With the advent of remote work, companies – including those in legacy industries – have been forced to adopt SaaS (software as a service) and cloud tools to stay competitive and agile. Modern, cloud-based platforms like Zoom, Slack and Salesforce have become critical to enabling knowledge workers to collaborate efficiently from their homes. As beneficiaries of this tailwind, public cloud hosting providers like AWS, Microsoft Azure and Google Cloud have seen phenomenal success. According to Gartner, spend on cloud providers is forecast to increase to $178 billion in 2022 from $141 billion in 2021.
But while public cloud providers have made it easy to use modern software tools, the shift to the cloud has led to big cybersecurity challenges. Cybersecurity for the cloud-first world is a paradigm shift from traditional, on-premise security. Previously, customers hosted their applications in their own data centres and had full control of their environments and security. Customers operated in a “walled castle” – the network and the applications inside it were secured and controlled by them.
However, when customers adopt public cloud providers, security follows a shared responsibility model between them and the cloud provider. For example, if a customer stores data in an AWS data centre, the customer still has to configure and manage their own security policies. Even though they do not have full control of the infrastructure holding that data, security breaches remain the customer’s responsibility. In this sense, customers adopting public clouds are no longer in full control of their own security, and security concerns are often one of the top barriers to cloud adoption.
Moreover, cloud environments are more complex to secure. Modern cloud customers often employ a microservices architecture, in which each component of an application (e.g. search bar, recommendation page, billing page) is built and deployed independently of the others. There can be up to 10x more workloads (e.g. virtual machines, servers, containers) and microservices in the cloud than on-premise. This fragmentation and complexity leads to access control issues and increases the probability of errors – for example, a developer leaving a sensitive password in an AWS database that is reachable from the public internet. Simply put, the attack surface is larger and more complex in the cloud.
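The two errors just described, a database exposed to the outside world and a credential left in plain text in its configuration, are the kind of misconfiguration a cloud security tool looks for. The following is an added example, not code from the original post or from any of the vendors it mentions: a small audit over a hypothetical resource inventory. The inventory format, the resource names and the "ref:" convention for secrets-manager references are all constructed for this example and do not correspond to a real AWS API.

```python
"""Hypothetical audit of a cloud resource inventory for two of the errors
described above: a database reachable from the public internet, and a
credential stored in clear text in its configuration.

The inventory format, resource names and the "ref:" convention are
constructed for this example; they are not an AWS API or a real account.
"""
import re
from ipaddress import ip_network

# Config keys whose values are treated as credentials unless they are
# references to a secrets manager (constructed convention: "ref:...").
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.IGNORECASE)
# Shape of an AWS access key id; treated as sensitive wherever it appears in a value.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers the whole IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0


def public_exposure(resource: dict) -> list[str]:
    """Return the ingress rules that expose the resource's listening port to everyone."""
    port = resource["port"]
    hits = []
    for rule in resource.get("ingress", []):
        if rule["from_port"] <= port <= rule["to_port"] and is_world_open(rule["cidr"]):
            hits.append(f"{rule['cidr']} -> port {port}")
    return hits


def plaintext_secrets(resource: dict) -> list[str]:
    """Return config keys whose values look like credentials stored in clear text."""
    hits = []
    for key, value in resource.get("config", {}).items():
        if not isinstance(value, str) or value.startswith("ref:"):
            continue  # a reference to a secrets manager is the desired state
        if SECRET_KEY_RE.search(key) or AWS_ACCESS_KEY_RE.search(value):
            hits.append(key)
    return hits


def audit(inventory: list[dict]) -> list[dict]:
    """Combine both checks; a resource that is both exposed and leaking is critical."""
    findings = []
    for resource in inventory:
        exposure = public_exposure(resource)
        secrets = plaintext_secrets(resource)
        if exposure or secrets:
            findings.append({
                "resource": resource["name"],
                "severity": "critical" if exposure and secrets else "high",
                "public_ingress": exposure,
                "plaintext_secrets": secrets,
            })
    return findings


# Constructed sample inventory: one exposed database with a clear-text
# password, one correctly locked-down database, one internal container
# carrying an access key id in an environment variable.
SAMPLE_INVENTORY = [
    {"name": "orders-db", "type": "database", "port": 5432,
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535}],
     "config": {"DB_PASSWORD": "hunter2", "DB_USER": "app"}},
    {"name": "billing-db", "type": "database", "port": 3306,
     "ingress": [{"cidr": "10.0.0.0/8", "from_port": 3306, "to_port": 3306}],
     "config": {"DB_PASSWORD": "ref:secretsmanager/billing-db"}},
    {"name": "search-svc", "type": "container", "port": 8080,
     "ingress": [{"cidr": "10.0.0.0/8", "from_port": 8080, "to_port": 8080}],
     "config": {"UPSTREAM": "http://index.internal", "CLOUD_KEY": "AKIAEXAMPLEKEY0000AB"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

The audit reports `orders-db` as critical (open to `0.0.0.0/0` on its port and holding a clear-text password) and `search-svc` as high (internal only, but carrying a key id in its environment), while `billing-db` passes because its ingress is restricted to a private range and its password is a secrets-manager reference. Real tooling runs the same two questions against the cloud provider's actual configuration APIs rather than a static list.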
Beyond product complexity, the shift to the cloud has inverted the sales pattern from top-down to bottom-up: security buying decisions are increasingly made by developers, not CISOs (Chief Information Security Officers).
This has occurred for two reasons. First, cloud has increased application development velocity, and as a result security is moving from an afterthought to a critical component of developer workflows. Traditionally, developers were responsible for writing code and shipping releases, and the CISO’s team was responsible for security; there was a clear bifurcation of responsibilities. Today, however, developers at modern companies ship new code and product releases every day or every week because cloud has made it much easier to do so. We are now used to our favourite apps (e.g. Netflix, Amazon, Uber) updating themselves frequently, but this was not the norm in the old days. With code deployed this often, cybersecurity has become a problem that developers themselves have to care about.
Second, the early adopters and power users of cloud are modern start-ups and mid-market customers, where buying decisions are more decentralised. Traditionally, security decisions at large enterprises were made by CISOs. Such sales processes involved lengthy proofs of concept and negotiations, and the CISO made the buying decision for the rest of the organisation. Start-ups and mid-market customers, meanwhile, often give their developer teams the autonomy to make security buying decisions directly. For example, in one of the customer councils I attended, a CISO at a fast-growing fintech start-up admitted that his developers had full autonomy to choose which security products to buy.
This new bottom-up sales model fundamentally disrupts how security software gets built and sold. Selling to developers is a different model from selling to the CISO. Developers prefer self-serve features – they like to try and experiment with products before buying them. This requires a product-led sales model: building self-serve and freemium capabilities and attracting a large inbound top-of-funnel of free users. This new sales model is completely different from how traditional security incumbents operate, which rely on a sales-led model – hiring big sales teams who sell large deals to CISOs in an outbound fashion.