I’m actually glad we got one or two four stars because if I see only five stars, I know it’s not real. The same way if I get into a car with an Uber driver that’s got fully five stars, I’m like, “This guy started today.” Anyway, I think we only have a minute or two left at this point.

Laura:
Yes. So, we at this point want to go ahead to end, and we did have one final question asking for specific use cases around risk and change from FireMon. So, I’ll follow up with you, Paul, and we can get an engineer to answer that as well. But I think we’re at time, so Chris and Paul, thank you so much for your time today. And everyone, we will be sending out the recording of today’s webinar as well as a link to the assessment, the full assessment that Chris went through. Thank you all and have a wonderful day.

Chris Gardner:
Thank you.
