Click here to close now.


@CloudExpo Authors: Steve Watts, Elizabeth White, Pat Romanski, Liz McMillan, Flint Brenton

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Cloud Security, @BigDataExpo, SDN Journal

@CloudExpo: Article

Seven Causes of IT Security Paralysis & Cloud-Based Cures

From cost to complexity to covered to complacency; the excuses no longer hold up

Over and over again I am confronted with disturbing statistics on how risk is growing in disproportion to security readiness.

-91% of companies have experienced at least one IT security event from an external source.
-90% of all cyber crime costs are those caused by web attacks, malicious code and malicious insiders.
-40% reported rogue cloud issues (shadow IT) experienced the exposure of confidential information as a result
-34% share passwords with their co-workers for applications like FedEx, Twitter, Staples, LinkedIn.

These are real stats from studies by like Gartner, Forrester, Ponemon, Kaspersky, Eschelon and others. But there’s one stat that really curls my hair (what little of it is left).

  • Due to complexity, over 70% of organizations still not adequately securing critical systems.

Wow. It’s a staggering number. But it got me to thinking why. What is causing this universal security paralysis? Now I’m not proclaiming securipocolypse, but knowing what we now about the realities and fragility of an IT environment, I am a bit taken aback at the size of the issue.

I’ve broken it down into seven “excuses.” But rather than bemoaning the problem, I want to  rebut those excuses by promoting cloud-based answers.

  1. It’s expensive
  2. It’s time consuming
  3. It’s resource heavy
  4. There’s perceived imbalance in the risk/reward quotient
  5. We’ve got it covered
  6. We haven’t been attacked/complacency
  7. Expertise difficult to retain

Cost: There is no doubt many companies think that a fully integrated security program is going to force it to open its wallet. It is predominantly this reason alone that so many companies  ”get by” with what they have—be it malware or firewall protection, an email sniffer, or based on compliance requirements, whatever is the smallest investment to  get the alphabet soup of agencies off their back.

How cloud security overcomes the obstacle. It’s simple, really. More bang for the buck.  Using the ability to apply operation expenses over capital ones is a significant savings in itself. No expensive servers to buy, no software to maintain and watch depreciate, etc… More importantly is the realization that a company can incorporate a fully capable enterprise juggernaut for pennies on the dollar they would otherwise spend to manage on-premises. Most of us are already aware of the justifying benefits that cloud-based applications provide. I’ve gone on record before stating that for the amount a mid-size company currently pays in support and maintenance for their on-premise initiative, they can easily deploy a robust, fully integrated, fully-capable suite of enterprise-class security solutions from the cloud. The stumbling block here is the proof that such a deployment can adequately meet the specific needs of the unique company.  However by applying the 80/20 rule, by covering 80 percent of a company’s needs, it is more than likely well ahead of anything they are currently doing. Now on top of all that is all the professional services and consulting costs that ostensibly go away, or at least are tremendously reduced when managing from the cloud.

Time: There’s just never enough of it. Every IT pro I talk to wears many hats. They are installers, monitors, coders, patchers, reporters, developers, and a hundred other chapeau descriptors. And security in the modern enterprise needs to be a fully dedicated concern. Sure there are some companies that can afford this, but most can’t…it’s just another line of job description.

How cloud security overcomes the obstacle. Being proactive takes time. By applying security as a service, you remove any additional headcount. You can take the time that was dedicated to certain security functions and reprioritize them for core business functions. Also the fact that so many of the cloud security functions are automated—from self-service password management to HIPAA/PCI compliance reporting to role-based provisioning to correlated alert escalation— give rise to a surplus of  available resources.

Resources. In many companies this is the premium currency. And, in many companies resources are spread devastatingly thin. Whether we are talking human resources, financial resources, spatial resources, application/functional resources or knowledge resources, the ability to weigh and deploy the right amount of assets towards an issue, directly effects its successful management. In every company resources are finite and typically require hard decisions where best to position assets to ensure the smooth running of an enterprise. This is especially true when applied to security.

How cloud security overcomes the obstacle. Security managed from the cloud relieves a great deal of the resource overload. It provides the additional capabilities at a lesser cost. With this expanded functionality and potential, one can create greater awareness and better visibility across a larger scope of information. So not only are you expending less resources to secure many aspects of your enterprise, but it’s  ability to divine things faster and clearer provides a unique advantage to control a greater  scope of the IT environment. By leveraging and unifying these resources, you now know things that would have remained invisible. Therefore you gain the ability to make better decisions faster—giving you the ability to best marshal resources (minimizing costs and maximizing efficiencies) where they need to be.

Risk/Reward Imbalance. The expense of security does not necessarily pay for itself. It’s a cost center, right? But security must be perceived as more than a purchase of some software and the manpower to run reports. There are other factors to consider. The balance sheet doesn’t show the lost business because of lack of trust or poor security reputation. It doesn’t show the savings as it prevents proprietary secrets like sales databases walking away to the competition when an angry employee can gain access weeks after termination. It doesn’t show the fines and lost time when compliance isn’t met. But the big question is not that you apply a security measure or not. That point is moot, you simply have to. However the question CSOs and CIOs struggle with is how much? Where is the tipping point between peace of mind and overkill?

How cloud security overcomes the obstacle. The biggest reason for the risk-reward imbalance is typically the reasons noted already. It’s costly, it takes a certain percentage of manpower, and it’s complex. But if cloud-based security capabilities remove those obstacles, the balance starts tipping more heavily toward reward. If an organization can deploy a fully-integrated, unified security platform for what it is paying now for its current bits and pieces, AND have it properly monitored and analyzed without adding headcount, AND have it deployed to the company’s unique specifications and scale, then the conversation becomes about performance rather than scope; then the TCO drops and the ROI begins to climb.

Covered: Log management, by itself, won’t cut it. Neither will just web access control or firewall protection. In some cases, it may bring you up to the letter of the law with regard to compliance, but if security is like a house, the door is locked but all the windows are open. If you’re of the 30% who truly are properly secured, then stop reading. But if you are most companies, you really don’t have it covered. The excuse is simply code for I have other fires to put out, and it isn’t a large enough issue for me to raise it up on the priority scale. I should know, I use it as a default setting for most sales calls.

How cloud security overcomes the obstacle. Quick answer is a unified security deployment from the cloud allows you to fill in the gaps of where you currently are lacking. Not consistently monitoring? Check. Not controlling access to certain applications. Check. Not analyzing data and creating escalation alerts in real time? Check. It doesn’t have to be a replacement strategy—get rid of all the investment and hard work you’ve put into a certain systems, solutions, processes and tools. The beauty of the cloud is you can pick and choose the pieces you need easily and have them leverage any existing program. It is scalable, flexible and manageable.

Not attacked: Do you know that for sure? If you are not checking for termites, doesn’t mean your house isn’t infested. Those who think their organizations are too small or too unimportant for hackers to care are only seeing part of the picture. It’s common understanding that it is not an issue of ‘if” anymore, but a measure of “when.” an IT security event will occur. Still not convinced? Hackers are banking on this thought process to use these systems as stepping stones for larger fish. If your system is open and you connect to larger payment systems or applications, you are open to danger. Second, not every danger is some barbarian at the gate. Sometimes the threats (or carelessness) come from within. Again, check the stats. 91%. If you are part of the 9% who hasn’t been touched by an IT security event, I want to know what you’re doing right!

How cloud security overcomes the obstacle. Simply apply one of the free trials of any of the cloud-based SIEM solutions out there that monitor in real time and you will have your eyes opened into how much activity is pinging your system every day. I am fond of telling the story of a significant retailer who had thought they had a pretty good handle on what was going on in their environment. After our SIEM system had been monitoring intrusions and the like for just over a month, the results were starkly different than the client anticipated. It was more than triple the amount of negative activity they thought.

Lack of expertise: Finding the right person to deploy and manage a top notch security program is tough. Stats say (MSP Alliance) that unemployment for pros with these skills is less than 1%. And once you find them, they are expensive to recruit and keep. In fact their salaries have doubled over the past three years.

How cloud security overcomes the obstacle. Security as a service builds in the expertise required to monitor, analyze, and manage a strong security presence. Through this version of outsourcing, you not only save on the hard costs of salary, but the soft costs of training, ramp up, benefits, vacations, etc. Yet  more than the costs, is the propagation of continuous tribal knowledge of orchestrating, manipulating,  analyzing the vast amount of inbound data, and applying the right actions quickly and decisively to keep the IT landscape operating smoothly, in the confines of compliance and strategically viable. In the end, this is one of the most valuable assets cloud security offers.

There’s no longer an excuse to be part of that 70%!


Kevin Nikkhoo

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@CloudExpo Stories
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound...
In today's enterprise, digital transformation represents organizational change even more so than technology change, as customer preferences and behavior drive end-to-end transformation across lines of business as well as IT. To capitalize on the ubiquitous disruption driving this transformation, companies must be able to innovate at an increasingly rapid pace. Traditional approaches for driving innovation are now woefully inadequate for keeping up with the breadth of disruption and change facin...
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, San...
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true ...
In his General Session at DevOps Summit, Asaf Yigal, Co-Founder & VP of Product at, explored the value of Kibana 4 for log analysis and provided a hands-on tutorial on how to set up Kibana 4 and get the most out of Apache log files. He examined three use cases: IT operations, business intelligence, and security and compliance. Asaf Yigal is co-founder and VP of Product at log analytics software company In the past, he was co-founder of social-trading platform Currensee, which...
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem"...
Culture is the most important ingredient of DevOps. The challenge for most organizations is defining and communicating a vision of beneficial DevOps culture for their organizations, and then facilitating the changes needed to achieve that. Often this comes down to an ability to provide true leadership. As a CIO, are your direct reports IT managers or are they IT leaders? The hard truth is that many IT managers have risen through the ranks based on their technical skills, not their leadership ab...
I recently attended and was a speaker at the 4th International Internet of @ThingsExpo at the Santa Clara Convention Center. I also had the opportunity to attend this event last year and I wrote a blog from that show talking about how the “Enterprise Impact of IoT” was a key theme of last year’s show. I was curious to see if the same theme would still resonate 365 days later and what, if any, changes I would see in the content presented.
Apps and devices shouldn't stop working when there's limited or no network connectivity. Learn how to bring data stored in a cloud database to the edge of the network (and back again) whenever an Internet connection is available. In his session at 17th Cloud Expo, Ben Perlmutter, a Sales Engineer with IBM Cloudant, demonstrated techniques for replicating cloud databases with devices in order to build offline-first mobile or Internet of Things (IoT) apps that can provide a better, faster user e...
In recent years, at least 40% of companies using cloud applications have experienced data loss. One of the best prevention against cloud data loss is backing up your cloud data. In his General Session at 17th Cloud Expo, Sam McIntyre, Partner Enablement Specialist at eFolder, presented how organizations can use eFolder Cloudfinder to automate backups of cloud application data. He also demonstrated how easy it is to search and restore cloud application data using Cloudfinder.
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York and Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty ...
Internet of @ThingsExpo, taking place June 7-9, 2016 at Javits Center, New York City and Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 18th International @CloudExpo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world and ThingsExpo New York Call for Papers is now open.
Cloud computing delivers on-demand resources that provide businesses with flexibility and cost-savings. The challenge in moving workloads to the cloud has been the cost and complexity of ensuring the initial and ongoing security and regulatory (PCI, HIPAA, FFIEC) compliance across private and public clouds. Manual security compliance is slow, prone to human error, and represents over 50% of the cost of managing cloud applications. Determining how to automate cloud security compliance is critical...
As organizations shift towards IT-as-a-service models, the need for managing & protecting data residing across physical, virtual, and now cloud environments grows with it. CommVault can ensure protection & E-Discovery of your data - whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise.
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
Today air travel is a minefield of delays, hassles and customer disappointment. Airlines struggle to revitalize the experience. GE and M2Mi will demonstrate practical examples of how IoT solutions are helping airlines bring back personalization, reduce trip time and improve reliability. In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect with GE, and Dr. Sarah Cooper, M2Mi’s VP Business Development and Engineering, explored the IoT cloud-based platform technologies driving t...
There are over 120 breakout sessions in all, with Keynotes, General Sessions, and Power Panels adding to three days of incredibly rich presentations and content. Join @ThingsExpo conference chair Roger Strukhoff (@IoT2040), June 7-9, 2016 in New York City, for three days of intense 'Internet of Things' discussion and focus, including Big Data's indespensable role in IoT, Smart Grids and Industrial Internet of Things, Wearables and Consumer IoT, as well as (new) IoT's use in Vertical Markets.
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data...
We all know that data growth is exploding and storage budgets are shrinking. Instead of showing you charts on about how much data there is, in his General Session at 17th Cloud Expo, Scott Cleland, Senior Director of Product Marketing at HGST, showed how to capture all of your data in one place. After you have your data under control, you can then analyze it in one place, saving time and resources.
SYS-CON Events announced today that Alert Logic, Inc., the leading provider of Security-as-a-Service solutions for the cloud, will exhibit at SYS-CON's 18th International Cloud Expo®, which will take place on June 7-9, 2016, at the Javits Center in New York City, NY. Alert Logic, Inc., provides Security-as-a-Service for on-premises, cloud, and hybrid infrastructures, delivering deep security insight and continuous protection for customers at a lower cost than traditional security solutions. Ful...