Features

Russell Thipha, Intellehub

Enterprise cybersecurity has a habit of showing up late, after the architecture is locked in, the delivery date is set and the organisation has already decided what it is willing to tolerate. That pattern was never ideal, but it was workable when systems moved slowly and any changes were contained. Cloud, automation and AI have shortened decision cycles to the point where risk now appears while systems are being designed, not once they are already live. That is largely because enterprises are under pressure to ship new services. “The number-one priority is speed,” says Tom Soderstrom, executive in residence and enterprise strategist at AWS. “Speed to market, speed to profitability, speed to compliance, speed to training and new skills.” This obsession with release cadence shows in how teams are funded, how delivery is measured and how little tolerance there is for work that does not translate into value for the business. The problem is that cyber decisions are being made in that environment, whether security teams are brought on board at the outset or not. “If you’re on the leading edge, you lead. If you’re on the bleeding edge, you bleed,” he says.

Treating security as something that can be reviewed later no longer fits in with how enterprise systems are designed and delivered. “If it’s not secure, it just doesn’t go anywhere,” says Soderstrom, adding that security as an afterthought will become an obstacle. Where enterprises make progress, he says, is not by asking how to improve security, but by starting with the outcome the business is aiming to deliver. This means that security can’t be viewed in isolation. Products need to be brought to market faster without increasing risk, regulatory requirements need to be met without slowing delivery, and AI needs to be used in ways that do not erode customer or regulator trust.