Form factor wars: Cloud-based or on-premises security technologies?

While most organizations are willing to consider cloud-based or on-premises security solutions, nearly one-third still demand the control associated with on-premises.

Form factor wars: Cloud-based or on-premises security technologies?
Ismagilov / Getty Images

Cybersecurity professionals are paid to be paranoid and tend to want to control everything they can to minimize surprises or third-party dependencies. This has always been the case with regards to security technology. Historically, CISOs mistrusted managed services, preferring instead to “own” the deployment and operations associated with their security technologies. 

While cultural attitudes toward security control remain today, demand- and supply-side changes are influencing new security technology decisions.

On the demand-side, CISOs are coping with a global cybersecurity skills shortage. According to research from ESG and the Information Systems Security Association (ISSA), the skills shortage has an impact on around 70 percent of organizations, increasing the workload on security teams, forcing them to focus the bulk of their attention on high-priority alerts only. That means while CISOs may want to “own” everything, they don’t have the resources to do so. 

On the supply-side, vendors such as CrowdStrike, Okta, Proofpoint, and Zscaler tend to eschew on-premises offering, opting instead for cloud-based SaaS security technologies. Other security technology vendors have quickly followed suit. That means innovation and flexible solutions are migrating to the cloud.

Cloud, on-premises or both?

Given these market dynamics, ESG wondered how security technology procurement and operations attitudes are changing (if at all). As part of a recent survey of 232 IT and cybersecurity professionals, ESG asked survey respondents whether their organization prefers on-premises security technologies, cloud-based security technologies, or whether they consider both options and then decide on a case-by-case basis.

The resulting demonstrates that security professionals’ attitudes are evolving — 42% consider on-premises and cloud-based security technologies and then decide on a case-by-case basis, 31% prefer on-premises security technologies, and 26% prefer cloud-based security technologies. Some quick addition demonstrates that 69% of organizations are open to or prefer cloud-based security solutions. 

OK, so why do nearly one-third of organizations hang onto on-premises security technologies so tightly? Not surprisingly, 40% say they prefer to control all aspects of security technology themselves, 37% believe their organization can deploy and operate on-premises security technologies better than cloud-based alternatives, and 33% admit they don’t want to store sensitive data in the cloud. It’s still all about control. 

How about those that prefer cloud-based security technologies? Well, 36% say cloud-based alternatives eliminate the time and resources needed to provision on-site resources such as servers and storage, 34% claim that cloud-based alternatives are constantly updated, eliminating the need for product upgrades, and 33% believe cloud-based security technologies can accelerate deployment time and time to value. It’s all about flexibility and operational efficiency. 

IMHO, there is no right or wrong answer here, and security technology choices will be governed by company culture, industry, resources, regulations, etc. Nevertheless, it’s important that security professionals realize that more and more technologies, security or otherwise, will be delivered as SaaS-based services. Like it or not, this will impact where innovation and potentially ROI benefits come from. 

To me, security solution decisions should be based upon how well it meets your requirements (i.e. security requirements, business requirements, financial requirements, etc.) — not form factor. Therefore, the 42% willing to consider on-premises and cloud-based solutions and then decide on a case-by-case basis have the right model.

Copyright © 2018 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022