Article by Palo Alto Networks EMEA VP and CSO Greg Day
The “by the glass” consumption model, whereby businesses pay for IT resources and services as and when they need them, offers widely accepted financial and operational benefits that promote agility, scalability, and digital transformation.
The model is already working in the cloud and for IT. Leading cloud service providers such as Amazon Web Services (AWS), Microsoft, and Google all now charge by smaller and smaller increments, allowing customers access to services on an as-needed basis. For instance, AWS has been boldly aggressive in formulating its consumption model, actually charging customers for services used by the second. Business leaders should follow suit and challenge their CISOs if they are not adopting cloud as the platform that allows this change in consumption models.
There is no reason we should not be embracing this same idea for cybersecurity – a sector which unfortunately remains largely rooted in a procurement and deployment model that often results in over-provisioning, security silos, and management challenges. Security needs to have the capacity to not only respond in a timely fashion, but also adapt; maximum capacity is not needed at all times. Changing the consumption model from big-hardware investments to a pay-for-what-you-use model is vital.
Aligning stakeholder priorities
It goes without saying that the need for business executives and technical leaders to be on the same page – particularly in terms of priorities for deploying IT resources and services – is important to achieve business goals. However, more and more often, we run into examples where the two camps find themselves staring at a crossroads from two different perspectives.
Analysts have found that 67% of business leaders and board members are pushing CIOs, CISOs, and other technical leaders to evolve their services and approaches faster and more aggressively. Board members have climbed aboard the digital-transformation bandwagon, and they want their organisations to move quicker than their competitors toward that goal.
Research from Palo Alto Networks’ cloud security study which surveyed 500 CISOs in eight countries indicates that most cybersecurity executives believe things might be moving too fast for them to properly assess risks and their implications. Board members and business leaders have fast become big believers in the notion of “disposable IT,” which imposes a smaller footprint on enterprises, while providing greater agility and, potentially, cost savings. Many CISOs, however, are still in a traditional mindset of purchasing multiyear licenses for security, backed up by a lot of testing, risk analysis, and methodical decision-making. Organisations must find ways of spanning the chasm between the “go faster” mandate from the board and the “let’s tame the cyber-risk monster” philosophy of the CISO?
Businesses should pay heavy attention to actual usage patterns of IT and cybersecurity and how security maps to IT services, helping ensure cybersecurity consumption models mirror IT consumption models. For instance, if your IT organisation has adopted say, a DevOps process, your IT usage and availability profile could change every week, every day, or perhaps even every few hours. Security consumption must align with those IT-usage trend lines.
The process can be viewed by imagining a three-legged stool. First, there’s an operational need; second, the developers build the solution to meet that need; and, third, security must be bound to those operational and development cycles. Unfortunately, DevOps—so far—doesn’t typically include this security leg.
Business leaders are demanding real-time adaptation of software to match operational requirements, and security must match that every step of the way. If not, new DevOps scenarios and requirements will have come and gone before the security team can figure out what was needed—yesterday.
Hence, there’s a need to shift from DevOps to DevSecOps, where security is natively part of the DevOps process.
Adopting a pay-as-you-go cybersecurity consumption model enables the agility, responsiveness, scalability, and cost efficiency today’s application-development and deployment cycles require.
Organisations that hesitate moving this way are likely to find themselves over-investing in security capex and not being able to pivot on a dime when new risks emerge. Case in point: I recently meet with a CIO who wanted to transform his company’s data centre, and he told me it took an inordinately long amount of time re-architect, get approval, and roll it out. So much so that he admitted that, today, the centre is already out of date. Getting caught up in monolithic, long-term investments simply doesn’t make sense if you wish to remain competitive in the increasingly digitised markets.
Which brings us back to that tension between the business side and the technical side when it comes to security solutions which can occur when there is a disparity between business executives’ and CISO’s depth of knowledge about cybersecurity.
Moving to a pay-as-you-go model of cybersecurity consumption is a win-win for both the business leaders and the CISO. Both parties are safe in the knowledge that their data, business processes, routes to market, intellectual property, and sources of competitive advantage are protected against cyber threats. Moving to this model affords the business greater digital agility while avoiding over-provisioning, keeping its executives and board members happy. Meanwhile, the model ensures that the organisation is completely protected from cyber threats no matter how fast the organisation’s development. It also prevents the organisation from under-provisioning on cybersecurity, also keeping the CISO happy
If your organisation is going to have disposable IT as its new paradigm for digital transformation, and you intend to align cybersecurity with it, this changing world might leave CISOs feeling pressured to keep pace. But it doesn’t have to be a harrowing experience, especially if there’s a plan to move to a by-the-glass model for security, as well.
Discovering and thwarting breaches before they happen – and doing so against a rapidly evolving and increasingly innovative set of bad actors – can become prohibitively expensive and very manpower-dependent. As noted above, bringing cybersecurity into the mix is that third leg of the stool. Pay-as-you-go security enables agility, reduces costs, and can speed response times (since there is no limit to capacity).