Balancing Risk and Innovation: Security’s Mission Impossible?

As a security leader, how do you best enable the flywheel of innovation that drives the business while managing the risk that’s a byproduct of moving fast to modernize your IT enterprise architecture, adopt modern application design, deploy new apps, and ultimately, deliver more value to your customers?

The struggle to effectively balance risk and innovation is real—76% of respondents to the latest F5 State of Application Strategy survey said they’d turn off security measures for gains in performance (many would even do so for relatively small improvements!). Tradeoffs like this can leave you vulnerable, and “good-enough” security point solutions will erode customer trust and your reputation when things go bad. We’re seeing the challenge of deploying security that’s both highly effective and easy to use in companies across all industries—from financial services, where open banking and the use of third-party APIs can make protecting apps more complex, to government, where agencies, prompted by the executive order on cybersecurity issued by the White House or the NIS2 legislation in the EU, need to take serious steps toward bolstering their cybersecurity.

Responding to evolving customer needs

The traditional security perimeter is long dead. The evolution of application architectures to a more distributed model combined with the increased adoption of SaaS solutions (93% of organizations use some type of cloud-based as-a-Service offering) and edge deployments means that security must be ubiquitous. Add in the imperative to move ever faster in support of prolific product innovation—a response to the spike in remote work, and greater demand for services like telemedicine and online banking, to name a few—and it’s clear that the role of the security organization in the business has fundamentally changed.

Today, security must fulfill multiple roles: as an enabler of digital transformation, a steward of customer trust, and a bulwark of organizational reputation. And it’s your responsibility to ensure that everyone in the company understands the security organization’s central role in business success. Shifting the perception of security from a feature to a mindset is a cultural change that requires time and effort.

So how do you get there?

Make security accessible and unified  

Instilling that cultural change throughout the organization means that everyone needs to adopt a security-first mindset. You can accelerate this shift by making security solutions easier to deploy regardless of environment, application architecture, or staffing resources.

Unifying application security policy declaration and enforcement across on-prem, public cloud, and edge environments helps make security consistent for both legacy and modern applications, and reduces the time your teams spend remediating issues. By strengthening protection from the data center to the end user, you can ensure that customers enjoy a frictionless, safe digital experience every time.

And you don’t have to do it alone. Or be a born-in-the-cloud company with a large security team. Take the Scottish Government’s Agriculture and Rural Economy Directorate (ARE) for example. They have successfully responded to security and digital transformation challenges by opting for a managed service that enables multi-layer security across environments.

Meet developers where they are

Security can no longer be an afterthought in the development process. Just as DevOps teams partner with their product colleagues to streamline and accelerate development and deployment, SecOps can help take the toil out of building security into the application by engaging with developer teams to define and build declarative app security policies, integrate security into their preferred CI/CD toolchains, and ensure everyone can harness telemetry to fine-tune and protect the application.

By empowering app builders with easy-to-use dashboards, guardrails, and tooling, you can reduce the desire to circumvent security practices while also helping developers solve their problems and moving the business forward. Companies like Audi are doing this today in their modern, microservices-based environments to spur innovation while ensuring that security is baked into the platform.

Challenge your vendors for more

In addition to these internal recommendations, security leaders must also look outward and ask vendors the tough questions:

• Is your vendor a thought leader with regard to security—not just helping customers solve their problems today but actively anticipating what’s coming next?
• Is their product (or better yet platform) API-first? You’ll want that to be the case for management orchestration, in-line enforcement, and easier security posture improvement of the exploding number of APIs you’re using to deliver services to your customers (contributing to the projected two billion active APIs in the world by 2030).
• If you are among the 87% of organizations operating both legacy and modern apps and 77% running apps in multiple clouds, do your vendor's solutions work across different architectures wherever your apps are deployed?
• Are they invested in integrating with major toolchains and data analysis platforms? This is fundamental because 98% of organizations acknowledge they don’t have the insights they need now to address business objectives and improve the customer experience.
• Are they exploring how automation, machine learning, and AI can be used to make your security faster, more effective, and proactive—with few resources?
• Can they enable you to increase security of applications and APIs at every point in the threat assessment and mitigation process?

Ask for the capabilities you need to protect customers and help the business deliver seamless, satisfying experiences while dealing with a scarcity of resources and talent—and if your current vendor can’t meet your requirements, consider looking elsewhere.

What’s next?

As security takes a more central role in the boardroom, you have an opportunity to champion best practices in areas such as IT modernization, cloud migration, application and network security, and zero-trust access. By mitigating the risk that comes with innovation, you can enable the business to move forward in its digital transformation without sacrificing customer trust.

Start helping teams across your organization develop a security-first mindset now. Partner with other functional groups—including product and customer experience teams—to deliver the capabilities they need. And adopt platform solutions that are simple to implement and operate, require less human intervention, integrate with ecosystem partners, and adapt to address new threats and vulnerabilities.

Successfully securing a digital business requires managing a spectrum of risks while not neglecting other real-world objectives. That means balancing acceptable performance, customer experience, and cost with acceptable protection and security compliance. By making security solutions more accessible, empowering developers with easy-to-use tools, and challenging your vendors for more, you can keep the business safe while helping deliver the inspiring customer experiences that spark and fuel growth.