This post originally appeared on LinkedIn.
While the best-managed crises are undoubtedly the avoided ones, there are some that plunge businesses and countries into turmoil en masse. The current global pandemic reminds me of the expression that you should “never waste a good crisis.”
Indeed, the current crisis is driving change. Early in the pandemic, Fortune surveyed Fortune 500 CEOs, and three-quarters said COVID-19 would be accelerating their company’s technological transformation.
If such dramatic enterprise transformation is to happen, it will be Chief Information Security Officers (CISOs) who lead it. This crisis represents an opportunity CISOs to build on transformation momentum—but only if they leave behind old-world thinking. CISOs and their security teams must stop trying to mold legacy networks and security models to fit an evolving business world, and instead recognize security as an engine to drive strategy.
Before the crisis
As infrastructure and applications have “decentralized” to the cloud, progressive IT organizations have begun retiring outdated, vulnerable, perimeter-based legacy “castle-and-moat” security architectures that aimed to protect on-premises data from outside threats. At the same time, they are sunsetting similarly archaic “hub-and-spoke” network models that backhaul corporate traffic through the data center. The vision: A cloud-based services model, with direct connectivity to applications and internal resources.
The current crisis has become a litmus test of cloud-migration commitment: Enterprises well on their way to embracing network and security transformation fared better than ones that had put off major network and infrastructure overhauls.
Crisis is a disruptor
The etymology of the word “crisis” includes the notions of “judgment” (perception of risk, its imminence, and related impact) and “decision” (reactions to and strategies for embracing change). Judge what risks are faced, then decide what actions to take. Crisis “pain” stems from an inability to take the actions needed based on those judgements and decisions.
Crisis management is an essential component of business strategy. Over the last decade, with the overwhelming shift of business to online models, the focus of crisis management has been around IT security rather than physical implications. The unprecedented COVID-19 health crisis happened as many companies were on their way to enacting new security and network architectures. How much pain the crisis caused each business often depended on the maturity of their transformation process.
Currently, many workforces can’t get back into the office. These same workforces need to perform vital company functions—wherever they sit. How do you securely connect remote workforces to cloud-based and on-premises resources?
In the legacy, secure-the-perimeter world, VPNs would be the only option. But VPNs can’t easily (or affordably) scale to accommodate dramatic traffic volume growth. Worse, VPNs also pose higher security risks: How do you secure the perimeter of a corporate network that now encompasses the entire internet? Connecting users to the corporate network from unmanaged endpoints exposes network access paths, allows unmanaged east/west traffic communication across the network, requires complex policy definition, limits comprehensive monitoring, provides bad user experiences, and creates architecture headaches.
In the modern world, where data does not always (or even often) reside in the data center, backhauling internet traffic through the corporate network then back out to the cloud no longer makes sense. It’s inefficient and expensive. Traffic should take the path of least resistance, go direct-to-cloud, and provide a fast and seamless experience.
As such, the pandemic caused more “crisis pain” for companies clinging to legacy security and network architectures than it did for companies that were well down the path of their digital transformation journey. Using our crisis etymology, digitally transformed companies could make judgments about crises' business ramifications and then agilely decide on responses. They could enable work-from-anywhere experiences with little to no impact to work efficiency. Other, less-mature companies struggled. To enable remote access, they were forced to improvise, then pivot to (what were for them) new network and security architectures—changes that came with high costs and impacts to productivity.
Don’t get disrupted by crisis
Cloud services have become so integral to business strategy, operations, and productivity that their effective enterprise use influences business performance and earning power. The pandemic has shown that companies must react quickly to dramatic change. And companies that leverage the cloud are more agile than organizations that don’t.
We can’t easily predict the future. Is company-wide telecommuting here to stay? Are brick-and-mortar offices on the way out? Maybe, maybe not. But the future will look different: telecommuting (in whatever form) isn’t going away, and CISOs must prepare for “work from anywhere” in future business strategies. Should CISOs seek to make incremental improvements to legacy systems so that they continue to limp along? Or should they embrace new business models that enable network transformation? (Hint: It’s the latter.)
Change can be hard. But now is the right time to rethink network infrastructure. For some, “digital transformation” may have just been a buzz phrase before the pandemic. But now it’s a mission, and a path forward to enterprise agility. Network and security architectures must have the flexibility to address company-wide change—and address it quickly—for enterprises to remain functional. And that means decentralization of network resources, and migration to the cloud.
Secure Access Service Edge (SASE) and Zero-Trust Network Access (ZTNA) represent the future of enterprise architectural agility and resilience. I work for a company that helps companies use the new cloud-driven model as it was intended: as a decentralized infrastructure that engenders growth and productivity. The pandemic has challenged everyone, but we cannot “let it go to waste.” In response to the current crisis, today’s CISOs must learn from it and pivot to transformation. Otherwise, they will fall further behind, and be even less prepared the next time a difficult situation arises.
Will your enterprise disrupt or be disrupted by the next crisis?