SASE Week 2023 On-Demand! Explore sessions.

  • Security Service Edge Products

    Protect against advanced and cloud-enabled threats and safeguard data across all vectors.

  • Borderless SD-WAN

    Confidently provide secure, high-performance access to every remote user, device, site, and cloud.

The platform of the future is Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview
Netskope video
Borderless SD-WAN: Ushering in the New Era of Borderless Enterprise

Netskope Borderless SD-WAN offers an architecture that converges zero trust principles and assured application performance to provide unprecedented secure, high-performance connectivity for every site, cloud, remote user, and IoT device.

Read the article
Borderless SD-WAN
  • NewEdge

    NewEdge is the world’s largest, highest-performing security private cloud.

  • Cloud Security Platform

    Unrivaled visibility and real-time data and threat protection on the world's largest security private cloud.

  • Technology Partners & Integrations

    Netskope partners with the strongest companies in enterprise technology.

Embrace a Secure Access Service Edge (SASE) architecture

Netskope NewEdge is the world’s largest, highest-performing security private cloud and provides customers with unparalleled service coverage, performance and resilience.

Learn about NewEdge
NewEdge
Your Network of Tomorrow

Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.

Get the white paper
Your Network of Tomorrow
Netskope Cloud Exchange

The Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.

Learn about Cloud Exchange
Netskope video
Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn about NewEdge
Lighted highway through mountainside switchbacks
Safely enable the use of generative AI applications with application access control, real-time user coaching, and best-in-class data protection.

Learn how we secure generative AI use
Safely Enable ChatGPT and Generative AI
Zero trust solutions for SSE and SASE deployments

Learn about Zero Trust
Boat driving through open sea
Netskope enables a safe, cloud-smart, and fast journey to adopt cloud services, apps, and public cloud infrastructure.

Learn about Industry Solutions
Wind turbines along cliffside
  • Resources

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog

    Learn how Netskope enables security and networking transformation through security service edge (SSE).

  • Events & Workshops

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

Unveiling the Under-reported Aspects of AI
Emily Wearmouth sits down with Neil Thacker, EMEA CISO, Yihua Liao, Head of Netskope AI Labs, and Suzanne Oliver, Director of IP Strategy at Scintilla, to discuss the topics in the realm of AI that they each wish people were discussing more.

Play the podcast
Unveiling the Under-reported Aspects of AI Social card
Latest Blogs

How Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky
SASE Week 2023: Your SASE journey starts now!

Replay sessions from the fourth annual SASE Week.

Explore sessions
SASE Week 2023
What is Security Service Edge?

Explore the security side of SASE, the future of network and protection in the cloud.

Learn about Security Service Edge
Four-way roundabout
  • Our Customers

    Netskope serves more than 2,000 customers worldwide including more than 25 of the Fortune 100

  • Customer Solutions

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Netskope Community

    Learn from other network, data, and security professionals.

  • Training and Certification

    Netskope training will help you become a cloud security expert.

We help our customers to be Ready for Anything

See our Customers
Woman smiling with glasses looking out window
Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn about Professional Services
Netskope Professional Services
The Netskope Community can help you and your team get more value out of products and practices.

Go to the Netskope Community
The Netskope Community
Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn about Training and Certifications
Group of young professionals working
  • Company

    We help you stay ahead of cloud, data, and network security challenges.

  • Why Netskope

    Cloud transformation and work from anywhere have changed how security needs to work.

  • Leadership

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Partners

    We partner with security leaders to help you secure your journey to the cloud.

Supporting sustainability through data security

Netskope is proud to participate in Vision 2045: an initiative aimed to raise awareness on private industry’s role in sustainability.

Find out more
Supporting Sustainability Through Data Security
Highest in Execution. Furthest in Vision.

Netskope recognized as a Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge.

Get the report
Netskope recognized as a Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge.
Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn about Netskope Partners
Group of diverse young professionals smiling

The Economics of Network & Security Transformation – Part 3

Jul 28 2020

Co-authored by Neil Thacker and Nathan Smolenski

A framework and strategy review for managing network & security transformation is much needed.  Every CIO, CISO, and CTO today will be assessing their ongoing costs to run and operate a secure network and security programme for 2021 and beyond. In parts 1 & 2 of this three-part series, I explained what numbers should feed these calculations and measurements and how performance, flexibility, and scalability are all key to this transformation. We are now in a critical stage to decide what our networks and security programmes will look like in the near future…and we only have one chance to get it right.

Driving top-line growth while improving the bottom line with operational cost efficiencies

Ask a board what their ultimate goal for digital transformation is and it’s improving top-line growth whilst applying operational cost efficiencies to maintain a healthy bottom line. Transformation does come with new costs, but as project teams become more experienced with digital transformation, so come the economic efficiencies. 

This same approach applies to network and security transformation. We now have organisations that have followed the same design principles and have moved, or are moving, their security technologies and controls to the cloud. These skill sets are in high demand as more and more organisations realise the value of this transformation. This move also allows the organisation to simplify its budget projections and focus on expense management by reducing its unpredictable CAPEX expenditure and moving to a predictable OPEX subscription-based model that supports operational cost efficiencies.  More on this later. In summary, a win-win. Not only is this simpler to forecast, but as security becomes a services-based industry, it will support cost avoidance and will allow for additional consolidation opportunities.  

Gone are the days of routing traffic through the public internet and through a myriad of appliances all making attempts to inspect and decode traffic with the team needing to perform regular reviews for each appliance to assess ROI/TCO and asking the obvious question: “Do we still need this and is there a better option?” Today, all organisations have the opportunity to use cloud-based microservices when the needs arise without expensive design and architectural reviews. To think of this as an analogy, it’s similar to booking an international trip and using a dozen airlines and airports to get you to your destination.  Every flight connection requires another security check where you and your baggage needs to be scanned. Now consider paying a huge premium for this.  Given a choice, everyone will instead choose a cost-effective direct option with the same or better security applied on demand. This is what network and security transformation should be about, simple, fast, and secure without unnecessary delays.

Flexibility outside the bounds of IT

As we transform our networks and security and move our security controls to the cloud, we must assess how we think about forecasting and budgeting. Securing a user (I much prefer to refer to users as employees) in our environment is an expense typically assessed for each budgetary year. If we have 20,000 employees, it’s obvious that it’s going to be more expensive and require more resources than securing 2,000 employees. The issue with organisations is that they cannot accurately predict what their employee count will look like in the 3-5 years ahead. The challenge is mergers and acquisitions (M&A), a change agent that occurs for most organisations that will shake up any IT and security strategy.  With M&A, predicting onboarding costs usually involves thinking about new hardware or even replacement hardware to scale to the organisation’s new requirements. These types of challenges can take months to plan for and apply, and will typically slow an organisation down at a critical time.  However, as organisations embrace and use the cloud, we can systematically use the flexible benefits of the cloud to scale when necessary without compromise. Adding another 5,000 employees to a cloud-based Next Gen Secure Web Gateway (NG SWG) is as simple as updating the license. No new hardware, no shipping hardware to new locations, no racking and stacking, and procuring cabinet space.  This flexibility outside of the legacy bounds of IT should not be underestimated.

As we have now overcome some of the more difficult challenges of the past and simplified onboarding, we need to think about other opportunities to consolidate. I think we can all agree that the average organisation has acquired many technologies and solutions over the years that are ready for replacement in a cloud-first world. The first statement I hear from most CISOs when discussing security transformation is, “I need to consolidate.” Consolidation of technologies is not an easy task but it can be made easier by using concepts such as Secure Access Service Edge (SASE) to identify what key capabilities are required to support the organisation’s future ecosystem. A staple for most organisations’ future architecture is the focus on the following, ideally on as few platforms as possible with API integrations and a fast and performant global network to provide access to business applications and infrastructure.

  • Identity & Zero Trust Network Access (IAM & ZTNA)
  • Web & Cloud Security Cloud/Gateway (SWG & CASB)
  • Data Protection (Data Classification & DLP)
  • Threat Protection (Anti-Malware, Sandboxing, Browser Isolation)
  • Endpoint Protection (NG-AV, EDR)
  • Automation & Orchestration (SIEM & SOAR)

As we assess cost reduction and this new concept model, we must continue to ensure we see value, benefit, and overall risk reduction to our organisations whilst providing the best connectivity and flexibility to our workforce.  After all, a security budget should always be appropriate to the risk appetite of the organisation.

Business value, benefit, and risk reduction

As we look at value, benefits, and ultimately risk reduction opportunities and better control efficacy, it is often difficult to come to a realistic value at risk. There are various flavors of assessing such risk postures and there are certainly many debates around this topic. Bruce Schneier wrote a great article on this same topic for CSO back in September 2008 that has aged relatively well. As it pertains to the traditional approach of putting a dollar value on risk, he posits, “The classic methodology is called annualized loss expectancy (ALE), and it’s straightforward. Calculate the cost of a security incident in both tangibles, like time and money, and intangibles, like reputation and competitive advantage. Multiply that by the chance the incident will occur in a year. That tells you how much you should spend to mitigate the risk.” 

This “probability x impact” approach has been the method we have all tried to implement in one way, shape, or form to get some semblance of a financial indicator of the cost of the risks that we have identified and are attempting to manage. The problem, as Bruce also points out, is that the resulting data outputs from these calculations essentially work against us when talking to business leaders, and are clouded by the lack of good data we have as inputs. 

For example, If the calculated cost of a given risk is $40,000 annually and the total cost of ownership of the people, process, and technology intent on better managing or reducing that risk is $65,000 annually, imagine what the CFO is going to want to know. How accurate is our data on the factors that go into measuring impact (actual loss, reputation, etc.), and how accurate our data is for determining the actual probability? And, even if we all agree on those numbers, how the CFO interprets and chooses to ultimately enable you to invest can obviously be influenced by these, and many other factors. In speaking to many in the industry, as well as from our own experiences as practitioners, it is often the challenge of bridging the gap in understanding. If you do not understand your organization’s true risk tolerance levels and perspectives, you could really be fighting an uphill battle. 

When making considerations for risk management; it is critical to determine how effectively risks are managed. From a cybersecurity perspective, it is often that we will see organizations align policies and controls to standardized frameworks that are often audited by 3rd parties annually to determine maturity, alignment, and overall progress. Security teams then often are forced to reactively prioritize many of their efforts post-assessment to address the findings. 

From a risk management perspective, where an organization progresses in terms of risk then purely becomes an output of the efforts put forth to respond to the assessment findings. Value At Risk frameworks like FAIR (Factor Analysis of Information Risk) call this approach an Implicit Method of managing risk due to its reactive nature and lack of consistent feedback loop. The result is often less control of the risk management outcome from a loss exposure perspective as the probability and impact elements are not natively included in frameworks. A proactive risk management posture, in contrast, has a very explicit risk target that is constantly managed as a result of feedback and inputs into the risk management process. 

As we assess operational cost efficiencies, flexibility, cost reduction, business value, and better risk management as a practice, we aim to work within a model that continuously informs and supports proactive adjustments of our controls to address an ever-changing cost, business benefit and risk landscape.

author image
Neil Thacker
Neil Thacker is a veteran information security professional and a data protection and privacy expert well-versed in the European Union General Data Protection Regulation (EU GDPR).

Stay informed!

Subscribe for the latest from the Netskope Blog