One strategy that organizations can use to help offset some of the inherent asymmetry in keeping technology secured is to make extensive use of automation to support security practices.
That means if you’ve automated a task, you don’t need boots on the ground for the work to get done — you can redeploy that staff to some other task.
Sometimes organizations need to make cuts.
So, compared to manual controls, an automated control potentially is more resilient when voluntary attrition or staff turnover occurs, and better insulated against budget reductions.
Specifically, it involves understanding, in order of increasing complexity: what specific controls you have in place; what they do; how they’re operated; the costs involved in using them; and what you’re missing, based on your overall risk profile.
However, only the most mature are likely to have assessed their risk profile, and the threat landscape that forms part of it, in a useful, ongoing and systematic way.
They might base their analysis on staffing considerations (who’s hardest to replace), the skills those staff members have (what they can otherwise do if an automation investment is made) and so on.
At the end of the day, though, the question isn’t necessarily whether you automate control X or control Y.