Believe it or not, I have actually seen even large and otherwise sophisticated IT departments fail at moving security to the cloud. At first, it doesn’t even compute. The cloud is supposed to be easier. It’s supposed to be more agile. It’s supposed to be better! And it is…mostly. So why are some failing at it before completing their vision of the future?
There are many reasons, but let’s consider just a few of the more common ones:
- Culture: Many IT organizations are still deep in the information security culture of yesteryear. So deep, in fact, that they just…can’t…move…forward. But hey, if there weren’t such a thing as the status quo, there wouldn’t be a term for it, right? Where information security is often called “The Department of No”, these organizations impose the very same on themselves. Well, at least they are consistent.
- CapEx vs. OpEx: A few years ago this was a big deal. A very big deal! IT departments had their CapEx budgets and services didn’t fit into them, so IT leadership just took a pass on services. Of course it’s not a problem for most at this point, so cloud security services are now on the menu. BUT…that doesn’t mean that decades of experience by IT leaders who have always grown up with CapEx as the leading purchasing lever are so quick to give it up. Perhaps even subconsciously, this is where many are simply more comfortable. It’s certainly worth considering how decades of programming ourselves in this way might impact our decisions. And it’s not a stretch to think that this programming would be powerful enough to cause the more risk-averse to retreat to their comfort zone.
- Leadership Changes: In this case, the shift to the cloud was led by a change agent. But that change agent left, and in his/her wake a new regime came in…with the old playbook. It’s truly sad to see real progress rolled back in this way, but it most certainly does happen. Unfortunately, the security models of 5 years ago don’t work all that well in the cloud generation. And they are certainly going to struggle over another 3 to 5 years of CapEx depreciation by buying a bunch of hardware and software. At a personal and professional level, it’s a tough spot to be in: continue on course to the cloud way of doing security, or maintain the status quo? In the end, only the results should speak for themselves.
- Bad Advice: VARs. The “Value Added Resellers” of a bygone era may not be adding any real value. In fact, they may be offering only negative value, which certainly isn’t good for you or your business aspirations. The reality, though, is that these VARs have their entire business model committed to selling more and more appliances. The cloud doesn’t work for them, so they keep coming in, buying lunches, and doing all they can to convince you that the cloud is a fad. Yeah, tell that to all the VARs who used to be BackOffice or Siebel server experts…if you can find any. That business, as we all know, is now in the direct hands of Office 365 and Salesforce, respectively. No servers needed. It’s time to take the hardware-pushing VARs’ advice for what it is now worth in the cloud-first generation…virtually nothing.
But the #1 Reason…is Not Being Agile Enough!
For every action, there is an equal and opposite reaction, right?
If you move to the cloud, boxes go away. And picking up more agility as part of this move requires that the organization itself be fully agile, whether it realizes it or not.
And that’s the problem. Not every IT organization is fully agile. Many are, in fact, more of a waterfall variety, slowly moving downhill to the path of least resistance. And getting to the cloud — especially cloud security — the right way requires the full vision and execution to be implemented as aggressively as possible.
Bottom line: when the security platform is more agile than its human handlers, it’s almost a sure bet the humans will revert to wherever it is they feel safest. Right or wrong, that’s the conflict that puts oh-so-many into reverse.