Business transformation remains aligned to technological advances, according to more than four fifths (81%) of global CEOs. Yet in the rush to achieve digitally enabled change, the constraints of current security models and thinking pose a fundamental risk to the business. When organizations are faced with wholesale and expensive security redevelopment to embrace the cloud, extend the capability of a remote office, support flexible working, or even upgrade data center requirements it is no wonder corners are cut and security postures compromised as a result.In a \u2018disrupt or be disrupted\u2019 competitive environment, businesses need true flexibility when it comes to security to enable CISOs to protect today\u2019s extended organization - flexibility that puts users, applications and secure access at the centre of a watertight security model.Fundamental disconnectDespite the ever-increasing threat landscape, the vast majority of organizations appear to need little incentive to side step essential security requirements.\u00a0 Indeed, despite clear understanding of the devastating financial and reputation implications associated with a breach \u2013 Equifax or Deloitte anyone? \u2013 push back on the cost of essential security investment is a constant.While the vast majority of organizations now acknowledge that business growth is reliant on digital transformation and accept that IT deployment and security is now vital, there remains a fundamental disconnect.\u00a0 For when the CIO presents plans to move part of the infrastructure into the cloud or upgrade the connection between remote offices and the data center, more often than not the security aspect of that business critical investment gets watered down \u2013 at best.Unfortunately, this is not just an issue of corporate mindset \u2013 in many ways the security market is culpable. From rigid products and architecture, to inflexible payment models, the way in which security is presented to the market makes it far too difficult for the board to recognize \u2013 let alone invest in - a solution that supports both today and tomorrow\u2019s business strategy. In consequence, at best corners are cut and security postures weakened; at worse organizations simply carry on with their digital transformation plans in the hope that at some stage it might be possible to retro-fit security.An unpalatable choiceOrganizations need flexibility and agility to ensure security can grow in line with business requirements. What they are being offered, in contrast, is a set of rigid product offerings that will only work if the infrastructure is redesigned to fit.\u00a0 There is no scalability, no way to cost effectively and securely expand or upgrade the underpinning infrastructure, leaving organizations with an unpalatable choice: pay a premium for a future proofed solution today, despite the fact the capacity may not be required for several years, or accept the need to re-engineer the environment with every upgrade.This is completely unacceptable \u2013 and certainly gives the CISO no ammunition to combat a cost sensitive board wanting to water down security investment.What organizations need is security with built-in growth capability; the ability to handle evolving business objectives not just in the short term, but in the short, medium and long term. A \u2018pay as you grow\u2019 model based on a solution that is implemented once and can then expand to meet an organization\u2019s business requirements without re-engineering and without financial penalties.Decoupled from the infrastructureThe key to achieving this \u2018pay as you grow\u2019 approach is to move away from the traditional rigid security product model that is tied into the infrastructure.\u00a0 Security embedded into firewall, router or switch, not only lacks flexibility and product features, but organizations often incur serious performance penalties when encryption is switched on.\u00a0 The performance dip then prompts a demand from the infrastructure team for an upgrade sooner than originally anticipated \u2013 which then prompts additional security upheaval. And the unhealthy cycle continues. What was a five year investment has to be ripped out in two \u2013 and the CISO is facing another board level battle.In contrast, by embracing an overlay approach that decouples security from the connectivity infrastructure, it is simple to upgrade and evolve security at every stage \u2013 whether that is between data centers, between data centers and remote sites, even data centers and the cloud.\u00a0 Once in place, an organization can begin to enforce a security posture that reflects business requirements and accurate risk assessment \u2013 not the limitations of a rigidly defined security model.Furthermore, by decoupling security from infrastructure, organizations are able to adopt the zero-trust security model that is increasingly critical to today\u2019s business strategy. When organizations do not own the cloud infrastructure, or the public networks used by flexible and remote workers they have to assume zero trust: to achieve access, a user needs to both see an application and be permitted to use it. By taking this model and securing it using expandable and scalable Layer 4 based cryptographic segmentation, an organization can embrace zero trust irrespective of infrastructure, of data center locations, new cloud deployments, and \/ or the desire of workers to hang out in the local coffee shop.When trust is built on users and applications \u2013 rather than the infrastructure - organizations can embrace a far more elastic security posture that can be adapted rapidly into new environments. In addition, this decoupled model can \u2013 and should \u2013 be deployed across owned infrastructure, extending the zero-trust concept and moving all aspects of the security posture from networks and infrastructure towards applications and users.ConclusionThe CISO today is facing an unwinnable battle \u2013 security products are too rigid, costs are too high, risks are too great.\u00a0\u00a0 While there is no doubt that mindsets need to change, that organizations need to stop side lining security, the security industry must also make a fundamental change.Today\u2019s business models are too fluid to be constrained by infrastructure led security models \u2013 the result can only be financial, operational and risk compromise.\u00a0 Every time an organization moves an application or adds in remote users, the security posture breaks. Security thinking needs to change; organizations need to move away from the concept of owned and unowned networks or infrastructure and consider only users, applications and secure access \u2013 and the security industry must facilitate that shift.It is only by forgetting about the underlying infrastructure and focusing on the users, the applications and using pay-as-you-grow cryptographic segmentation to deliver scalable zero trust access, that organizations can achieve a far more flexible, affordable and effective security posture.