At the monumental intersection of digital transformation, an industry-wide focus on SASE, and the continuing effects of COVID-19 on the way workforces function, we have never experienced such a seismic shift in all facets of business over such a short period of time. Today we see this transformation driving changes to corporate culture, business processes, and technology at such a rapid pace, our current security strategy cannot keep up.
Unlike past evolutions that were driven entirely by advances in technology, this change is driven by the digital transformation of businesses and the way workforces operate. The ongoing rapid deployment of cloud has given organizations a low-cost option for implementing significant processing power. Plus, workforces now demand the ability to work from anywhere; more than 90% of devices sold today are mobile, and those devices are being used to access business systems off-premises more than 50% of the time.
The digitalization of business processes has also driven the use of thousands of outsourced business applications. The typical enterprise has, on average, more than 1,200 SaaS applications in use, far exceeding the number of on-premises applications. This explosion in the amount of data and the number of locations it exists in has significantly increased the attack surface.
What’s more, the use of SaaS business applications has also drastically changed the volume and nature of network traffic. In the past, most internet traffic was accessing static information sites, but now more than 50% of internet traffic related to SaaS and cloud apps contains business-essential information. This shift in network traffic has resulted in a network inversion, diverting traffic away from on-premises security appliances in the data center and directly to the cloud. Change has happened.
Re-evaluating Your Strategy
At Netskope, we are leading the way for implementing the increasingly popular SASE framework for cloud security and networking, and have been described by Gartner as being further along in SASE than any other vendor. We have the opportunity to talk with CISOs worldwide on a daily basis and most agree that, even as security practitioners for decades, we’ve experienced major shifts, but never at the pace we see today. That’s intimidating. But it’s also the most exciting opportunity many of us have ever been part of.
Now is the time to reevaluate your security strategy, and that starts with understanding—and creating a next-phase plan for—seven forces that are shaping security transformation.
(Please access your complimentary copy of our recent white paper, “The 7 Forces Shaping Security Transformation,” for a deeper dive into each of these and recommendations you can action with your teams today.)
Business Strategy: Most successful business organizations have concluded that access to timely operations information results in higher-performing companies. Data analytics have become the lifeblood of the company, and access to the data needs to be available from anywhere at all times. As a result, successful CISOs need to enable the business to access the data and perform their jobs without the impediment of the individual user or application’s location. Each company differs, but all successful companies are maximizing their potential by using new SaaS-based applications and learning to treat security as a business accelerator. The most successful CISOs have transitioned from a “No, you can’t,” to a “Yes we can, and here’s how” mindset. Safely allowing users access to all relevant data, all the time, empowers the enterprise to secure its most competitive asset—its data—and thus gain an edge in the race to answer the most pressing business questions.
Information Technology Operations: Complexity is the enemy of security and we have made our security architecture too complex. Over the years we have seen a compounding effect of adding layers of security, especially at the endpoint. Unless you have done a recent cleanup, you will find the endpoint has numerous client security applications, all performing similar and/or overlapping controls. It is time to take a fresh look at what is running in the environment and consolidate and simplify the architecture. Moving toward best-of-breed platforms that provide integrated and seamless functionality will simplify your environment and lower your operational costs.
Risk Management and Risk Reporting: Changing business models are forcing a change in the way organizations handle their risk management. Business digitization processes are too dynamic and evolve too quickly for traditional risk management. The ability for business units to independently subscribe to a new cloud service presents a significant risk to the overall organization. Processes to discover, monitor, and control new business cloud services need to be implemented to understand and mitigate acceptable risk. In addition, risk must be reported across the business in a decentralized manner, ensuring that risk and data owners are aware of the effectiveness of the controls and countermeasures that have been applied.
Organizational Culture: Organizational culture can have a significant impact on the security program, and most boards are now requiring, at minimum, an annual report to the full board and a quarterly report to the audit subcommittee of the board. But the most significant change we have seen in changing organizational cultures is the rise of the remote worker amid the COVID-19 pandemic. Pandemic planning aside, most workers will already choose their employer and ask questions at the interview stage on this flexibility to ensure they have the best work-life balance. The next-generation workforce will demand it. As organizations reimagine their strategies, understanding the mobilization of the workforce will be critical. The mentality of work from anywhere, at any time, from any device, accessing any application, and sharing any information is supportive of this cultural change. This shift away from the traditional office is evident in most industry sectors today.
Adversaries and Threats: An important strategy, control, and measurement should always be to reduce attack surface and dwell time. (Dwell time can be measured as the duration a threat actor has undetected access to a network, system, application, device, etc. until access is identified and removed.) Measurements for dwell time must extend to cloud applications and web services to further protect these environments from a confidentiality and data integrity perspective. Not identifying a threat actor with access to an organization’s IaaS platform or data lake will cause a significant impact to the organization. Insider threats, both inadvertent and intentional, also remain pervasive. The insider threat is going to continue and will only grow in frequency and difficulty to detect, due to the mobilization of the workforce.
Government and Industry Regulations: Across the globe, countries and unions have applied aggressive mandates to control and protect data in and out of the country. The complexity of the rules in place continues to impact both global data protection and security teams that need visibility and control over their network and systems and not run afoul of these laws. For many of these laws, there is no simple answer as rules and guidelines continue to be developed to best support the government’s intentions to support both their economy and their trade arrangements. Recommendations to best manage these regulatory minefields include mapping the organizational data flows to truly understand where your organization may need to deal with these issues before they negatively impact the organization. Understanding where employees connect to and from cloud services, as an example, will help with maintaining a cross-border inventory of the locations that may need additional control and/or analysis. Sharing this information will provide greater visibility across the whole organization and can help support legal, risk, and audit teams in their understanding of the requirements. Building a strong coalition alongside the security team that factors into the location variable that cloud computing brings is a good first step to manage these forces.
Global Social and Economic Forces: By 2024, investments in cloud security will shift from the current ~20% of the budget to over ~60% of the security budget. Major investments will be moving away from on-premises appliance-based secure web gateways (SWG) to software-based Next-Generation SWGs that combine the functionality of data leakage prevention (DLP), web security, and cloud access security broker (CASB) into one platform. When implemented inline, the technologies can monitor and protect the information flowing to and from all critical business systems. It’s important to remember that global events will impact the security strategy in unforeseen ways. The COVID-19 virus made almost every extant business continuity plan obsolete. The gig economy, trade wars, and national conflicts are all additional examples of global events or trends with the power to reshape budgets and priorities.
Having an agile security strategy requires that you consider changes in each of these forces and adjust your strategy accordingly.
At the very least, you should:
- Be able to obtain and retain visibility into your risk levels, cloud services being used, attack surface, and movement of data across the cloud services;
- Expect to continue seeing shifts in the attacks from cyber adversaries, and in turn, be able to monitor the threat reports and adjust your security strategy and controls accordingly;
- Evaluate your security strategy and make changes now. Continuing to invest in appliance-based, on-premises controls will leave you lacking visibility and impact the workforce experience, as you wait for these investments to fully depreciate. During your next cycle, look at cloud-based, microservice-based systems that can easily upgrade as threats and solutions evolve.
Without using the seven forces to create a strategy, your organization will likely default to using a compliance-driven approach to define its security program, which has already proven ineffective for protecting organizations’ key information assets.
Far too few enterprise-level organizations have been given the kind of opportunity we’re seeing now to create a security strategy in the face of evolving threats and an ever-changing world. Break the mold from cookie-cutter approaches with your security strategy and use all seven of these forces to transform your security strategy for the better in the SASE-enabled, next generation of cloud security.
 Netskope research
 Cowen Group, Evolution of Security Creates Opportunity, May 2019