Has cyber security really advanced over the last 20 years? Despite increasing security budgets and growing security teams, the number of attacks and breaches continues to climb.
According to our recent cyber security readiness survey:
41% of respondents experienced a breach in the past year
29% fewer respondents felt prepared to defend against a cyber attack compared with the previous year
58% of respondents expect an increase in breaches over the next year
What are we doing wrong?
Complexity is at the root of our problems. In our survey, 86% of respondents agreed that complexity makes their organization more vulnerable to attacks. Until we can address this complexity crisis, we won’t be able to reverse the trend of rising attacks or make meaningful progress within our organizations.
IT environments have undoubtedly grown more complicated. The era in which IT teams provide technology resources exclusively from an on-premises data center, to employees working solely in a corporate office, is long gone. Today, we are using multiple cloud environments and SaaS applications as well as on-premises data centers to support a global hybrid workforce.
Security teams have added to this complexity by deploying numerous security tools, including some with overlapping capabilities. In fact, according to that recent readiness survey, 49% of organizations have more than 20 security tools. The number of tools is only growing: 82% of respondents have added more vendors and tools this year.
Many organizations have hired large security teams to manage all these tools. Over half of the respondents in our survey report having teams of more than 100 people.
However, from my own experience, I’ve learned that having a massive budget and team is never enough. In one of my previous roles as CISO, I managed a billion-dollar budget and a team of 1,500 people. We believed we could take on anything. Yet during strategic planning, the team had just two requests: more money and more staff.
The problem wasn’t the seemingly infinite amount of resources. It was the complexity.
Why is complexity a problem? When you struggle with complexity, you can’t solve your current security challenges. In the event of a breach, you can’t quickly determine what is happening or recover rapidly. Complexity also slows innovation. The more time and money you spend dealing with complexity, the less time and money you have for new projects, like implementing the use of AI.
One of the most pressing challenges for IT organizations is building resilience. Attacks and breaches will keep coming. We need to be ready to respond and recover fast.
Company leadership teams and boards demand resilience. Regulators see resilience as non-negotiable. If we don’t build resilience into our planning on our own, regulators will require us to do so, just as they have with financial services organizations.
But complexity makes resilience very challenging. First, it can be very difficult to maintain security in a complicated IT environment. Your team might have trouble keeping up with security updates and patches across all components, leaving gaps that attackers can exploit. Complexity also makes it difficult to test your resilience strategy before attacks occur.
When attacks happen, you won’t be able to respond or recover quickly. The more interconnected and dependent all of these system components and tools are, the harder it becomes to isolate threats and stop them from spreading. Once the attack is over, it might take days, weeks, or months to get all systems back up and running.
Without resilience, we can’t help our organization's progress. We can’t adequately enable and support the most important initiatives, in particular, those that center on AI.
As a CISO, I am often asked whether I'm optimistic or pessimistic about AI. My answer is that we have to be both. We need to be prepared for both the benefits and the risks. Even if the risks appear large, there is no going back. Very soon, there will really only be two kinds of companies: Those that got AI right and those that don’t exist anymore.
As security leaders, we must help our organizations advance with AI. But we can’t support this AI imperative if we’re stuck managing numerous tools. A business team might want to roll out a new LLM for customer support quickly. If that company’s security team needs days or weeks to get approvals and make firewall rule changes before that rollout, the company will lose its competitive advantage.
Meanwhile, we’re already seeing how AI will be used against us. We are seeing AI model breaches, data poisoning, and AI-enhanced phishing attacks. If we’re managing six WAFs and four SASE providers, it becomes impossible to tackle these emerging threats, much less support AI initiatives. I can attest to this firsthand, working at a company that managed six WAFs when I first joined.
We need to go all in on AI and focus on where the business is going. How do we move forward? We need to understand how to secure AI and how to redefine our target operating model. We also need to hire cyber security professionals with specialties in AI. And importantly, we need to simplify and consolidate so we can devote our time and resources to AI projects.
Many security teams have three- or five-year plans. In other words, in the near future, their organizations will be more secure. But attacks and breaches are escalating right now. Meanwhile, we need to start enabling our business for the AI future. We can’t delay in addressing complexity.
What should you do now to get started?
Consolidate tools: I was leading an organization where we had 52 security tools when I started. We managed to reduce that number to 17. It can be done. You can eliminate tools and actually make your organization more secure. One tool can be better than three if you have the right tool and allocate the resources to use it properly.
Talk to your peers to learn how they are solving the complexity problem. Ask them which tools they have chosen as they have consolidated.
Streamline processes: Consolidating tools will help to streamline processes. When you can remove tools and manual steps from a process, you can complete that process faster and leave less room for error.
Implement a modern security architecture: For many organizations, a connectivity cloud can help significantly reduce complexity. A connectivity cloud provides the any-to-any connectivity organizations need for integrating any cloud, data center, or network. At the same time, it consolidates multiple cloud-native security services in a single, unified platform. You can avoid time-consuming integrations, eliminate security gaps, and prevent team members from having to constantly switch among multiple interfaces.
If we can reduce complexity, we can gain visibility into what is flowing into and out of the network. We can improve resilience, so we can better recover from attacks. We can also focus more on moving forward with key initiatives, including the AI initiatives that are at the top of everyone’s priority list. Reducing complexity can be challenging, but focusing on complexity now will quickly pay dividends for strengthening security and enabling innovation.
The Cloudflare connectivity cloud helps organizations regain control and visibility over even the most complicated enterprise environments. It is a unified, intelligent platform of programmable cloud-native services that provides a single, simplified interface to facilitate vendor consolidation.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Learn more about how a connectivity cloud can help you address the crisis of complexity that is holding your organization back in the A way to take back IT and security control ebook.
Grant Bourzikas — @grantbourzikas
Chief Security Officer, Cloudflare
After reading this article you will be able to understand:
Why complexity is holding back organizations
How complexity affects resilience and impedes AI innovation
How you can start addressing complexity now