Categories
The Business Value of Proactive Automated Cloud Security
June 1, 2017The WannaCry attack in mid-May showed us all a few things:
- Organizations focus on the minimum IT assets and security controls needed to continue business operations
- Because of that, organizations are slow to implement much-needed security controls (like the Microsoft SMB server patch)
- And then when incidents like WannaCry happen, organizations scramble to control the damage and can end up breaking business continuity through losses in time, money, and credibility
These points are reflective of security practices that rely primarily on reactive measures. Our post on why proactivity and automation are cloud security essentials, along with the WannaCry incident, show us why we can’t afford to focus mostly on reactive measures anymore. And remember, the WannaCry incident is just the latest in a long list of similar security issues that have come up over the past few years.
When incidents like this happen, we’re forced to realize that a focus on reactive measures is caused by viewing security as an afterthought rather than an ongoing business process. So we’re prompted to ask:
- Why aren’t we truly aligning our security initiatives with our business goals?
- What is the business value of the alternative (and, in our opinion, better) practice of proactive and automated security?
In answer to the first question, you might say that it takes time to implement security controls like patches and to create ongoing processes for secure operations. So, you choose to implement the bare minimum in order to control costs and avoid disrupting business operations too much. We don’t disagree. But our point is that it’s worth it, from both a business and security standpoint, to invest in rigorous, ongoing security before an incident happens. And if done right, proactive practices will actually save your organization time and money. Some processes, such as DevSecOps, already reflect this mindset.
Let’s view this argument in another light: cloud adoption. Organizations are moving to the cloud to take advantage of its flexibility, scalability, and agility, which create this business value:
- Faster time to market
- Lower and predictable costs (in theory)
- Flexible services for employees and customers
However, organizations commonly believe that their cloud service provider is responsible for security, while the reality is that cloud security is a shared responsibility between the CSP and the customer. This misconception can lead to improper cloud usage (e.g. shadow IT) and lack of security automation, incurring high costs and labor time around security and slowing down business operations. Organizations may thus believe that there is a tradeoff between business agility/continuity and comprehensive security. With this mindset, it’s tempting to forego proactive security practices in exchange for business agility and continuity on the cloud.
But what most organizations don’t account for is the very real possibility of broken business continuity due to a security incident. When planning resource allocation, organizations may be sure account for normal IT operations and minimum security operations, but often don’t take into account the resources needed to handle security incidents. Even if organizations have disaster recovery plans, they cannot simply accept the cost of incidents anymore because their attack surface on the cloud is much bigger than it was in traditional IT environments. A bigger attack surface leads to much higher risk exposure, meaning that if you’re not comprehensively managing security, a breach is a question of “when” not “if” (WannaCry shows us that anyone can be impacted).
Instead of hoping that a security incident doesn’t happen to you, or allocating resources just for incident response, you can be proactive in drastically reducing your attack surface and cutting down your security expenses. Cloud security necessitates proactive and automated security practices (we recommend reading this article for an explanation of why proactivity and automation are cloud security essentials).
At Cloud Raxak, in close collaboration with our customers and strategic partners, we have developed a model that translates the risk exposure of your cloud environment to potential loss in dollar amounts from both ongoing risk and damage from incidents (we will expand on this topic in future articles). But the model mainly shows that you can use proactive automated security to:
- Drastically reduce the time, money, and labor involved in comprehensively managing cloud security
- Truly align your security initiatives with your business goals
Based on this, we come to answering the second question: what is the business value of proactive automated cloud security? Here are a few points:
- Faster time to market
- Lower and predictable costs (in reality)
- Flexible services for employees and customers
- Ensured business agility and continuity both normally and in times of attack
- Continuous and consistent protection of data, employees, and customers
- Increased credibility and deepened trust with customers
- More time and money to put towards achieving business goals
Proactive automated security allows you to time- and cost-effectively view security as an integral ongoing business process, not just an afterthought. With this mindset, you can eliminate the tradeoff between comprehensive security and business agility/continuity. You can actually use proactive automated security to enable business continuity, since proactive automated security aligns your security initiatives with your business goals. Instead of inhibiting your business (like many manual or reactive security practices), proactive security actually enables your business by continuously and consistently ensuring the protection of your activity and data. When you align your security posture with your business objectives, you are truly protecting the core entities of your business: your employees, customers, and data.