Most times the truly interesting things I hear are from the mouths (and keystrokes) of our customers. Last week, while I was talking with a client about their move to the cloud, which they called the “cloudpocolypse,” there was a large aside about the overall roadmap they saw for the cloud. It wasn’t that what they said was unique. I’ve heard many others say the same things before. But few have such clarity. I wrote down what they said (and asked permission to use it on condition of anonymity):
“Everything that’s IT-powered but business focused is going to move to the cloud. The business doesn’t care who takes care of all the janitor stuff, only that they get results. Those cloud vendors are best positioned to give them those results. But no one in the cloud understands our people or our policies. That’s why the last thing standing in my datacenter will be AD. And I don’t see any way for them to move it while we still hand out logins and laptops.” – wise enterprise architect
This is a very dense set of ideas and I’ve been reflecting on it ever since.
He labels the whole movement the “cloudpocolypse” because it’s going to play havoc with his ability to budget. As the business sees less and less coming out of IT when they are doing their day-to-day work, they begin to question what IT is doing at all. Somehow it’s easy for them to miss the hardware they click on to get to those cloud apps, the networks that connect them to the cloud, and the frictionless security protecting them as they work. That last one is designed to be easy to miss, but you’d think they would take note of the keyboards their fingers hit. Certainly they notice when the network goes down.
What all these things have in common is that they are made up in very large part of security. IT isn’t customizing laptops today. The hardware tends to be plug and play. Most helpdesk folks will sooner ship you a new machine than spend cycles on broken hardware. Much of the time and effort in connecting you to the cloud is in doing it securely. Almost all the effort in keeping your hardware going is patching, locking down, and getting it to keep your communications and data secure.
These are all services that IT runs to secure your endpoints and your identities. Identity is the new perimeter for nearly all security. Who you sign in as and how you authenticate is vastly more important than where you are typing and what network you are on. (For those thinking “But what about fingerprinting and NAC?” please remember that these are useless without identity to dictate what policy to apply because of who you are.) More and more, security is not a part of IT, but is the main focus of it.
What the Last Server Standing Will Do
This representative quote talks about the need to protect “laptops and logins.” This tracks very well with what we see afoot in the security market today. Some of the fastest growing segments of the high-paced security market are endpoint security and securing privileged identities. Malware makers get more and more creative every day. We’ve moved from simple viruses to botnets to evasive malware and ransomware. All of these are after your data. And most of them are trying to use your identity to steal that data. Handling identity securely is about more than malware, though. So much hinges on authentication and authorization today – not the least of which is access to all those resources moving to the cloud.
The last servers standing in your control (even if they also move to a hosted model of some kind) will be the systems you build to ensure the integrity of your identities and endpoints. Contracts will be the main vehicle to ensure your SaaS and even PaaS providers are giving you what your organization needs. However, the specifics of who should be able to access what, according to the will of your board and executives, are policy details so complex and unique to every organization that they will always be managed in-house. I’ve spoken with many organizations that see their security policies as competitive advantages. They say that the right policies make the difference between an organization you can both trust and rely on (trust to handle your data securely and rely on to do it efficiently) and one you cannot.
The Leader is the One Who Says Yes
It’s a security marketing meme at this point. They say to shift from being the “department of no” to saying yes to things. And that is important. But that’s not the yes I mean. One consequence of security of endpoints and identities being the final state of well-governed IT is that the people who do that are going to be rocketed to leadership roles.
While most IT leadership teams have always had operations and infrastructure in the lead and security as a role in the “also ran” category (when it was included at all), the future is shaping up to be security led.
While the traditional IT groups are getting gutted by the cloud, which the board and execs see as a cost panacea, security is in a position to get a windfall. The number one concern about cloud remains security. If you can find a way to enable the organization’s “yes” to cloud by supplying the security solutions that make it seem safe, then you have just stepped forward while everyone else stepped back.
You can see great examples of how some security folks got thrust into leadership roles on our panel from Gartner’s Security & Risk Management Summit. If you don’t have the hour right now, the tl;dr is the folks who showed leadership in security suddenly found themselves favorites of the board for guidance on how to move everything forward since security was such a big concern. Some of them were aware that’s what they were up to and others weren’t. The wise enterprise architect from the quote above is one who is. He’s playing the long game to become a big wheel in his organization. It will be interesting to watch how security leaders, many of whom I bet aren’t thinking about anything like leadership, will react as they suddenly are thrust into center stage. What’s for sure is that the nexus of forces moving IT today will put them in the spotlight. Ready or not.