SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Are cybersecurity investments wasted money?
Mon, 18th Apr 2016

No matter how much money we throw into cybersecurity, it seems to have little impact on reducing the damage of breaches and attacks. In fact, we are starting to see significantly diminishing returns when it comes to cybersecurity investment: despite security more than doubling its proportion of global IT spend in the past 3 years, the cost of security breaches has continued to grow at an exponential rate – hitting almost US$450 billion in 2015. In the words of VMware's CEO Pat Gelsinger, “the only thing outpacing security spend today is security losses.”

The reason is simple: for all the investment into cybersecurity, it remains largely an afterthought for both IT professionals and C-suite executives. Investments are executed in a knee-jerk fashion when a threat emerges or, worse still, only after it incurs major losses to the business. Even proactive measures are treated solely as point solutions for specific threats, rather than how they fit into broader IT infrastructure. And when it comes to strategic decisions around digital transformation, technologies like cloud and mobile rightly fill the agenda – but security implications typically get left to last, if at all.

Businesses need to entirely restructure security if they want their investments to protect them. They need to treat security as a layer on top of all other IT infrastructure, one that can readily adapt to growth in scale and complexity of systems. They need a software architecture that allows security innovations to be rapidly translated into policies on an enterprise-wide level.

Surprising as it may be, that architecture already exists. It's called virtualisation.

Virtualisation and the security layer

By de-coupling physical infrastructure from apps running on it, virtualisation made possible everything from cloud computing to virtual desktop infrastructure. Its ubiquity throughout enterprise IT – governing compute, storage, network, and clouds – makes it an ideal architecture on which to “grow” security policies that provide full enterprise coverage, not just piecemeal stop-gap fixes. When a new cloud or network is added to the enterprise, security policies automatically extend to it without the issues of compatibility or downtime associated with implementing point solutions.

At the same time, virtualisation allows IT to customise security at a granular level, using micro-segmentation to link security policies to specific types of workloads and automatically provision them in each specific instance. Network virtualisation, for example, can apply security rules whenever a VM spins up and remove them if the VM gets de-provisioned, keeping security coverage both rigorous and lean with minimal reliance on manual procedures.
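As an added illustration (not code from the article, nor from VMware or NSX), the following Python sketch models the tag-based micro-segmentation behaviour just described: policies are written against workload tiers, concrete allow rules are derived each time a workload is provisioned, and they are dropped again when it is de-provisioned, so no stale rule outlives its VM and anything not explicitly allowed is denied. Tier names, ports and workload names are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """A VM or container instance, tagged with the tier it belongs to."""
    name: str
    tier: str  # constructed sample tiers: "web", "app", "db"


@dataclass(frozen=True)
class Policy:
    """Tier-level intent: allow src_tier -> dst_tier on one TCP port."""
    src_tier: str
    dst_tier: str
    port: int


class Segmentation:
    """Derives per-instance allow rules from tier policies; default deny."""

    def __init__(self, policies):
        self.policies = list(policies)
        self.workloads = {}   # name -> Workload
        self.rules = set()    # (src_name, dst_name, port) tuples

    def provision(self, wl):
        """A VM spins up: register it and regenerate the rule set."""
        self.workloads[wl.name] = wl
        self._recompute()

    def deprovision(self, name):
        """A VM is torn down: its rules vanish with it, no manual cleanup."""
        self.workloads.pop(name, None)
        self._recompute()

    def _recompute(self):
        # Rebuilding from scratch guarantees no rule references a dead VM.
        self.rules = {
            (s.name, d.name, p.port)
            for p in self.policies
            for s in self.workloads.values() if s.tier == p.src_tier
            for d in self.workloads.values() if d.tier == p.dst_tier
            if s is not d
        }

    def allows(self, src, dst, port):
        """Default deny: only explicitly derived rules permit a flow."""
        return (src, dst, port) in self.rules

    def rules_for(self, name):
        """All rules mentioning a workload, useful for audit after teardown."""
        return {r for r in self.rules if name in r[:2]}
```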

But perhaps virtualisation's biggest boon for IT security professionals is that it operates hand in hand with all existing security products. Rather than necessitating an enterprise-wide replacement of all security applications with a single “master” platform, the virtualisation layer instead allows IT to govern them from a single point of control. More advanced network virtualisation layers like NSX even connect these security applications to one another to share critical security information – and drive faster responses – in real time.

Investment that “raises all boats”

So how can enterprises use virtualisation to make their security spend more effective? The first step is for IT and the C-suite to acknowledge that security must come at the start, not the end, of decision-making processes. Both parties should work together to come up with a plan for how security will meet fast, complex infrastructure growth in a sustainable way – a plan which will inevitably involve virtualisation architecture.

Finally, IT should explore how best to use both new and existing virtualisation platforms to “raise all boats” with performance benefits to all existing applications in their security portfolio. Ideally, virtualisation will connect individual security applications to one another, seamlessly integrate with new innovations when introduced, and automate policies whenever new endpoints or assets come online, reducing the likelihood of vulnerabilities emerging as networks and clouds grow. As IT moves to adopt newer forms of virtualisation – like network virtualisation and even cloud virtualisation – implementation teams should begin to define security at the virtual layer rather than physical device or application levels.

Businesses literally cannot afford to be throwing money away on cybersecurity. The costs of an ineffective security policy are only growing; the risks of breaches already threaten to cripple basic operations and profitability. Virtualisation may be an unlikely candidate as a whole-of-enterprise security architecture, but its ability to span, scale, and automate complex infrastructure is by no means untested: just look at today's enterprise networks and the cloud.