Are You Mature Enough to Secure Your Cloud to its Fullest Extent?

Every organization, whether it’s using on-prem, public cloud, or hybrid cloud architecture, needs a suitable security solution. Choosing the right cloud security solution is a challenge for every enterprise. You need a unified security system that is powerful enough to protect your entire infrastructure, interacts successfully with your existing legacy server-based security tools and gives you the capabilities and the confidence to scale further.

Consensus is growing that the most powerful and flexible cloud security solutions are those that use micro-segmentation to provide complete network security. The basics of micro-segmentation are built into the cloud through security groups, which are integrated into every cloud offering, albeit with limited functionality. Unleashing the full potential of micro-segmentation beyond layers three and four of the OSI model, and using application-aware micro-segmentation, would yield the highest possible security benefits. It’s generally assumed that such capabilities are only suitable for the most mature enterprises, which have the knowledge, desire and resources to implement them fully.

Is this truly the case? Perhaps the benefits of advanced cloud security systems could be enjoyed by enterprises which still haven’t reached full cloud maturity. As the ‘cloud generation’ thinks differently about IT (did someone say digital transformation?), enterprises need a new way of assessing organizational security maturity that is more appropriate for the newest cloud security infrastructure.

Assessing Your Organization’s Cloud Security Needs

When I talk with prospects and customers, they have a solid and candid view about how ripe they are; larger organizations know how to assess their organization’s maturity based on different frameworks. It’s not a one-off exercise – they continuously monitor and reevaluate their maturity profile in order to be able to make the right decisions regarding cloud services and cloud security services.

I would like to suggest that we think about cloud maturity in a different way: we could compare this to an adult who is learning how to ski. Before you begin ski lessons, you need core muscles that are strong enough to control your movements, and the necessary equipment in the right sizes. Even once you start ski lessons, you’re not likely to ski all the way downhill on the very first try. You’ll spend some time getting used to the feel of the equipment and learning how to adjust your usual movements. In contrast, children who learn how to ski usually pick it up faster and can maneuver better than an adult beginner. It can be frustrating to the adult to see this happen!

For an organization, assessing their maturity profile is equivalent to discovering whether their body is healthy enough to ski. A person might do some exercises to test their fitness level, while an organization would test its maturity with a cloud maturity model. There are a number of different cloud maturity models – far more than we could possibly mention. Typically, cloud maturity models evaluate your organization against four, five or six levels of maturity.

Gartner uses an Enterprise Information Management Maturity Model that assesses five stages of maturity across seven key building blocks – vision, strategy, metrics, information governance, organization and roles, information life cycle and infrastructure.

The five stages of maturity are:

  1. Awareness of key issues
  2. Reacting to issues once they cause business loss
  3. Taking a proactive approach
  4. Actively managing information management
  5. Optimizing data usage throughout the enterprise

Maturity levels are not necessarily consistent across the organization. For example, customer-facing apps that need to be fast and powerful might have already reached level three or four, while older, business-facing apps which rarely need to leave maintenance mode remain at level one.

It’s easy to assume that only an organization that has reached a high level of cloud maturity is ready for an advanced cloud security system, but let’s delve a little more deeply into the possibilities.

Organizational Maturity Versus Cloud Security Maturity

Mature Organizations

The initial assumption is that a long-established organization would also be further along the pathway to cloud security maturity. However, this isn’t always the case. Instead of using popular cloud maturity milestones, organizations would do well to evaluate organizational maturity instead. That involves asking questions like:

  • How is information siloed in various departments?
  • How does information flow across the enterprise?
  • Have any apps already migrated? If so, which ones?
  • Are those apps that are cloud-based truly using the cloud in a dynamic way?

An organization that has been running for a long time could be plagued by silos, duplicate workflows and long-winded processes. Among the factors that can impede older enterprises are:

  • Awkward legacy environments
  • Inefficient inherited workflows
  • Deeply siloed business information
  • Complex architectures
  • Strange and divisive infrastructure

In this position, a supposedly mature enterprise isn’t ready for advanced cloud security systems. All too often, older enterprises find they are unsure about what is in their own ecosystem. To use our skiing analogy, they understood the theory and bought all the top-end ski equipment, but they aren’t in good enough physical shape. They need to improve visibility into their infrastructure before they can implement their desired cloud security solution.

‘Immature’ Organizations

The expectation is that a new organization is unlikely to be mature enough to use advanced cloud security systems. However, newer enterprises might be more ready than you think for advanced cloud security solutions, thanks to:

  • A more agile and streamlined environment
  • A lighter burden of inherited infrastructure
  • Much higher risk tolerance for testing new cloud services and structures, thanks to a lower investment in existing architecture and processes
  • A more unified environment that isn’t weakened by a patchwork of legacy items
  • Fewer existing silos
  • Greater visibility into a less complex environment

Just as a child can learn to ski faster than an adult, a ‘young’ organization may be able to reach cloud security maturity faster than an ‘older’ one. Children who learn how to ski have less fear of falling than adults, and when they do fall, the consequences aren’t likely to be as serious. In the same way, older organizations are more risk-averse, and have more to lose if they fail.

Choose the Right Cloud Security Services for Your Organizational Maturity

As we’ve seen, traditional assumptions about cloud security maturity may well cause organizations to follow the wrong path. It’s vital that organizations use the right maturity model when evaluating their cloud security readiness. Some newer organizations may be ready to implement advanced cloud security services, even though they are not fully cloud mature. Their agility could enable them to use cloud security services in new and very effective ways. Like children learning to ski, their fearlessness serves them well.

Other, apparently more mature organizations could be wholly unready for the most advanced cloud security solutions. They need to complete their cloud migration and digital transformation before making any drastic changes to their security systems. Like an unfit adult learning to ski for the first time, they need to increase their basic fitness level before striking out with something new.

All types of enterprises should remember that implementing cloud security solutions is not a binary decision. An enterprise could be mature enough to implement some advanced cloud security capabilities, but it will need to strive to reach the necessary security maturity so as to become better protected. No matter the age of the organization, cloud security services should be chosen to match its maturity and help it move towards greater maturity and security in the cloud.
