Get Started

Automate That!

  • 4 min read

Share this post

Robots on an assembly line building a paper document Statement of Work
Robots on an assembly line building a paper document Statement of Work

“Rob, we have another prospect that needs a Statement of Work (SOW).”

I should be excited; a new prospect is interested in our services. But argh! I hate writing the SOW. 

So many things to get wrong: legal company name, mailing address, payment specifics, which services we agreed upon in the discovery call. The list goes on and on.

I think I’ll just delegate this to my team. But… it still won’t be right because they will have the same problems. 

Little of this process or the SOW is complicated, but it’s not one-size-fits-all either. There are always customizations. Which means that without being fully aware of what was discussed, the best someone else can do is get it “close to right.” And close doesn’t cut it.

So, I finally sat down and wrote an automated script. Now, all I have to do is enter the specifics for each prospect into a spreadsheet and my admin can run the script to create the SOW. 

Wow. What used to take me an hour of inputting and checking takes just 10 minutes! That leaves me with more time to focus on higher level things and (added bonus) our SOW is now super-consistent and accurate.

vciso ebook

Automation Will Set You Free

Manual processes take time and are prone to mistakes. And even the most diligent employees get sick and go on vacation (and occasionally borrow your coffee mug from the company lunchroom). 

If you create reliable automation, you can leverage it daily until the elements of your process change.

Plus, it’s much easier to automate tasks than when I got my Computer Science degree in the 90s. Back then, I literally had to look up how to do technical stuff in books and magazines. Today, it’s mostly a question of which resource to use: Google? StackOverflow? ChatGPT? Online documentation?

As for which types of processes are a good fit for automation, we look for things that are…

  •  Consistent(ish). You want processes that repeat in the same way. Things like running reports or closing your books at the end of the month. Even if a process is 80% consistent and 20% creative, you can still automate the parts that don’t vary.
  • Time-consuming or error-prone. The more a process is characterized by one or both of these things, the more worthwhile it is to automate. (Otherwise, why bother?)
  • Cost-effective. The cost of automation should be significantly lower than the cost of having an administrative person do the same work. Don’t spend a million dollars automating a process that somebody can do for $15 an hour.

Opportunities for Automation Are Everywhere

I asked my team to suggest situations in which automation would be valuable for our clients’ cybersecurity programs – they came up with more than a dozen in about five minutes. Here are just a few ideas to get you thinking about automation’s application in your organization…

Employee On-Boarding and Off-Boarding

For new employees, this involves ensuring that each person is given an appropriate level of access for all systems based on their job responsibilities. It ensures that a custom, human set-up doesn’t give someone too much access (a security flaw), or too little access, thereby preventing them from doing their job.

Employee off-boarding automation is valuable because it is difficult to find all the systems that users have access to. (Leaving former employees in systems is potentially dangerous.) Automation can go through all of those systems and turn off access quickly and accurately. It can report on what was completed or what failed. (A human can complete any non-automatable steps.)

Scanning

Many of our clients perform automated security code scanning of their code when it is checked into source code control. Automated scanning has many benefits:

  1. The code is evaluated for security. 
  2. All of it is scanned, giving the company a chance to find vulnerabilities.
  3. It provides timely feedback to developers when they are writing the code, rather than months (or years) later when the developer has forgotten what they were working on or is no longer in that role.

Infrastructure-as-a-Service (IAAS) platforms such as AWS and Azure have environment scanning tools that companies can turn on. These tools can provide invaluable data on how to better secure one’s environment.

Backups

This one is obvious, but critical. Harmful things – whether as the result of bad actors, natural events, or human error – have a way of occurring right after somebody forgot to run the back-up.

Automated backups run on time, every day/week/month, no matter what.

Patching

This one falls into the “it depends” zone. 

Automation can and should be used to deploy patching, but there has to be human involvement in deciding what to patch:

  • Has the patch been tested? 
  • Can the target system be brought down safely? 
  • Are we working on something else that will require us to bring down this system soon, providing a better time to patch? 
vciso ebook

Trust But Verify

Automation can be tremendously beneficial, especially for a small company where resources are limited and processes tend to be less formalized. (I can’t believe I waited so long to automate our SOW process!)

But don’t take your hands off the wheel too fast; counting on automation to make decisions in an uncertain environment is not practical (yet).

Gotta run. I tried to use a homemade robot to automate tonight’s dinner on the grill and my wife is on the phone asking if I know where the fire extinguisher is.

Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.

Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).

Tales From The Click

Sign up for our monthly newsletter for business leaders on minimizing cybersecurity risk.

Suceed at SOC 2

Free eBook:
5 Things to Know for your First SOC 2

  • How to scope your SOC 2
  • Estimate the cost and length of your SOC 2
  • Prepare for your SOC 2
  • Manage the SOC 2 audit period
  • Leverage your SOC 2 for growth

Related Posts

Just Show Up

Rob Black

What to Know About Encryption Now, at the Dawn of the Quantum Era

RJ Russell

What Is ISO 27001? (And Why It Matters for Growing Companies)

Rob Black
Is your Cyber Insurance really going to cover you?

Only 1/3 of cyber insurance policies actually pay out in incidents. Most companies have cyber insurance policies that insure too little, or too much, and have absurdly low caps and silly exclusions.

To learn more about cyber insurance and determine if you have the right coverage for you, join us for a free vCISO Office Hours session on Tuesday, April 18 at 1 p.m. eastern time. Bring your questions!

New Release: Free SOC 2 eBook!

Getting ready for your first SOC 2? This eBook is full of actionable advice to help you prepare for and succeed in your first SOC 2 audit.

Learn:

  • How to scope your SOC 2 project
  • How to estimate the cost and length of your SOC 2 project
  • How to prepare for your SOC 2
  • How to succeed in your SOC 2 audit period
  • How to leverage your SOC 2 report to enable your business and sales
Is your Cyber Insurance really going to cover you?

Only 1/3 of cyber insurance policies actually pay out in incidents. Most companies have cyber insurance policies that insure too little, or too much, and have absurdly low caps and silly exclusions.

To learn more about cyber insurance and determine if you have the right coverage for you, join us for a free vCISO Office Hours session on Tuesday, April 18 at 1 p.m. eastern time. Bring your questions!

New Release: Free SOC 2 eBook!

Getting ready for your first SOC 2? This eBook is full of actionable advice to help you prepare for and succeed in your first SOC 2 audit.

Learn:

  • How to scope your SOC 2 project
  • How to estimate the cost and length of your SOC 2 project
  • How to prepare for your SOC 2
  • How to succeed in your SOC 2 audit period
  • How to leverage your SOC 2 report to enable your business and sales