Not just defensive: Cybersecurity as an enabler for business

The unavoidable disruption that businesses have experienced has pushed the security teams to make enablement a primary objective

Gulf Business

Disruption is the ‘new normal’ for businesses globally, from pandemic and trade re-negotiations to cyberwars. 57 per cent of board directors believe an economically and politically polarised society is today’s most significant source of risk, and those points of polarisation – evident each day in the news – directly link to projects on both chief information officer (CIO) and chief information security officer (CISO) agendas. CIOs are working on adding, amending or strengthening logistics workflows, supply chains, commercial and service delivery models, partnerships and geographic footprints. In all these programmes, cybersecurity can be seen as a hurdle – one more challenge to navigate on the way to a successful business outcome. But this attitude is misguided.

Security should be viewed as an enabler of business agility. Traditionally, security has comprised binary access decisions – allow or block. In this way, it has been positioned as a gatekeeper with the power to approve or restrict programmes. Until recently, advances in security have focused on improving the ability to make these binary allow/block decisions. So, inevitably, security has failed to shake off its reputation as a roadblock to innovation, one that prohibits more than it enables.

Nevertheless, things are now changing. Security is evolving to become “smarter”, enabling it to see nuance and context, upon which it can build agility and flexibility. The focus on operational efficiency has not gone away – indeed, significant gains have also been made in that area. Still, the unavoidable disruption that businesses have experienced has finally pushed security teams to make enablement a primary objective.

Since 2020, security teams worldwide have enabled movements in the workforce on an unprecedented scale. They have supported fast and decisive upheaval in supply chain operations to ensure business continuity. They have facilitated the complete reinvention of go-to-market strategies for organisations whose customer base disappeared overnight. Security teams stepped up, alongside their peers, to be heroes of positive action. So, what changed? Did CISOs and their teams stop saying no on a whim because there was less to be fearful of? Quite the opposite.

The modus operandi
According to Cybersecurity Ventures, a business fell victim to an identified ransomware attack every 11 seconds in 2021, up from every 40 seconds in 2016. The same company predicts that global cybercrime damage will hit $10.5tn annually by 2025. However, the number of attacks is only part of the picture, because cybercriminals have changed their modus operandi, using new cloud attack surfaces. They have moved both their infrastructure and their attack targeting to the cloud.

The cloud is forcing a complete transformation in how security teams architect the protection of their organisation. The traditional security architecture concept sees teams building secure perimeters around corporate assets and policing the traffic that comes in and out of that secure area. For many organisations, this ideology still underpins their security strategy, and they continue to invest in hardware appliances and sit them in data centres that no longer actively host users, applications, or data. But in the cloud era, it is becoming increasingly apparent that this approach is not fit for purpose.

Rethinking security architecture
In 2019, Gartner recommended a new approach to security architectures – secure access service edge (SASE). SASE is a concept for a cloud-based security architecture framework. A large part of the SASE vision is the security service edge (SSE), the fundamental set of security services in SASE. It provides the capabilities necessary for implementing security services to protect remote workers, cloud-based technology, and existing on-premises applications and infrastructure.

So what does this security transformation achieve, and how does it support the CIO’s objectives?
1) When security is cloud-based and data-centric, user and data location are no longer limiting factors. Users and data can be secure, regardless of location or access device.
2) Deep contextual understanding of data types and usage means policies can be designed with more granularity than allow/block. This means security teams can enable more without opening up undue risks.
3) Securing the data, rather than the application, means security visibility does not only include sanctioned applications. As a result, business units can innovate and find productivity gains without constantly wading through time-intensive security authorisations that can take months before an application is allowed to be helpful.
4) Organisations are reporting savings of millions of dollars as they find cost benefits through vendor consolidation and technology management integration, as well as a significant reduction in networking overheads because security is applied in-line, and everything no longer has to route back to appliances in the data centre.

CIOs today are stepping up, using digital transformation to innovate across the entire organisation. However, digital-based opportunity always brings digital-based threats and risks. During this time, the CISO is a crucial business partner. The IT estate infrastructure has become almost unrecognisable compared to what it was 10 or 20 years ago, and security is overdue the same shake-up. With the right security architecture – cloud-based, data-centric SSE – security is ideally placed to contribute and enable agile business success.

Ilona Simpson is the CIO at Netskope EMEA
