I’m involved with a number of teams and projects who have all drunk the automation kool-aid. Now, to be clear – I’m not against automation. I’m thinking here about the use of DevSecOps stacks/Infra as Code etc. We’ve all no doubt been involved (either as the initiator or a bystander) in incidents caused by the incorrect command, wrong host etc etc; therefore – as a general statement – automation is a good thing.

In addition to speed and the obvious prevention of fat-fingering, and the need for humans to have access to secrets/passwords – there is a security positive in automation that revolves around the inability of people to do things maliciously without being caught. By which I mean, if automation seemingly breaks – then that’s generally a reason to look more deeply into a problem. The value of this is likely to depend on your vertical.

However, the automation issue is becoming challenging in two ways: (i) the way those teams are thinking about their tasks and (ii) the attitudes automation is bringing to activities more broadly, e.g. those tasks which cannot be automated.

Taking the first point – I’m seeing this impact the way people see/interpret the task needed. There is a method of ‘creating some tickets’ to get folk to do things. This is fine as a way of tracking work, but there are two further issues with this. Firstly, it leads people to just treat these tickets as isolated tasks without context and understanding, secondly that those tasks that need collaboration and discussion are focused on closing the ticket in accordance with some SLA, to move on to the next thing rather than get to a successful solution.

Secondly, and this is probably more related to general perception of value – is there is an emerging viewpoint that could be summarised as: “if it cant be automated – we shouldn’t be doing it”. Which I find the most maddening of positions. To my mind, the outcome should be “automate as much as possible, to realise our precious people resource to do the work that cannot be automated”. In this bucket, I place real (security) architecture – not just slapping some diagrams together, then batting-away anyone that questions your (lack of) decisions.

Put more succinctly, if the work is of true value – why automate it? It needs the best possible brains…