May 17, 2020

It’s time for a change to cybersecurity consumption

Palo Alto Networks
Greg Day

Widespread adoption of the cloud has made business executives and board members comfortable with the idea of paying for IT resources and services “by the glass.” Moving to such a consumption model offers widely accepted financial and operational benefits that promote agility, scalability, and digital transformation.

Leading cloud service providers such as Amazon Web Services (AWS), Microsoft, and Google all now charge by smaller and smaller increments, allowing customers access to services on an as-needed basis. For instance, AWS has been boldly aggressive in formulating its consumption model, actually charging customers for services used by the second. Business leaders should follow suit and challenge their CISOs if they are not adopting cloud as the platform that allows this change in consumption models. Moving from a monolithic, capex-based, high investment to an on-demand, pay-as-you-go model with infinite capacity is clearly the way of the future, as digital agility is increasingly seen as a key business advantage.

Cybersecurity, however, unfortunately remains largely rooted in a procurement and deployment model that often results in over-provisioning, security silos, and management challenges. The critical point here is that security needs to have the capacity to not only respond in a timely fashion, but also adapt; maximum capacity is not needed at all times. This change in consumption—moving from big-hardware investments to a pay-for-what-you-use model—is key.

Bridging the divide

We all talk a lot about the need for business executives and technical leaders to be on the same page in terms of priorities for deploying IT resources and services to achieve important business goals. But, more and more often, we run into examples where the two camps find themselves staring at a crossroads from two different perspectives.

At a recent analysts’ conference that I attended, I heard that 67% of business leaders and board members are pushing CIOs, CISOs, and other technical leaders—hard—to evolve their services and approaches faster and more aggressively. Board members have climbed aboard the digital-transformation bandwagon, and they want their organisations to move quicker than their competitors toward that goal.

But other research among CISOs indicates that most cybersecurity executives believe things might be moving too fast for them to properly assess risks and their implications. For security, that means business leaders want to deploy not only applications in the cloud, but also vital IT services, such as security, to avail themselves of all of the cloud’s benefits. Board members and business leaders have fast become big believers in the notion of “disposable IT,” which imposes a smaller footprint on enterprises, while providing greater agility and, potentially, cost savings. Many CISOs, however, are still in a traditional mindset of purchasing multiyear licenses for security, backed up by a lot of testing, risk analysis, and methodical decision-making.

How should organisations span the chasm between the “go faster” mandate from the board and the “let’s tame the cyber-risk monster” philosophy of the CISO?

The consumption model for security

Cybersecurity consumption models must mirror IT consumption models, with heavy attention to actual usage patterns and how security maps to IT services. For instance, if your IT organisation has adopted, say, a DevOps process, your IT usage and availability profile could change every week, every day, or perhaps even every few hours. Security consumption must align with those IT-usage trend lines.

It’s helpful to view this process as a three-legged stool. First, there’s an operational need; second, the developers build the solution to meet that need; and, third, security must be bound to those operational and development cycles. Unfortunately, DevOps, so far, doesn’t typically include this security leg. Research indicates that about 80% of organisations are embracing DevOps, but far fewer have made the transition to DevSecOps.

DevOps cycles move faster and faster each day. Business leaders are demanding real-time adaptation of software to match operational requirements, and security must match that every step of the way. If not, new DevOps scenarios and requirements will have come and gone before the security team can figure out what was needed—yesterday.  Hence, there’s a need to shift from DevOps to DevSecOps, where security is natively part of the DevOps process.

If your CISO isn’t able to be an equal part of this DevOps process, then he or she is going to need to prepare a really good explanation to the C-suite executive team and the board. The reality is the business will simply continue without their support.

You can never be too agile

Adopting a pay-as-you-go cybersecurity consumption model enables the agility, responsiveness, scalability, and cost efficiency today’s application-development and deployment cycles require. Organisations that hesitate to move this way are likely to find themselves over-investing in security capex and not being able to pivot on a dime when new risks emerge.

Case in point: I recently met with a CIO who wanted to transform his company’s data centre, and he told me it took an inordinately long amount of time to re-architect, get approval, and roll it out. So much so that he admitted that, today, the centre is already out of date. Getting caught up in monolithic, long-term investments simply doesn’t make sense if you wish to remain competitive in the increasingly digitized markets.

Which brings us back to that tension between the business side and the technical side when it comes to security solutions. Most business executives acknowledge that they lack in-depth technical chops in cybersecurity, so they tend to rely on their CISO for strategy and operations. But they do know this: They want their data, their business processes, routes to market, their intellectual property, and their sources of competitive advantage to be protected against cyber threats. The CISOs, of course, want all this, too, but they often want it to be the result of a Rolls-Royce solution. The business leaders typically think that this is simply overspending and can take too long to implement.

The new agile consumption model allows organisations to create state-of-the-art, scalable, and affordable cybersecurity that aligns with digital transformation goals and the crucial need for more agility.

A changing world

If your organisation is going to have disposable IT as its new paradigm for digital transformation, and you intend to align cybersecurity with it, this changing world might leave CISOs feeling pressured to keep pace. But it doesn’t have to be a harrowing experience, especially if there’s a plan to move to a by-the-glass model for security, as well.

Remember: The goal is to discover and thwart breaches before they happen, and doing so against a rapidly evolving and increasingly innovative set of bad actors can become prohibitively expensive and very manpower-dependent. As noted above, bringing cybersecurity into the mix is that third leg of the stool. Pay-as-you-go security enables agility, reduces costs, and can speed response times (since there is no limit to capacity). The value of such a consumption model is clearly working in the cloud and for IT, and there is no reason we should not be embracing this same idea for cybersecurity.

End points

  • A change in security consumption—moving from big-hardware investments to a pay-for-what-you-use model—is key.
  • With this model, there’s a need to shift from DevOps to DevSecOps, where security is natively part of the DevOps process.
  • Pay-as-you-go security enables agility, reduces costs, and can speed response times (since there is no limit to capacity).

Greg Day, Vice President and Regional Chief Security Officer, EMEA at Palo Alto Networks
