Business Automation is Great – But Some Things Should Be Left to Humans

As we see an increase in cyberattacks, it’s more important than ever for companies to be able to identify and respond to threats. Tools like AI can provide some business automation and help deal with the volume of monitoring most companies require. But human oversight is still essential.

See AI, Automation, and the Future of Cybersecurity with Michael Lyborg for a complete transcript of the Easy Prey podcast episode.

Michael Lyborg is the Chief Information Security Officer (CISO) at Swimlane, a company that focuses on AI’s business automation and cybersecurity implications. He has been with the company about seven years, and he mainly works with larger enterprises and government clients to assist with their automation and overall experience. Before Swimlane, he did security work at various companies. He also did some networking work in the early days of routing and switching, and worked under the Department of Defense as a US Marine.

Getting Into Cybersecurity

Michael’s interest in computers started early. As a child in Sweden in the early 1990s, he broke his dad’s computer. His dad told him to fix it. So he learned. He did a few internships working with computers in Sweden and in the U.S. while going to school, and landed a job right after graduation fixing computers, monitors, and printers. For a while, he worked on remote access and network services, but he kept working on the more hands-on aspects, too. As technology continued to advance around the globe, it became a bigger piece of everything, both operationally and tactically. The Marines kept needing people who knew how to work with technology, and Michael kept volunteering.

As he wrapped up his tenure with the Marines, he had to decide if he was going to become a contractor with the U.S. government, or try to get back into network security and cyber information systems. He picked the latter, and it’s never been a dull day since. His military background and experience with the hands-on aspects of technology became very useful.

In the U.S. military, there’s a concept called Operational Risk Management. Everywhere you go and everything you do, you conduct some sort of threat assessment. Depending on what you’re doing, it could be limited or large scale. But it looks at what the enemy is most likely to do and how you can mitigate that. It’s also a really helpful mindset in private-sector cybersecurity. Gap analyses, fields of fire, what you can protect, where your center of gravity is, what happens if your primary, secondary, or tertiary backups fail, what are your contingency or fallback plans – all of these areas are great for looking at business cybersecurity and finding ways to improve.

Fraud is Everywhere

Like everyone, Michael and his family do a lot of online shopping. Being a security guy, Michael has a lot of network firewalls at his house and over his wifi network. While traveling in Europe, he got a notification that his firewall blocked an IP address. It turned out that his wife was shopping online and had attempted to send a payment to a fraudulent website.

That’s a success story. But we all have stories of times when fraud and scams got through. You can do a million things right, but it only takes one mistake or oversight to have terrible consequences. Phishing is real, and Michael has fallen for it. From a personal perspective, he’s fortunate that he doesn’t have any major exposure that he knows of. Most of his information that’s out there is because of public breaches. And there’s not much you as an individual can do about that.

We can do a million things right, but we do that one thing less than ideal, then we have other outcomes.

Michael Lyborg

Technical controls really help to limit some of these risks. Even on a personal level, a family doesn’t need access to everything in the world. There’s always going to be risk. You can’t stop everything, whether in a personal or business context, because work and life still have to get done. Every control introduces some level of friction. But a measured approach with incremental improvements can be huge.

Controls Versus Friction in Business

Every control or safety measure you implement is going to add some measure of friction. It will slow things down or make things harder in some way. This is the intended point. But that means you can’t jump ahead and totally lock things down in terms of security. It may be extra secure, but if productivity goes way down, that might be way too much for your business. Can you stay in business if it takes everyone three times as long to do what they need to do? For most businesses, probably not.

It’s easy to implement technical controls to restrict and try to help mitigate some of the risk.

Michael Lyborg

You don’t have to jump ahead to total lockdown, though. Implementing smaller, more incremental technical tools can go a long way. Part of it is managing relationships in your business, from the stakeholders down to the people on the floor at your manufacturing facility. Look at your population when you test something. Ideally, initiate something with a smaller test population first to get reactions and feedback. It’s human nature to go with the easiest thing, so you may get pushback just because the control is new and harder. Take the time to ask how they would prefer to do this new security thing, and evaluate from there. Business automation can also help to implement these things faster and easier.

How to Implement Business Automation

The tasks where business automation are going to have the most benefit are those with high volume and low risk. Automation is great at dealing with repetitive tasks and managing a high volume at a quick pace. When you use business automation to manage these kinds of tasks, you get back the one resource you can’t buy: Time.

But when you add automation to your life, whether personally or professionally, it’s essential to test it. A system doesn’t do you any good if you have no controls to let you know when it stops working. When implementing automation, thinking through the questions of what happens if it fails, who gets notified, and whose job it is to fix it.

Make sure you test it, too. Ensure signals are getting in and out and reverse-map everything. And consider what happens when something goes wrong. Years ago, Michael worked with a client who had some very complex automations to help with an important report. Someone thought it was a good idea to bring in a bunch of low-fidelity data and set up some IP blocks. They ended up entirely cutting off one of their own network segments. The quality of the information going into your automation matters.

High quality information in will let you automate more effectively, without undesirable outcomes.

Michael Lyborg

It’s essential to review your business automations continuously. Automated monitoring (yes, more business automation!) can help with this. It can put up a notification when something has changed, that needs review. Documentation is also really important for automation. Depending on what systems you have and how they’re working, it can get really complicated, really quickly. Documentation can help support the work you’ve done if and when there’s a problem.

When Business Automation is a Bad Idea

Not every business function is a candidate for automation. Risk-based prioritization is important here. Remember, the best tasks for automation are ones that are both high-volume and low-risk. The higher the risk, the more likely it is that an automated process will make a bad decision – and the more likely it is that bad decision will have terrible consequences on your business. Instead, set up systems where anything that might need a decision or that is anything other than completely obvious gets escalated to a human reviewer.

A good start to helping you make these decision is to map out the data in your business. Know if a data source is a VIP user, a high-value asset, or another type of data. And set up different restrictions based on priority. Customer information, for example, should be confidential, while financial information gets moved up to restriction. This makes it easy to contextualize.

Don’t immediately try to automate new things, either. Whenever you have a new data source or a new process, let the people working with it have some time to understand how it works and what it entails before deciding if it should be automated and how much. Especially with complicated things like API keys, rotating authentication, and authorizations, automating too quickly and without proper consideration can have huge and costly downstream effects.

Business automation is not a way to get rid of your human employees or stop working. It’s a tool for reducing or eliminating the mundane, repetitive tasks that businesses require to keep running. When you can automate those, you free up employee time to do other things and keep people from getting tired and frustrated with monotonous jobs. That’s where the real business value of automation lies.

Using AI Automation in Business Cybersecurity

If you’re using AI as part of your business automation for cybersecurity, it’s essential to remember that an AI is only as good as the data set it’s trained on. Maintaining high-quality data sets is critical. It’s also important to remember, as has been mentioned several times, that not all tasks are good candidates for automation.

There are some security-related tasks that lend themselves really well to AI, though. It’s great for monitoring and for creating summaries of reports and meetings. It can often help with translating complex and technical explanations to non-technical people, like board members. For teams working across language barriers and time zones, it can help everyone stay on the same page and up to date.

It can also be used for simple guidance on issues. If something has been sent to a junior analyst for triage, having common processes and lessons learned from previous investigations available in an AI can help that analyst make better, faster decisions. And it’s great for doing important but tedious data management. Rather than having a person spend hours integrating data from thirty different sources, creating pivot tables, and making everything look good in a report, AI can take all of the data and spit out those insights and graphic representations. A human should still double-check everything to make sure the AI is accurate, but that’s still much faster than doing all the work themselves.

The Future of AI Automation in Business

AI is really starting to see mass adoption. It’s hard to walk ten feet without bumping into another company using AI. So we’re seeing the different ways companies can use it and business automation can integrate it.

We’ve also seen huge advancement in virtual analysis. That doesn’t mean you can automate everything and trust AI to replace your business processes. AI isn’t there yet – and if anyone promises you that AI can fully replace your business processes, run in the other direction. But AI can definitely speed up that analysis and give humans more data to make better decisions.

AI isn’t enough on its own, though. Prioritizing, figuring out what went wrong, and remediating the problem still require human intervention. You have to match human intelligence to your business process. Blindly trusting AI without controls is a terrible idea. That may change in the future, but right now, it still needs human oversight.

Just having AI on its own isn’t really going to solve the problem. … You have to couple that with human intelligence.

Michael Lyborg

Swimlane sees real value in a combination of human and artificial intelligence. The best results come about through that unification. You can buy the best platforms in the world and call that good enough, but without human intervention, good enough might not be good enough. The real value in business automation is in that combination of automation freeing up the time of brilliant humans so they can be brilliant.

Learn more about Swimlane at swimlane.com. Connect with Michael Lyborg on LinkedIn.