Netskope named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Service Edge. Get the report

close
close
  • Why Netskope chevron

    Changing the way networking and security work together.

  • Our Customers chevron

    Netskope serves more than 3,000 customers worldwide including more than 25 of the Fortune 100

  • Our Partners chevron

    We partner with security leaders to help you secure your journey to the cloud.

Still Highest in Execution.
Still Furthest in Vision.

Learn why 2024 Gartner® Magic Quadrant™ named Netskope a Leader for Security Service Edge the third consecutive year.

Get the report
Netskope Named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Service Edge graphic for menu
We help our customers to be Ready for Anything

See our customers
Woman smiling with glasses looking out window
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn about Netskope Partners
Group of diverse young professionals smiling
Your Network of Tomorrow

Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.

Get the white paper
Your Network of Tomorrow
Introducing the Netskope One Platform

Netskope One is a cloud-native platform that offers converged security and networking services to enable your SASE and zero trust transformation.

Learn about Netskope One
Abstract with blue lighting
Embrace a Secure Access Service Edge (SASE) architecture

Netskope NewEdge is the world’s largest, highest-performing security private cloud and provides customers with unparalleled service coverage, performance and resilience.

Learn about NewEdge
NewEdge
Netskope Cloud Exchange

The Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.

Learn about Cloud Exchange
Netskope video
The platform of the future is Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview
Netskope video
Next Gen SASE Branch is hybrid — connected, secured, and automated

Netskope Next Gen SASE Branch converges Context-Aware SASE Fabric, Zero-Trust Hybrid Security, and SkopeAI-powered Cloud Orchestrator into a unified cloud offering, ushering in a fully modernized branch experience for the borderless enterprise.

Learn about Next Gen SASE Branch
People at the open space office
Designing a SASE Architecture For Dummies

Get your complimentary copy of the only guide to SASE design you’ll ever need.

Get the eBook
Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn about NewEdge
Lighted highway through mountainside switchbacks
Safely enable the use of generative AI applications with application access control, real-time user coaching, and best-in-class data protection.

Learn how we secure generative AI use
Safely Enable ChatGPT and Generative AI
Zero trust solutions for SSE and SASE deployments

Learn about Zero Trust
Boat driving through open sea
Netskope achieves FedRAMP High Authorization

Choose Netskope GovCloud to accelerate your agency’s transformation.

Learn about Netskope GovCloud
Netskope GovCloud
  • Resources chevron

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog chevron

    Learn how Netskope enables security and networking transformation through security service edge (SSE)

  • Events and Workshops chevron

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined chevron

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

The Intersection of Zero Trust and National Security
On the latest episode of Security Visionaries, co-hosts Max Havey and Emily Wearmouth sit down for a conversation with guest Chase Cunningham (AKA Dr. Zero Trust) about zero trust and national security.

Play the podcast
The Intersection of Zero Trust and National Security
Latest Blogs

Read how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky
SASE Week 2023: Your SASE journey starts now!

Replay sessions from the fourth annual SASE Week.

Explore sessions
SASE Week 2023
What is SASE?

Learn about the future convergence of networking and security tools in today’s cloud dominant business model.

Learn about SASE
  • Company chevron

    We help you stay ahead of cloud, data, and network security challenges.

  • Leadership chevron

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Customer Solutions chevron

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Training and Certification chevron

    Netskope training will help you become a cloud security expert.

Supporting sustainability through data security

Netskope is proud to participate in Vision 2045: an initiative aimed to raise awareness on private industry’s role in sustainability.

Find out more
Supporting Sustainability Through Data Security
Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain
Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn about Professional Services
Netskope Professional Services
Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn about Training and Certifications
Group of young professionals working

The Economics of Network & Security Transformation – Part 3

Jul 28 2020

Co-authored by Neil Thacker and Nathan Smolenski

A framework and strategy review for managing network & security transformation is much needed.  Every CIO, CISO, and CTO today will be assessing their ongoing costs to run and operate a secure network and security programme for 2021 and beyond. In parts 1 & 2 of this three-part series, I explained what numbers should feed these calculations and measurements and how performance, flexibility, and scalability are all key to this transformation. We are now in a critical stage to decide what our networks and security programmes will look like in the near future…and we only have one chance to get it right.

Driving top-line growth while improving the bottom line with operational cost efficiencies

Ask a board what their ultimate goal for digital transformation is and it’s improving top-line growth whilst applying operational cost efficiencies to maintain a healthy bottom line. Transformation does come with new costs, but as project teams become more experienced with digital transformation, so come the economic efficiencies. 

This same approach applies to network and security transformation. We now have organisations that have followed the same design principles and have moved, or are moving, their security technologies and controls to the cloud. These skill sets are in high demand as more and more organisations realise the value of this transformation. This move also allows the organisation to simplify its budget projections and focus on expense management by reducing its unpredictable CAPEX expenditure and moving to a predictable OPEX subscription-based model that supports operational cost efficiencies.  More on this later. In summary, a win-win. Not only is this simpler to forecast, but as security becomes a services-based industry, it will support cost avoidance and will allow for additional consolidation opportunities.  

Gone are the days of routing traffic through the public internet and through a myriad of appliances all making attempts to inspect and decode traffic with the team needing to perform regular reviews for each appliance to assess ROI/TCO and asking the obvious question: “Do we still need this and is there a better option?” Today, all organisations have the opportunity to use cloud-based microservices when the needs arise without expensive design and architectural reviews. To think of this as an analogy, it’s similar to booking an international trip and using a dozen airlines and airports to get you to your destination.  Every flight connection requires another security check where you and your baggage needs to be scanned. Now consider paying a huge premium for this.  Given a choice, everyone will instead choose a cost-effective direct option with the same or better security applied on demand. This is what network and security transformation should be about, simple, fast, and secure without unnecessary delays.

Flexibility outside the bounds of IT

As we transform our networks and security and move our security controls to the cloud, we must assess how we think about forecasting and budgeting. Securing a user (I much prefer to refer to users as employees) in our environment is an expense typically assessed for each budgetary year. If we have 20,000 employees, it’s obvious that it’s going to be more expensive and require more resources than securing 2,000 employees. The issue with organisations is that they cannot accurately predict what their employee count will look like in the 3-5 years ahead. The challenge is mergers and acquisitions (M&A), a change agent that occurs for most organisations that will shake up any IT and security strategy.  With M&A, predicting onboarding costs usually involves thinking about new hardware or even replacement hardware to scale to the organisation’s new requirements. These types of challenges can take months to plan for and apply, and will typically slow an organisation down at a critical time.  However, as organisations embrace and use the cloud, we can systematically use the flexible benefits of the cloud to scale when necessary without compromise. Adding another 5,000 employees to a cloud-based Next Gen Secure Web Gateway (NG SWG) is as simple as updating the license. No new hardware, no shipping hardware to new locations, no racking and stacking, and procuring cabinet space.  This flexibility outside of the legacy bounds of IT should not be underestimated.

As we have now overcome some of the more difficult challenges of the past and simplified onboarding, we need to think about other opportunities to consolidate. I think we can all agree that the average organisation has acquired many technologies and solutions over the years that are ready for replacement in a cloud-first world. The first statement I hear from most CISOs when discussing security transformation is, “I need to consolidate.” Consolidation of technologies is not an easy task but it can be made easier by using concepts such as Secure Access Service Edge (SASE) to identify what key capabilities are required to support the organisation’s future ecosystem. A staple for most organisations’ future architecture is the focus on the following, ideally on as few platforms as possible with API integrations and a fast and performant global network to provide access to business applications and infrastructure.

  • Identity & Zero Trust Network Access (IAM & ZTNA)
  • Web & Cloud Security Cloud/Gateway (SWG & CASB)
  • Data Protection (Data Classification & DLP)
  • Threat Protection (Anti-Malware, Sandboxing, Browser Isolation)
  • Endpoint Protection (NG-AV, EDR)
  • Automation & Orchestration (SIEM & SOAR)

As we assess cost reduction and this new concept model, we must continue to ensure we see value, benefit, and overall risk reduction to our organisations whilst providing the best connectivity and flexibility to our workforce.  After all, a security budget should always be appropriate to the risk appetite of the organisation.

Business value, benefit, and risk reduction

As we look at value, benefits, and ultimately risk reduction opportunities and better control efficacy, it is often difficult to come to a realistic value at risk. There are various flavors of assessing such risk postures and there are certainly many debates around this topic. Bruce Schneier wrote a great article on this same topic for CSO back in September 2008 that has aged relatively well. As it pertains to the traditional approach of putting a dollar value on risk, he posits, “The classic methodology is called annualized loss expectancy (ALE), and it’s straightforward. Calculate the cost of a security incident in both tangibles, like time and money, and intangibles, like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk.” 

This “probability x impact” approach has been the method we have all tried to implement in one way, shape, or form to get some semblance of a financial indicator of the cost of the risks that we have identified and are attempting to manage. The problem, as Bruce also points out, is that the resulting data outputs from these calculations essentially work against us when talking to business leaders, and are clouded by the lack of good data we have as inputs. 

For example, If the calculated cost of a given risk is $40,000 annually and the total cost of ownership of the people, process, and technology intent on better managing or reducing that risk is $65,000 annually, imagine what the CFO is going to want to know. How accurate is our data on the factors that go into measuring impact (actual loss, reputation, etc.), and how accurate our data is for determining the actual probability? And, even if we all agree on those numbers, how the CFO interprets and chooses to ultimately enable you to invest can obviously be influenced by these, and many other factors. In speaking to many in the industry, as well as from our own experiences as practitioners, it is often the challenge of bridging the gap in understanding. If you do not understand your organization’s true risk tolerance levels and perspectives, you could really be fighting an uphill battle. 

When making considerations for risk management; it is critical to determine how effectively risks are managed. From a cybersecurity perspective, it is often that we will see organizations align policies and controls to standardized frameworks that are often audited by 3rd parties annually to determine maturity, alignment, and overall progress. Security teams then often are forced to reactively prioritize many of their efforts post-assessment to address the findings. 

From a risk management perspective, where an organization progresses in terms of risk then purely becomes an output of the efforts put forth to respond to the assessment findings. Value At Risk frameworks like FAIR (Factor Analysis of Information Risk) call this approach an Implicit Method of managing risk due to its reactive nature and lack of consistent feedback loop. The result is often less control of the risk management outcome from a loss exposure perspective as the probability and impact elements are not natively included in frameworks. A proactive risk management posture, in contrast, has a very explicit risk target that is constantly managed as a result of feedback and inputs into the risk management process. 

As we assess operational cost efficiencies, flexibility, cost reduction, business value, and better risk management as a practice, we aim to work within a model that continuously informs and supports proactive adjustments of our controls to address an ever-changing cost, business benefit and risk landscape.

author image
Neil Thacker
Neil Thacker is a veteran information security professional and a data protection and privacy expert well-versed in the European Union General Data Protection Regulation (EU GDPR).

Stay informed!

Subscribe for the latest from the Netskope Blog