Solution Providers Smell Opportunity Amid Power Shift In Cloud App Purchasing Decisions

There's a shift in the balance of power when it comes to who can pull the trigger on decisions surrounding cloud applications, security experts agree.

As organizations turn to more cloud application solutions, line-of-business decision makers see the opportunity to improve their efficiency and capabilities and run with it. That push has resulted in a rapid rise in the amount of unsanctioned technology ordered by an organization’s "shadow IT," as chief marketing officers or other line-of-business executives have become empowered to make purchasing decisions without involving IT or the security team.

According to a recent study by NTT Communications, 78 percent of line-of-business decision makers said they use cloud services without the knowledge of their IT departments, or use unsanctioned technology. Most of that group, 62 percent, said "ease of use" is their primary reason for going around IT.

That approach marks a vast departure from when security experts were seen as the "Department of No," said JD Sherry, vice president of strategy and innovation at Denver-based Optiv Security. But the pendulum is beginning to swing again, he said, as security teams -- and chief information security officers -- are once again being invited to the table when it comes to making purchasing decisions and implementing cloud applications.

Rick Caccia, chief marketing officer at Exabeam, a security solutions provider based in San Mateo, Calif., said he also sees that shift happening.

"Where the business might have once adopted cloud services on its own," Caccia said, "today, CISOs typically offer and support cloud services to the business. CISOs understand the need to secure these services because they aren’t going away. Today, CISOs drive the conversation as much as business leaders."

Jason Ellis, global vice president of cloud for Symantec, Mountain View, Calif., said he's seeing line-of-business executives embrace conversations about compliance, auditing, privacy, management and governance in a way they never had before. That's exciting, he said, because it means security is sitting at the core of more decisions across the business.

"Regardless of the industry the organization is in, security is nonnegotiable these days," Ellis said. "Security is high on the C-level agenda and is in the driver's seat."

Sherry said there's a growing recognition on both sides that they need to work together, as security threats are being taken much more seriously at businesses of all sizes. Having a strategy in place on cloud security in particular helps align the two sides into a single point of view, he said.

"The CISO has to be empowered with the right cloud security strategy to look at the CIO and CMO, which are the two largest consumers of SaaS applications and Infrastructure-as-a-Service, to say, 'This is important to our business around ability and cost reduction, but you can't sacrifice security when you do it,' " Sherry said.

Helping define that strategy and balance in the organization between IT and line-of-business executives is an area ripe with opportunity for partners, Sherry said. Partners can play a key role in helping customers define their cloud security strategies, he said, creating a balance that safely enables cloud applications.

Sherry said Optiv -- No. 25 on CRN’s Solution Provider 500 list -- plans to launch an entirely new solution around that area this summer, called the SaaS Security Blueprint, which will advise clients on consuming cloud services and how they need to plan from a security perspective.

"I think you're seeing our conversations around this space really benefiting the CISO," Sherry said. "We can work with them to define the strategy."

The process of building that strategy is twofold, according to Julian Martin, vice president of product marketing for London-based solution provider Mimecast. He said partners have to help remind CISOs of the security concerns around shadow IT, and help educate boards of directors on the importance of layering the additional cost of security on top of cloud applications.

"Cloud adoption with prevention, reporting, analytics -- call it what you want -- involves many departments across the business as it effectively changes the way you work. The role of both the partner and the vendor has to be in informing and reporting at all levels -- IT and beyond," Martin said.

Having that type of conversation gives partners an opportunity to establish themselves as trusted advisers, leading to more value-added services with greater margins, Exabeam's Caccia said. For example, he said, a partner could create a multivendor cloud solution and wrap security assessments, planning and implementation services around that solution.

"The partners need to do this to survive; it’s too difficult to stand out on margins alone," Caccia said. "Therefore, many partners are placing bets on specific vendors to better tie the solutions together and to tie them to value-added services."

That shift in balance between the CISO and lines of business is indeed being forced by the growing adoption of cloud applications, which have already largely penetrated enterprise organizations, according to Doug Cahill, senior analyst for cybersecurity at Milford, Mass.-based Enterprise Strategy Group.

"The cloud is already in use," Cahill said. "The pragmatic CISO will embrace the role of an enabler and will partner with their lines of business on the secure use of those cloud applications, which is in contrast [with what happened in the past] of simply employing a draconian policy of no cloud applications or 'only this' cloud application."

That's a trickier balance for businesses to achieve in the cloud than on-premise, Cahill said, as the cloud enables the CMO and other executives to implement applications without consulting the IT department. That makes the lines of business more agile, he said, but also demands more collaboration for security to remain part of the conversation.

"There needs to be a higher level of collaboration around cloud applications than that around traditional or on-premise applications," Cahill said. Cloud access security brokerage (CASB) solutions are also a good tool to help CISOs manage cloud application security, he said, as well as demonstrate appropriate workflows and risk ratings to line-of-business executives.

It's a shift that will only accelerate in the years to come, the NTT Communications study found, with 87 percent of respondents saying they think the use of technology coming from lines of business will increase over the next two years. The reason for that, respondents said, is that the data involved and efficiencies created are critical to their functionality in the business. That trend further highlights the need for the security and line-of-business teams to work together, Len Padilla, vice president of product strategy for NTT Europe, said in a statement about the study's results.

"With today's vast technological landscape, it is impossible for one department to understand the technological needs of every department in the enterprise," Padilla said. "By forging a relationship with business managers, IT can view shadow IT as an opportunity to work together instead of playing a tug-of-war game over applications."

The good news for the security department when trying to shift the balance in its favor is that security awareness across the board is at an all-time high, according to Thom Bailey, senior director of product marketing at Abingdon, England-based Sophos. That has led to security being "baked into" more applications, as well as driving more productive conversations around cloud application security within business, he said.

"I think the market as a whole is becoming a lot savvier to security in general," Bailey said. "The proliferation of cloud means the number of attack surfaces has gone up. It's not just good enough to put in place your standard antivirus, anti-malware and firewall."

Rather, Bailey said, "you have to build an entire culture around security."

Follow all of CRN's Cloud Security Week 2016 coverage.