According to a study by Akamai Technologies, 87% of digital-native businesses (which seems to be a term specific to Asia/Pacific) now prioritize security over cost and scalability when selecting a cloud provider. While this study focused on Asia, we see similar buying patterns here in the United States. This “security-first” approach reflects a broader shift in how businesses operate amidst accelerated technology adoption.
As businesses integrate cloud computing, they grapple with escalating complexity and cyberthreats. To remain agile and competitive, they embrace cloud-native design principles, an operational model that allows for independence and scalability through microservices and extensive API usage. However, this does not come without its challenges.
How security became king
The shift in prioritizing cloud security over cost and scalability is a significant trend driven by several factors:
Rising cyberthreats are both a perception and a reality. As businesses increasingly rely on cloud services, they face more sophisticated cyberthreats. High-profile data breaches and cyberattacks have heightened awareness and made security a top priority.
Complex cloud environments mean that adopting cloud-native designs introduces layers of complexity. Ensuring security across distributed components (microservices and APIs) becomes crucial, as misconfigurations or vulnerabilities can lead to significant risks. I’ve been screaming about this for years, along with others. Although we accept complexity as a means to an end in terms of IT, it needs to be managed in light of its impact on security.
Compliance and regulatory pressures mean that many industries face strict regulations regarding data protection and privacy (e.g., GDPR, CCPA). Ensuring compliance requires robust security measures to protect sensitive information in the cloud. Many enterprises are moving to sovereign or local clouds that operate under the laws and regulations they adhere to. Companies view this as reducing risk; even if those clouds are more expensive, the risk reduction is worth it.
Business reputation and trust are always vulnerable; companies recognize that a security breach can instantly damage both. Indeed, you’ll get yourself on the morning news and watch your stock drop by 50%. By prioritizing security, businesses aim to safeguard their reputation and customer relationships.
Long-term cost implications mean that focusing initially on cost and scalability might seem feasible, but the long-term financial impact of security incidents can be severe. Most people in the cybersecurity space understand that risk equals money. The more risk, the less your systems are worth, considering the potential for a breach. Prioritizing security can prevent costly breaches and downtime.
Innovation and agility mean that to remain competitive, businesses need to innovate rapidly. A secure cloud infrastructure enables this by providing a reliable foundation for building and deploying new services without compromising data integrity or security.
This landscape is driving businesses to adopt a “security-first” mindset. Although this can be a platitude, we must recognize that other benefits of cloud computing—cost savings and scalability—can be undermined without good security planning and mechanisms. This shift mirrors a broader global movement toward valuing resilience and reliability alongside traditional operational metrics.
How to lower security costs
Balancing cloud costs with security involves strategic approaches to optimize resources while safeguarding systems and data. This directly correlates with the price of the cloud versus the value of security, and the two are often not easy to connect. Many assume that the more security you need, the higher the cost of the cloud services. The study mentioned at the beginning of this article assumes that more security is always more costly. I have not found that to be the case. Indeed, in many instances, the exact opposite is true.
Here are a few words of advice to help you find value in security and move away from the accepted mentality that more security always means more money.
Build security into the architecture from the start to avoid expensive fixes later. This seems obvious, but it’s often not done. Security is an afterthought about half the time, and companies are then forced to toss money at the problem.
Automate compliance and management to reduce manual efforts and costs. Automation means repeating good processes without depending on humans; security is no different.
Use strong access controls to ensure only authorized users access critical data. Identity management is the most used approach here, and for good reason.
Regularly audit cloud usage to eliminate wasteful spending and optimize resource allocation. Also, train teams to efficiently manage cloud resources and security.
This is not that hard when you get down to it. What’s concerning is that enterprises truly believe they have to spend a great deal of money to reach an appropriate security level. Nothing could be further from the truth.