More than four fifths (82 percent) of UK CEOs see technological advances as the main global trend that will transform business, yet in the rush to achieve digitally enabled change, the constraints of current security models and thinking risk fundamentally jeopardising the business.
When organisations are faced with wholesale and expensive security redevelopment to embrace the cloud, extend the capability of a remote office, support flexible working, or even upgrade data centre requirements, it is no wonder that corners are cut and security postures are compromised as a result.
Despite the ever-increasing threat landscape, the vast majority of organisations appear to need little incentive to side-step essential security requirements. While firms clearly understand the devastating financial and reputational implications of a breach – Equifax or Deloitte anyone? – senior management persist in pushing back on the cost of essential security investment.
While the vast majority of organisations now accept that digital transformation is the key to continued business growth and development, and accept that the way in which IT is both deployed and secured is now vital, there remains a fundamental disconnect. For when the CIO goes to the board with the plan to move part of the infrastructure into the cloud, or upgrade the connection between remote offices and the data centre, more often than not the security aspect of that business critical investment gets watered down – at best.
Why? This is not just an issue of corporate mindset – in many ways the security market is culpable. From rigid products and architecture to inflexible payment models, the way in which security is presented to the market makes it far too difficult for the board to recognise – let alone invest in – a solution that supports both today's and tomorrow's business strategy. In consequence, at best corners are cut and security postures weakened; at worst organisations simply carry on with their digital transformation plans in the hope that at some stage it might be possible to retrofit security.
Organisations need flexibility and agility to ensure security can grow in line with business requirements. What they are being offered, in contrast, is a set of rigid product offerings that will only work if the infrastructure is redesigned to fit. Furthermore, there is no scalability, no way to cost effectively and securely expand or upgrade the underpinning infrastructure. Instead, organisations face an unpalatable choice: pay a premium for a future-proofed solution today, despite the fact the capacity may not be required for several years, or accept the need to re-engineer the environment with every upgrade.
This is completely unacceptable – and certainly gives the CISO no ammunition to combat a cost-sensitive board wanting to water down security investment.
What organisations need is encryption with built-in growth capability: the ability to handle evolving business objectives not just in the short term but over the medium and long term as well. A ‘pay as you grow' model based on a solution that is implemented once and can then expand to meet an organisation's business requirements without re-engineering and without financial penalties.
The key to achieving this ‘pay as you grow' approach is to move away from the traditional rigid security product model that is tied into the infrastructure. Security embedded into a firewall, router or switch not only lacks flexibility and product features; organisations often incur serious performance penalties when the encryption is switched on. The performance dip then prompts a demand from the infrastructure team for an upgrade sooner than originally anticipated – which in turn prompts additional security upheaval. And the unhealthy cycle continues. What was a five-year investment has to be ripped out in two – and the CISO is facing another board-level battle.
In contrast, by embracing an overlay approach that decouples security from the connectivity infrastructure, it is simple to upgrade and evolve security at every stage – whether that is between data centres, between data centres and remote sites, even data centres and the cloud. Once in place, an organisation can begin to enforce a security posture that reflects business requirements and accurate risk assessment – not the limitations of a rigidly defined security model.
Furthermore, by decoupling security from infrastructure, organisations are able to adopt the zero trust security model that is increasingly critical to today's business strategy. When organisations do not own the cloud infrastructure or the public networks used by flexible and remote workers, they have to assume zero trust: to achieve access, a user needs to both see an application and be permitted to use it. By taking this model and securing it using expandable and scalable Layer 4 based cryptographic segmentation, an organisation can embrace zero trust irrespective of infrastructure, of data centre locations, of new cloud deployments, and/or of the desire of workers to hang out in the local coffee shop.
When trust is built on the users and applications – rather than the infrastructure – organisations can embrace a far more elastic security posture that can be adapted rapidly to new environments. In addition, this decoupled model can – and should – be deployed across owned infrastructure too, extending the zero trust concept and moving every aspect of the security posture away from networks and infrastructure towards applications and users.
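The two-step rule described above (a user must first be able to see an application, and then be permitted to use it) can be made concrete as a policy evaluator whose inputs are identity, application and Layer 4 service, with the source network deliberately excluded from the decision. The following is an added illustration, not code from the original post or from Certes Networks; the user directory, group names, policies, segment names and the per-segment key derivation are all constructed assumptions, and a production deployment would take identity from an IdP and keys from a proper key-management system.

```python
# Added example (not from the original post or from Certes Networks): a
# minimal zero-trust policy evaluator that decides on user identity,
# application and Layer 4 service, and ignores network location entirely.
# All users, groups, policies and secrets below are constructed for
# illustration.
import hashlib
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Policy:
    group: str    # user group the rule applies to
    app: str      # application name, never an address or subnet
    proto: str    # transport protocol ("tcp" / "udp")
    port: int     # destination port: the Layer 4 service being segmented
    segment: str  # cryptographic segment (key domain) the flow belongs to


# Constructed directory: user -> groups. In practice this comes from the IdP.
USERS = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "carol": {"finance", "engineering"},
}

# Constructed policy set. Any flow not matched here is denied by default.
POLICIES = [
    Policy("finance", "ledger", "tcp", 443, "seg-finance"),
    Policy("engineering", "ci", "tcp", 443, "seg-eng"),
    Policy("engineering", "ci", "tcp", 22, "seg-eng"),
]


def visible_apps(user: str) -> Set[str]:
    """Step one: which applications may this user see at all?
    Only those covered by a policy for one of the user's groups; an unknown
    user sees nothing."""
    groups = USERS.get(user, set())
    return {p.app for p in POLICIES if p.group in groups}


def evaluate(user: str, app: str, proto: str, port: int,
             src_ip: str) -> Tuple[str, Optional[str]]:
    """Step two: is this specific Layer 4 flow permitted?
    Returns (decision, segment). src_ip is validated so the record is
    well-formed, but it is never a policy input: the same user gets the same
    answer from the office LAN and from a coffee shop."""
    ip_address(src_ip)  # raises ValueError on malformed input; no other use
    if app not in visible_apps(user):
        return ("deny", None)  # invisible apps are refused before any port check
    groups = USERS.get(user, set())
    for p in POLICIES:
        if (p.group in groups and p.app == app
                and p.proto == proto and p.port == port):
            return ("allow", p.segment)
    return ("deny", None)  # visible app, but not on this service


def segment_key(segment: str, master_secret: bytes) -> bytes:
    """Illustrative per-segment key derivation (assumption: one key per
    cryptographic segment, bound to the policy segment name rather than to any
    address range). A real deployment uses a standard KDF and managed keys;
    this only shows that the key follows the policy, not the network."""
    return hashlib.sha256(master_secret + b"|" + segment.encode()).digest()


if __name__ == "__main__":
    master = b"constructed-master-secret"
    requests = [
        ("alice", "ledger", "tcp", 443, "10.0.1.5"),     # from the office
        ("alice", "ledger", "tcp", 443, "203.0.113.9"),  # from a coffee shop
        ("alice", "ci", "tcp", 22, "10.0.1.5"),          # app not visible to finance
        ("bob", "ci", "tcp", 8080, "10.0.1.6"),          # app visible, service not allowed
    ]
    for user, app, proto, port, src in requests:
        decision, seg = evaluate(user, app, proto, port, src)
        key_id = segment_key(seg, master).hex()[:8] if seg else "-"
        print(f"{user:6} {app:7} {proto}/{port:<5} from {src:12} "
              f"-> {decision:5} segment={seg} key={key_id}")
```

Running the script shows the same allow decision for the same user and service from an internal and an external address, and a deny when either the application is not visible to the user's groups or the requested port is not a permitted service for it; the derived key identifier changes with the segment, never with the source address.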
The CISO today is facing an unwinnable battle – security products are too rigid, costs are too high, risks are too great. While there is no doubt that mindsets need to change, that organisations need to stop side-lining security, the security industry must also make a fundamental change.
Today's business models are too fluid to be constrained by infrastructure-led security models – the result can only be financial, operational and risk compromise. Every time an organisation moves an application or adds remote users, the security posture breaks. Security thinking needs to change: organisations need to move away from the concept of owned and unowned networks or infrastructure and consider only users, applications and secure access – and the security industry must facilitate that shift.
Contributed by Paul German, CEO, Certes Networks
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.