The Greatest Threat to Cybersecurity? Fear of Change
For modern enterprise IT leaders, protecting corporate resources is an expectation, a mandate, and a cost of doing business. IT leaders oversee their organizations' defense against growing cyberthreats, and the magnitude of that challenge isn't trivial. (As a point of reference, the Zscaler cloud must deter more than 100 million attacks each day.)
Cyberattacks are nasty, but can be repelled. Corporate peace of mind is imperiled by something more ominous... something IT leaders often hesitate to acknowledge. The biggest cybersecurity threat in the world right now isn't foreign government-sponsored DDoS orchestration, the latest ransomware strain, or even the most menacing threat actor. With apologies to FDR, the only thing enterprise IT leaders have to fear isn't fear itself, but their own reluctance to change.
Hub-and-spoke: Disconnected From the Way We Work
Enterprise IT remains inexorably loyal to legacy hub-and-spoke network architectures and associated hardware-appliance-based security. Hub-and-spoke was designed 40+ years ago for a pre-internet, closed-network environment. In an age of remote access, cloud applications, and BYOD, the legacy architecture breaks down. The way of work has changed, but the network security model has not: Remote users log on from coffee houses, access resources in the cloud, and demand near-Netflix-like performance. But they endure hub-and-spoke backhauling, VPNs, and network lag, and if it's inconvenient to get on the corporate network, they bypass it and go directly to the cloud.
A big part of the problem is the legacy network design itself. Hub-and-spoke LAN/WAN architectures present an enticingly large attack surface to bad actors, exposing all the riches of the metaphorical corporate castle to any successful intruder. The notion that a castle-and-moat security approach can somehow secure the entire network -- including internet and cloud access -- is not just outdated, but dangerous.
Castle-and-Moat: Trying to Dam a Waterfall from the Bottom Up
Faced with this metaphorical disconnect between the way employees work and the way IT secures the castle, many IT leaders -- with the best of intentions, mind you -- double down on hardware investment. Threats loom, so they add more firewall security to a linear remote gateway, slowing performance further. (Some virtualize those gateways in the cloud, but do little more than move the bottleneck from their own data center to AWS'.) Do they need to defend against new threats? Do they need more bandwidth? They throw more boxes at the problem. It's an expensive, unscalable, reactive approach that is ultimately self-defeating. Trying to combat future cyberthreats with hardware-appliance-based security is like trying to dam a waterfall from the bottom up.
Direct-to-Cloud Connectivity: Secure, Efficient, and Netflix-Fast
Direct-to-cloud connectivity offers a secure alternative. Users connect directly to applications (including internally-developed ones) in the cloud, bypassing (and supplanting the need for) the corporate network. Security is delivered inline, bidirectionally, close to the user, and via globally-distributed multitenant edge computing: Nothing bad gets in, nothing bad goes out. Policy-based security is at user level: Risk is isolated to individual, ephemeral cloud-access instances.
Without network hardware, appliance maintenance, or VPN expenses, direct-to-cloud is cheaper. Without MPLS backhauling, gateway bottlenecking, or bandwidth constraints, direct-to-cloud is faster. Without east-west risk, attack surface, or inspection-sampling, direct-to-cloud is more secure.
Meanwhile, cybersecurity attacks grow more frequent, more complex, more virulent, more sophisticated, and, frighteningly, more coordinated. (My colleague Stan Lowe recently wrote about it in Forbes.) Yet many IT stakeholders continue to pin their hopes on hardware-appliance-based security solutions, despite indisputable, growing evidence of their fallibility. If you could replace your expensive, slow, and unsecurable legacy network architecture with faster, more efficient, and more-secure direct-to-cloud connectivity, why wouldn't you?
If only that were a rhetorical question. Several factors contribute to institutional inertia to migrate to the cloud from legacy security models:
- Change is hard. Ever tried to migrate from one ERP system to another? Enterprise technology -- especially hardware-based security solutions -- carries intentionally-built-in switching costs. This is especially difficult when the technology determines corporate workflows (and a big reason why consulting firms develop change-management practices).
- It's what they know. How do you sunset a technology if your team is certified on it? In cloud transformation, "before" IT skillsets don't always align with the ideal "after." But the sunk costs of existing certifications should not preclude doing the right thing for the sake of corporate security. ("We've always done it this way" is music to threat actors' ears.) With a little retraining, IT stakeholders can shift from firefighting to proactive, value-adding leadership.
- Control is hard to relinquish. With hardware-based security, it's a tactile comfort to know the firewall is on a rack down the hall. Moving to cloud can seem like letting go of control. But it's not: IT leaders have more control with a user-level, policy-based cloud security model than with a secure-the-entire-network hardware approach.
When network-hardware-appliance myopia blinds IT leaders to better security, companies become less able to defend against threats, and the bad guys win. We have a responsibility to take arms against a sea of cybersecurity troubles, and by opposing, end them. We must embrace change...and be willing to migrate from ineffective, performance-degrading, vulnerable hardware-based security to secure, efficient, and fast direct-to-cloud connectivity.
Talent Operations and Systems
5 years ago: Fantastic article! Thanks for sharing
South Region CCE Sales Professional @ GreenMark Equipment
5 years ago: I definitely think it is human nature to be scared of change and overly cautious. I was just thinking this morning about some of the new things in tech that are terrifying. (Particularly in the health world). However, change will be necessary to keep things safe. Thank you for sharing.
Director of Compliance
5 years ago: LOVE! the graphic! Genius. Thanks Jay for the powerful reminder.
Sr. Manager - Enterprise Indirect Sourcing| Category Management Create Strategic Advantage| Manage Cost | Agile Sourcing
5 years ago: Excellent read...