- Unsupervised Learning
- Posts
- Policy, SOPs, and AI Are All You Need
Policy, SOPs, and AI Are All You Need
How AI-powered Policy and SOPs will soon run teams, departments, and companies
I think InfoSec—and in fact business management in general—is evolving into the combination of four things:
- Policy (entity identity/goals)
- State (assets, configuration)
- SOPs (approved execution pipelines)
- Action (Humans/Automation that merge State/Policy)
So essentially we have:
1. Leaders who determine Policy
2. AI that gathers State from everywhere
3. Everything is done according to SOPs
4. SOPs are regularly updated
5. GOTO 1.
A few things to note about this:
1. Security becomes part of the building SOP, and stops being a separate process
2. The only real part of this that remains human—in the longterm—is #1, which is where the core ideas are determined and set as strategies.
Everything else becomes the execution and implementation of those ideas.
Which is still hard work in many cases—but AI will get better and better at that over time.
This is why the ideal (and perhaps only safe) place for humans is coming up with the ideas and starting businesses to implement them—mostly using automation.
I challenge you think about all jobs in this way.
Like software security.
What happens when software is only allowed to be built using X components, and Y frameworks, with Z controls?
And automation builds most of that software and tests it continuously to take sure it’s in that state?
Ask what part of the job is actually just the result of the actual thing not being done properly in the first place according to an SOP.
This has been promised for years, and it’s not happening tomorrow.
But we can now see what that would look like if software can build software and can also validate that it was done using the approved SOP.
Everything is a pipeline. Including the building and validation of software.
The human part is the desire to build, and the ideas for what to build.
Much of security comes down to things being built or implemented the wrong way, and there being nowhere near enough people or time to clean up afterwards.
Things are very different when automation can make a big dent in both.
So as a security person—or someone considering getting into security, which part of this do you want to work on?
- The automation to safely build?
- The automation to test what was built?
- The automation to fix the issues that are found?
- Or the Human version of that automation before the automation is invented
- Or the definition of the SOPs
- Or in the creation of the original business idea and product
Think carefully about where you want to be in this ecosystem.