Automation, Organisation and the Joel test for the rest of us

I've noticed that PR pieces talking about cybersecurity have been increasingly using the term "automation" as well recently.

There are a few explanations: that the amount of data that an effective Intrusion Detection System needs to ingest and respond to, and the timeframe required for a response, have outgrown any human abilities, so automation is necessary (when has that not been the case?), or perhaps - the more interesting idea - that infosec by itself doesn't sell, but infosec plus generally slicker IT operations does.

Information security is often seen, with some justification, as a tension between workers and asset owners. Workers generally want to do their jobs more efficiently (and to play $CURRENTLY_POPULAR_GAME in their newfound downtime). Many office tasks are amenable to automation - and they're best automated by the person currently doing them, since they know the spec.

In full-on programming circles, you may have heard of the Joel test, a quick-and-dirty set of 12 questions that rank how mature your coding shop's development processes are. They're not complete, and I believe the author has published an updated version, but the concept is there - your org almost certainly is not special enough to exempt itself from best practice. My aim is to develop something similar for office shops.

To that end, I propose the following BuzzFeed-style survey, asking your organisation how to accomplish the following common task:

* Once a month, download a spreadsheet from a well-known website. There is no authentication step, and the address is known in advance.

* Do some basic trending with the data within, and data from previous months.

My partner is trying to automate this currently; I've done it before; this sort of task occurs almost everywhere. Doing this should require as few clicks/keystrokes as possible: ideally *zero*.

How would you like to see your org respond?

I've separated this into three parts: developing, deploying and maintaining.

Developing the script

---

1. Here's a Python interpreter/Powershell with a network connection. Go nuts.

2. You can do this with VBA, which you can write and run yourself.

3. You can do this with Excel, without VBA, which you don't have enabled.

4. IT will, if requested, set you up with a Data Science environment that can do this later this week.

5. IT will set you up with a Data Science environment later this year, if you can specify the *exact* executable you want installed.

6. You will require a custom, outsourced solution, which may be delivered by end Q4 next year.

Deploying the script

---

1. You can run this script in $ENVIRONMENT yourself, on a laptop;

2. You can run this script on some form of deployment-grade server or cloud service;

3. As above, with some form of peer-review apparatus first;

4. You can run this script with central IT approval, who will respond quickly and catch obvious errors and evil input;

5. You can run this script with central IT approval, who will respond slowly and miss obvious errors and evil input;

6. We outsource it - Script-as-a-Service.

Maintaining the script

---

  1. This script won't work next leap year. Good luck future me!
  2. Our department maintains a list of scripts and who is responsible for them, and requires employees to write documentation and handover notes;
  3. As above, but we actually do it; we also require version control.
  4. IT maintains the script for us, and collaboratively develops documentation/handover/version control
  5. We contact the actual developers.
  6. The actual developers closed shop in 2003; now we just pray the server never goes down.

Thoughts on a postcard.


More articles by Martyn Smith
