Cybersecurity professionals are paid to be paranoid and tend to want to control everything they can to minimize surprises or third-party dependencies. This has always been the case with regard to security technology. Historically, CISOs mistrusted managed services, preferring instead to “own” the deployment and operations associated with their security technologies.
While cultural attitudes toward security control remain today, demand- and supply-side changes are influencing new security technology decisions.
On the demand side, CISOs are coping with a global cybersecurity skills shortage. According to research from ESG and the Information Systems Security Association (ISSA), the skills shortage has an impact on around 70% of organizations, increasing the workload on security teams and forcing them to focus the bulk of their attention on high-priority alerts only. This means that while CISOs may want to “own” everything, they don’t have the resources to do so.
On the supply side, vendors like CrowdStrike, Proofpoint, and Zscaler tend to eschew on-premises offerings, opting instead for cloud-based SaaS security technologies. Other security technology vendors have quickly followed suit. This means that innovation and flexible solutions are migrating to the cloud.
Given these market dynamics, ESG wondered how security technology procurement and operations attitudes are changing (if at all). As part of a recent survey of 232 IT and cybersecurity professionals, ESG asked survey respondents whether their organization prefers on-premises security technologies or cloud-based security technologies, or if they consider both options and then decide on a case-by-case basis.
The resulting data demonstrates that security professionals’ attitudes are evolving: 42% consider on-premises and cloud-based security technologies and then decide on a case-by-case basis, 31% prefer on-premises security technologies, and 26% prefer cloud-based security technologies. Some quick addition demonstrates that 68% of organizations are open to or prefer cloud-based security solutions.
Okay, so why do nearly one-third of organizations hang onto on-premises security technologies so tightly? Not surprisingly, 40% say that they prefer to control all aspects of security technology themselves, 37% believe that their organization can deploy and operate on-premises security technologies better than cloud-based alternatives, and 33% admit that they don’t want to store sensitive data in the cloud. It’s still all about control.
How about those that prefer cloud-based security technologies? Well, 36% say that cloud-based alternatives eliminate the time and resources needed to provision onsite resources like servers and storage, 34% claim that cloud-based alternatives are constantly updated, eliminating the need for product upgrades, and 33% believe that cloud-based security technologies can accelerate deployment time and time to value. It’s all about flexibility and operational efficiency.
IMHO, there is no right or wrong answer here and security technology choices will be governed by company culture, industry, resources, regulations, etc. Nevertheless, it’s important that security professionals realize that more and more technologies, security or otherwise, will be delivered as SaaS-based services. Like it or not, this will impact where innovation and potentially ROI benefits will come from.
To me, security solution decisions should be based upon how well the solution meets your requirements (i.e., security requirements, business requirements, financial requirements, etc.) and not on form factor. Therefore, the 42% willing to consider on-premises and cloud-based solutions and then decide on a case-by-case basis have the right model.