Why the cloud is the new rainmaker for cybersecurity
- The growth in cloud-based platforms and apps has caused a shift in cybersecurity.
- Customers are no longer in full charge of their own cybersecurity.
- Software developers exert far more influence in cybersecurity decision-making in this new cloud world.
With the advent of remote work, companies – including those in legacy industries – have been forced to adopt SaaS (software as a service) and cloud tools to stay competitive and agile. Modern, cloud-based platforms like Zoom, Slack and Salesforce have become critical in enabling knowledge workers to collaborate efficiently from their homes. As beneficiaries of this tailwind, public cloud hosting providers like AWS, Microsoft Azure and Google Cloud have seen phenomenal success. According to Gartner, spending on cloud providers is forecast to increase to $178 billion in 2022 from $141 billion in 2021.
But while public cloud providers have made it easy to use modern software tools, the shift to the cloud has led to big cybersecurity challenges. Cybersecurity for the cloud-first world is a paradigm shift from traditional, on-premise security. In the previous situation, customers hosted their applications in their own data centres and had full control of their environments and security. Customers operated in a “walled castle” – where the network and applications were secured and controlled by them.
However, when customers adopt public cloud providers, security becomes a responsibility shared between them and the cloud providers. For example, if a customer stores data in the AWS data centre, the customer has to configure and manage their own cybersecurity policies. Although the customer does not have full control of data in the AWS data centre, security breaches are still the customer’s responsibility. In this regard, customers adopting public clouds are no longer in full control of their own security. Security concerns are often one of the top barriers to cloud adoption.
Moreover, cloud environments are more complex to secure. Modern cloud customers often employ an architecture called microservices, in which each component of an application (e.g. search bar, recommendation page, billing page) is built independently of the others. There could be up to 10x more workloads (e.g. virtual machines, servers, containers) and microservices in the cloud than on-premise. This increased fragmentation and complexity leads to access control issues and increases the probability of errors – for example, a developer leaving a sensitive password in an AWS database that can be exposed to the outside world. Simply put, the attack surface area is larger and more complex in the cloud.
Cybersecurity for the cloud-first world
Beyond product complexity, the shift to the cloud has led to an inversion from a top-down to a bottom-up sales pattern, where security buying decisions are made by developers, not CISOs (Chief Information Security Officers).
This has occurred for two reasons. First, cloud has increased application development velocity and, as a result, cybersecurity is moving from an afterthought to a critical component of developer workflows. Traditionally, developers were responsible for writing code and product releases, and the CISO’s team was responsible for cybersecurity. There was a clear bifurcation in responsibilities. Today, however, developers at modern companies ship new code and product releases every day or every week because cloud has made it much easier to do so. We are now used to our favorite apps (e.g. Netflix, Amazon, Uber) updating themselves frequently, but this was not the norm in the old days. With the increased frequency of deploying new code, cybersecurity has become a problem that developers now have to care about.
Second, the early adopters and power users of cloud are modern start-ups and mid-market customers, where buying decisions are more decentralized. Traditionally, security decisions at large enterprises were made by CISOs. Such sales processes involved lengthy proofs of concept and negotiations, and the CISO made the buying decision for the rest of the organization. Start-ups and mid-market customers, meanwhile, often give their developer teams the autonomy to make security buying decisions directly. For example, in one of the customer councils I attended, a CISO at a fast-growing fintech start-up admitted that his developers had full autonomy to choose which security products to buy.
This new bottom-up sales model fundamentally disrupts how cybersecurity software gets built and sold. Selling to developers is a different model from selling to the CISO. Developers prefer self-serve features – they often like to try and experiment with products before buying them. This requires a product-led sales model – building self-serve and freemium capabilities and attracting a large inbound top-of-funnel of free users. This new sales model is completely different from how traditional security incumbents operate: they rely on a sales-led model – hiring big sales teams who sell large deals to CISOs in an outbound fashion.
Traditional security incumbents such as Palo Alto Networks, Cisco, Fortinet and Check Point were created when on-premise-centric architectures were common. Their products do not scale for the cloud-native architecture, and their sales teams have not adapted to the new product-led sales motion. The shift to the cloud has created new opportunities for start-ups to disrupt the security industry entirely. Large security incumbents like Palo Alto, Check Point and Fortinet alone have a combined market cap of over $100 billion. Cloud security is going to be a much bigger market. It’s exciting to watch the changing of the guard.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.