Fighting Against the Current is For Salmon, Not Cybersecurity
Published 10/24/2023
Originally published by CXO REvolutionaries
Written by Daniel Ballmer, Senior Transformation Analyst, Zscaler.
It’s easy to lose sight of the big picture when seeking truths in the tech sector. Pick any topic in our industry, and you will discover a rabbit hole that forks repeatedly into equally fascinating subtopics. This is especially true in cybersecurity, where a cursory glance at our space raises countless questions about platforms, endpoints, networks, clouds, etc. Rather than sinking deeper into the mire of endless technical minutiae, let’s take a step back and see if we can glimpse where cybersecurity is headed.
What are you trying to protect?
Often, cybersecurity needs are framed in terms of protecting the organization’s “crown jewels.” This term refers to any information, operations, or infrastructure that is absolutely critical to the running of the business. Usually, organizations are worried about data. They must protect personally identifiable information (PII), the organization’s intellectual property (IP), financial records, credentials, and other proprietary data. This makes data protection a decent metric for discussing and measuring cybersecurity.
Where is data going?
Let’s take a big-picture view of where the world’s data is moving. If you’re dealing with large amounts of business-related data, it’s highly likely you, your vendors, or your partners are using the cloud. This view is reinforced by numerous publicly available sources studying the topic.
Take a quick look:
- Over 50% of enterprises will accelerate their business initiatives by leveraging cloud platforms by 2027.
- Roughly 85% of organizations currently deploy applications on more than one cloud provider.
- Gartner predicts 65.9% of application software spending will be dedicated to cloud technologies by 2025.
In short, cloud adoption has enjoyed a nearly two-decade run, and it continues at a robust pace. Information is increasingly migrating from business offices to the distributed cloud. Data that has moved beyond the castle-and-moat firewalls of legacy networks needs new security measures. It may be tempting to lay this responsibility at the feet of cloud providers, but doing so is highly inadvisable.
Cloud security uses a shared responsibility model that may not be intuitive, and threat actors are quick to exploit any misunderstandings. Enterprise security journal CSO Online said in a recent cloud security report, “About 87% of container images include a high or critical vulnerability, while 90% of granted permissions are not used…” The Cloud Security Alliance recently recapped some significant cloud breaches, citing misconfigurations as a major culprit in facilitating attacks.
How is cloud data protected?
What are organizations doing to protect cloud-resident data? Legacy castle-and-moat network security measures are useless when a business’s data gallops across the drawbridge and over the horizon. Protecting offsite data becomes more complex when employees are also working from multiple remote locations. Fortunately, the zero trust security framework is well-equipped to address the needs of modern organizations. The value of zero trust is apparent when we take a macro view of modern security trends. For example:
- The zero trust security model is replacing other secure connection technologies, such as VPN, in 60% of enterprises.
- The zero trust framework is a mandated goal of the U.S. federal government, and is being driven by agencies such as CISA.
- Microsoft reports 76% of organizations have started their zero trust journey, and 96% of security professionals believe it is critical to their organization’s success.
Zero trust, considered critical by security professionals, is mandated for U.S. public institutions and is being adopted by most organizations. These factors show that the rising dominance of cloud architecture and zero trust is not merely marketing hype. It is the boots-on-the-ground reality embraced by businesses today.
Why are businesses adopting cloud services and zero trust? The most apparent explanation is market forces. Migrating apps to the cloud and adopting software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) technology gives businesses a competitive advantage over their peers. These services are highly scalable, facilitate access from anywhere, and enhance a business’s productivity. Likewise, a well-implemented zero trust framework offers businesses a security and performance edge over their competitors. Much has been written about both advantages, but the bottom line is that efficiency, convenience, and productivity are driving the adoption of the cloud and zero trust.
Digital transformation by degrees
Migrating to the cloud and adopting zero trust (a.k.a. digital transformation) can improve your business operations, but results will depend on the implementation process. Like fine-tuning a race car, some changes are going to yield far greater rewards in a shorter time frame. Wisely choosing when and where to apply each new process is key to maximizing the benefits of digital transformation. Also, as with race cars, those who make the best optimizations will gradually inch ahead of their competition.
Here are a few things to consider when planning your digital transformation:
- Identify a department, infrastructure, or business process where cloud migration and/or zero trust will most likely deliver the best value. Know who will be vital to implementing the change. Develop a plan that clearly defines roles and responsibilities.
- Organizational changes are more manageable with the support of the business culture and other leaders. Set expectations by explaining to leadership how a change will likely impact workers and business processes. Relay how long the change will take, why it is being implemented, and the expected economic and workflow benefits.
- Adopting cloud architecture and zero trust security is a journey, not a sprint. Pursue digital transformation in phases by setting a series of achievable and measurable goals. Take time at each milestone to assess what went well and identify where transformation processes need improvement.
Several books have been written on zero trust and cloud adoption that cover these topics in depth. Yet many technology leaders will overlook them, wrongly believing they are just more of the millions of available resources promoting a self-serving view on enterprise security. This is why looking at the more significant trends in the industry is essential. The cybersecurity industry is awash with noisy marketing material, but industry trends show where businesses are putting their money. Today’s industry trends are clear – cloud adoption and zero trust are two topics that should be on every organization’s radar.