Defining A Modern Security Strategy For Your Organization
By Kazim Somji, Chief Technology Officer
March 2, 2021
Microsoft published some interesting ideas in its Azure cloud adoption framework strategy guidance. The focus was how to define a security strategy and, as we are talking about Azure, this naturally included cloud security. It was good to see, though, that the Microsoft advice is to follow an approach to security that embraces all forms of risk. There is no separation of ‘regular’ security and ‘cloud’ security.
When planning a comprehensive security strategy, your end objective is not just to deploy a cloud-based solution for your business. Moving to a cloud solution is not itself a security strategy – although it may help. Your cloud becomes an integral part of your operational reality, and therefore you need to focus on how to reduce the business risk of an attack on any of your data or information systems, wherever they are located.
The Microsoft document is fairly detailed and is a very good baseline for anyone defining a new security strategy, but I’d like to draw out a few of the specific elements that I think are worthy of extra attention. These include:
- Modernize your security strategy: as your organization adopts a cloud strategy, and then adapts how it is used over time, you will need to adjust your architecture, technology, and security. The aim of a modernization program is to remove some of the burden associated with legacy security and tools. As a result of legacy approaches to technology and security, the security team is often left out of the decision-making process when a new cloud is adopted. Often, an entire culture of bringing security to every part of the organization has to be adopted before any other meaningful change can take place.
- The right level of security friction: security creates friction – we all know this. Every user with a forgotten password knows that applying more and more security to the system can eventually make it difficult for authorized users to do anything productive. You need to build a strategy that makes life relatively easy for approved users while still retaining security.
- Standalone and integrated responsibilities: some security functions need to operate as dedicated and standalone, while some need to be tightly integrated into business departments. This will require expertise in different areas within the business, but it will almost certainly be transforming constantly and therefore needs a flexible approach.
In my next few articles, I will explore each of these topics in turn. As I mentioned, they are not the only areas you need to think about when defining a new security strategy, but in my opinion these three subjects are often the most overlooked. Careful consideration of topics such as security friction before you even start building out your security strategy can prevent expensive mistakes further down the road.
Computing in general is undergoing a major transformation at present. The adoption of cloud is similar to when companies started rolling out a computer on every desktop or installing their own servers inside the office. There will be a technological disruption, but the change also ripples throughout the organization. Long-established roles, responsibilities, skills, and relationships will all need to change.
Job descriptions and places inside the corporate hierarchy that mapped well into a traditional enterprise do not fit well once a cloud is adopted. The technology industry has been trying hard to normalize this new model, as this detailed plan from Microsoft describes. They are not just arguing that every company needs to buy an Azure solution; they are making it very clear that cloud adoption will change (and improve) how your organization functions.
Security teams are affected by this transformation of the business and the technology they need to support. This is why it is important to modernize your entire security strategy – to redefine how security will work in the new normal for your business.