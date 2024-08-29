As more enterprises move to hybrid cloud environments, hybrid cloud security has become imperative to business growth. According to a 2021 study by the IBM Institute for Business Value (IBV), 80% of executives expected their organizations to operate more than 10 distinct clouds by 2023, up from eight in 2020. “The scale of most enterprise hybrid cloud deployments is so vast and penetrates so deeply that the need for an all-in security culture is absolute,” says Shue-Jane Thompson, managing partner at IBM Consulting. “And it should emphasize the business case for security.”

Security is fast becoming a conversation about empowerment versus just protection. The IBV study “Prosper in the cyber economy” found that 66% of business executives view cybersecurity primarily as a revenue enabler. This requires shifting from a defensive strategy, built on detection and response, to a mature security posture that emphasizes operational efficiency, financial performance and competitiveness. Instead of thinking about security as a traditional expenditure for your organization, approach it as something that can become a value proposition for partners and end customers.

Thompson points to companies that leverage security as a revenue source by charging a premium for highly secured services or products. “More and more, security is becoming a standalone procurement,” she says. “Customers are buying security as a program. They believe security is not just bought as a small portion of the system or the application they are building. They believe security must be managed and controlled across the total asset.”

Moving from a defensive stance to an offensive strategy starts with understanding trends in the security landscape. A wider adoption of hybrid cloud naturally presents important concerns due to the vast web of interconnectivity between public and private cloud platforms. Many cloud-based environments rely on Linux for their operations, and in 2022, IBM Security X-Force reported dramatic increases in Linux malware. Threat actors are also blending malware with legitimate traffic on cloud-based messaging and storage platforms and targeting Docker containers, which are often used in platform-as-a-service cloud solutions.

“The biggest challenge for security is the complexity, the scale and the velocity at which it needs to operate. Organizations need a heterogeneous security policy that they can also bring down to market level,” Thompson says. International organizations, for example, need security strategies that can satisfy the regulations of every country in which they operate, meet specific customer demands and stay ahead of business-specific threats, whether from broad DoS attacks or sophisticated, targeted phishing. The proliferation of hybrid cloud environments means organizations now have a larger attack surface. Cybercrime will continue to rise, and attacks on these environments are costly and tough to detect. According to IBM’s “Cost of a data breach 2022” report, it takes an average of 252 days for an organization to identify and contain a breach that occurred in a hybrid cloud environment, and the average cost is USD 3.8 million compared to USD 4.24 million for private cloud breaches and USD 5.02 million for breaches in public clouds.

Adding more controls or point solutions is not enough for organizations that want to tap the business benefits of a “security first” mindset. Organizations need orchestration, continuous threat management and resiliency. Two primary enablers: educated employees and sophisticated security solutions. Per data from a 2022 Verizon report (link resides outside ibm.com), as many as 8 in 10 security breaches are caused by human error. As Thompson says, “How will you be able to help humans make better decisions? That’s where the transformation in culture becomes important.” Here’s what these transformations can look like in organizations that want to embrace a security-first mindset as a business differentiator.