By: Sundaram Lakshmanan, CTO at Lookout
Lately, the region’s business community has returned to familiar ground. Unfortunately, it is not comforting green pastures. It is more of a wild thicket. We are back to doing more with less. We did it in the wake of the 2008 financial crisis. And following a domino-topple of epic proportions – the COVID pandemic, the worldwide economic downturn, supply-chain collapse, another oil crisis, and record inflation – here we are again.
As executives return to their corners to pore over strategy documents, their ruminations ultimately lead to a simple question: “How do I optimise operations while minimising costs to prop up the bottom line?” Every program, digital or other, is either a cost or a benefit to the business. And costs fall into one of two categories: necessary or frivolous.
After the move to the cloud – doubtless initially put in the “necessary cost” basket – businesses were faced with another cost that they must take care not to mislabel. The complexity of IT architectures and the rampant rise of shadow IT in the homes of remote-working employees call for an urgent rethink of cybersecurity. Unfortunately, cybersecurity is still seen as a cost by many of the region’s senior executives. But fortunately, they have come around to place it in the “necessary” bracket where it belongs.
A PwC report showed 43% of Middle East organisations expected a rise in the number of reportable incidents for this year; and aligned with this, 58% foresaw a rise in cybersecurity investment with 31% predicting spending jumps of 10% or more. All of these figures were greater than those for 2021. But this still leaves 42% who do not predict a spending rise. Perhaps these are organisations that believe, rightly or wrongly, that they have enough protection. Or perhaps these are companies that see cybersecurity as a frivolous cost that hinders operations and productivity. These are the organisations in which the CISO must constantly justify budgets and programs and often gets turned down.
This reputation is not entirely unfounded. Because everyone used to be bound to the office, security professionals became accustomed to procuring on a right-tool-for-the-job basis. This not only led to siloed information but was a drain on human resources as the operation of these tools took up most of the time of the IT or security team that used them. And these teams would either have to be permanently onsite or, if remote, using virtual private networks, which deliver less-than-optimal network connections. Such rigidity is at odds with the priorities of the modern employee, among which flexibility ranks high.
Wouldn’t it be great to find our way to a cybersecurity model that frees organisations from trading their defense posture off against productivity? Well, how about this? What if security could be an enabler of productivity and actually boost the bottom line? It can be if organisations start thinking about their security operations in a converged manner and taking advantage of the very cloud-native platforms that they may initially have thought of as necessary costs.
The road to culture change
Make no mistake, there is an investment involved. And the CISO will have to propose a culture change that gets line-of-business executives thinking about security as a long-term adder of value. In return, implementing cloud security will revolutionise the cost model. It will become more predictable, converted, as it will be, into an OPEX budget. SaaS security tools can do the same for the SOC as they did for IT, by making operations less labour-intensive, especially if the enterprise deploys solutions from a single platform, which cuts down on the time and costs associated with software integration. Teams are empowered. There will be no more running between consoles to try to make sense of threat signals. Monitoring and policy implementation can be done from a single chair.
Business and security executives will recognise the hard road ahead for a culture change like this. They will have poured investment into tools that they now must rip out and replace. They must train technical and non-technical staff anew having already done so on legacy systems. And they must spend time on new customisation, again having already done so with legacy infrastructure.
For example, security staff and data managers may have spent years optimising an on-premises DLP tool to identify and classify data to perfection, only to have that tool decommissioned in favor of one they must now be trained to use. But migrating to cloud solutions means policy enforcement can live in the cloud in co-operation with legacy investments.
Frivolous cost vs business benefit
In the world of hybrid work, many ideas have become outdated. Traditional security tools are among them. So is the very nature of employee productivity. The old tools are a drain on resources and do not enable employees to work how they want. One might then say that legacy tools have become a frivolous cost.
Conversely, centralised cloud-delivered security delivers a better view of the infrastructure with the right access to the right data telemetry at the right time, along with all the enforcement capabilities needed to effectively protect the digital estate. So, cloud-native security creates value. A business benefit, no?
We must stop thinking about security as a mere insurance policy against theoretical incursions. Otherwise, CISOs will never be able to demonstrate investment value to the board the way they can if we consider the way the modern employee demands to work and the no-going-back realities of today’s IT stacks. Once we consider the times in which we live, the status quo is revealed as a stale relic; and cloud-native security – especially as a single-platform implementation – emerges as the obvious successor. It breaks down silos, streamlines operations, and provides the kind of visibility that enables teams to beat back the cyber menace. You know… benefit stuff.