There's a shift in the balance of power when it comes to who can pull the trigger on decisions surrounding cloud applications, security experts agree.
As organizations turn to more cloud application solutions, line-of-business decision makers see the opportunity to improve their efficiency and capabilities and run with it. That push has resulted in a rapid rise in the amount of unsanctioned technology ordered by an organization’s "shadow IT," as chief marketing officers or other line-of-business executives have become empowered to make purchasing decisions without involving IT or the security team.
According to a recent study by NTT Communications, 78 percent of line-of-business decision makers said they use cloud services without the knowledge of their IT departments, or use unsanctioned technology. Most of that group, 62 percent, said "ease of use" is their primary reason for going around IT.
That approach marks a vast departure from when security experts were seen as the "Department of No," said JD Sherry, vice president of strategy and innovation at Denver-based Optiv Security. But the pendulum is beginning to swing again, he said, as security teams -- and chief information security officers -- are once again being invited to the table when it comes to making purchasing decisions and implanting cloud applications.
Rick Caccia, chief marketing officer at Exabeam, a security solutions provider based in San Mateo, Calif., said he also sees that shift happening.
"Where the business might have once adopted cloud services on its own," Caccia said, "today, CISOs typically offer and support cloud services to the business. CISOs understand the need to secure these services because they aren’t going away. Today, CISOs drive the conversation as much as business leaders."
Jason Ellis, global vice president of cloud for Symantec, Mountain View, Calif., said he's seeing line-of-business executives embrace conversations about compliance, auditing, privacy, management and governance in a way they never had before. That's exciting, he said, because it means security is sitting at the core of more decisions across the business.
"Regardless of the industry the organization is in, security is nonnegotiable these days," Ellis said. "Security is high on the C-level agenda and is in the driver's seat."
Sherry said there's a growing recognition on both sides that they need to work together, as security threats are being taken much more seriously at businesses of all sizes. Having a strategy in place on cloud security in particular helps align the two sides into a single point of view, he said.
"The CISO has to be empowered with the right cloud security strategy to look at the CIO and CMO, which are the two largest consumers of SaaS applications and Infrastructure-as-a-Service, to say, 'This is important to our business around ability and cost reduction, but you can't sacrifice security when you do it,' " Sherry said.