Security is often thought of as an insurance policy—something you get to manage risk. What’s less talked about is the ways our security choices can actually enable business and expand what’s possible within organizations. Security can be a tool for resiliency and innovation.
Learning to maximize the value security can deliver typically comes from a couple of key sources. The first is looking inside your own organization and partnering with other leaders to understand both the business needs and workflows.
Interviewing leaders across business units to understand their needs is a powerful first step. The knowledge you gain enables more informed decisions and helps you implement security technologies that support, and even accelerate, success. The other source of learning comes from educating yourself on challenges outside of your organization, specifically focusing on entities that have been victims of attacks.
As security professionals, we must take the hard lessons others have faced and put them to use for ourselves. Looking at how others’ incidents are handled gives you the opportunity to reflect—continually examining and re-examining your security strategies—informed by history rather than theory.
Beyond security “insurance” to business enablement
Business leaders who take the old “security-as-insurance-policy” approach mostly view their cybersecurity as an expense line item and a cost of doing business. The reality, though, is that security investments can also be an important cost avoidance method for organizations, protecting the value of the business.
It’s hard to provide a true dollar accounting for the value of a specific cybersecurity investment in advance—if I buy X tool it will save me Y amount of money. However, leaders need to think about their security in ways that go beyond the purchase cost.
This involves not only looking at what an organization stands to lose if it is breached because it is unsecured, but also considering what soft costs the organization saves—associated with everything from deployment to ongoing management or usage—if it makes sound choices. Some modern cybersecurity solutions enable organizations in ways that go beyond business continuity. One of those is SASE.
SASE isn’t just about security
Fundamentally, SASE provides two core things: connectivity enablement and security. On the connectivity enablement side, the deployment of SASE provides ways of working remotely in a highly resilient manner. On the security side, SASE provides integrated security deeply embedded into the same technologies that provide the connectivity and enablement capabilities. So SASE isn’t just about giving business users security tools; it’s about creating new opportunities to work securely.
At Jefferies, for example, our traders had been using a trading turret system in our offices, which for the longest time had been a very physical thing. In the past, a turret system was always a big, bulky device that would sit on a desk at a trader’s workstation. However, by using SASE in conjunction with technology from the turret vendor, we were able to devise a software-based version that our traders could use remotely, outside of the office.
Today we have a touch tablet that sits in our traders’ home offices next to their main laptop, connected via a SASE architecture using Prisma Access from Palo Alto Networks. This new approach has enabled our IT team to support traders working remotely, without requiring massive amounts of hardware to be installed and deployed to every single user. It’s been a great example of how security—and SASE specifically—can enable the business to do something that was never possible before.
Beyond supporting traders working at home, SASE also helps to enable our branch offices. Previously, our company had a hub-and-spoke model for network connectivity where branch offices were backhauling traffic out to the closest regional data center. As a result, critical SaaS applications such as email, which is purely on Office 365, and everything else were going to the data center to access the internet.
If there was ever an issue with the data center or somewhere in between the branch and the data center, that could have meant real trouble. Not to mention the fact that application performance from the branch was often degraded. With a SASE model, our branches access applications in the cloud directly, while still being fully secured.
Not only that, but by moving our branches to SASE we have been able to improve internet resiliency and remove the dependencies that created a central choke point: our data centers. In doing so, we also decreased latency for SaaS-based applications and internet connectivity. It’s been a great win for us.
How to pitch SASE to the business
Getting your organization to buy into SASE and invest isn’t about pitching the term or detailing the technology behind SASE. On the contrary, that’s a path that will lead to blank stares, more likely than not. It’s also not about doom and gloom, telling leadership that something must be done to protect the organization. That approach may work to a certain extent, but it really plays into the old insurance policy mindset.
Instead, educate your leadership on the things that are going to benefit them: explain it in a way that doesn’t even talk about security. Focus your conversations with leaders and end users on the things that they really care about, which is the ability to get their jobs done. Few people care about security the way that security engineers do—so we need to explain it to them in ways that highlight how it will help them be more productive.
It goes without question that SASE has helped our business to be more resilient, and more successful. In times of natural disasters like a hurricane or human health challenges like the pandemic, SASE technology has helped to enable our security, remote connectivity, and business continuity. And that’s a lot of value to derive from making the right security decisions.
Josh Dye is Sr. Vice President of Information Security at Jefferies Group.