IT security is a matter of reputation—and survival

Friday, July 02, 2021
By Garrett Ilg

It might surprise you to learn that in my regular conversations with executives across the Asia Pacific region, one of their biggest concerns is information security. It has become a top C-suite priority, not just an IT one, as reports of security breaches continue to grab the headlines.

Executives not only worry about their companies’ most proprietary and sensitive data falling into the hands of hackers, but they’re also apprehensive about lasting damage to the integrity of their brands. Small and midsize businesses tend to fare even worse than large enterprises in that respect. The founder of one security awareness training firm estimates that as many as 60% of SMBs fail within 6 to 12 months of disclosing a major breach.

If your company’s most important data remains on-premises rather than in the cloud, you don’t stand much of a chance, at least in the long run, of keeping up with the well-financed profiteers and nation states that are after your crown jewels. That is, unless you have a phalanx of security experts and barrels of money to throw at the problem. Here’s why.

The average company has literally hundreds of different configurations of operating systems, databases, applications, and other systems to manage in its data centers. This setup makes it virtually impossible for its IT teams to patch those systems in a timely manner every time a security researcher reveals a vulnerability or a vendor issues a fix.

What I explain to our customers is that they’re better off replacing their highly complex security environments with more uniform, sophisticated, cloud-native ones, managed offsite by security experts. At Oracle, we use a common software stack throughout our cloud data centers, so our patching job is that much easier. Then we encrypt all of the data in our cloud, whereas only about 10% of our customers do that on their own premises.

And now, with our cloud-based Oracle Autonomous Database and Gen 2 Oracle Cloud Infrastructure, we’re further reducing the possibility of successful attacks. These autonomous systems use machine learning algorithms to continuously patch, tune, back up, and upgrade themselves without the need for human labor—and thus the potential for human error—all while continuing to run without interruption. Compare that innovative approach to the security models of some other cloud providers, whose “shared responsibility” support policies put much of the onus of configuring access to their subscription services on their customers’ developers and systems administrators.

The second-generation OCI not only protects the perimeters of customers’ cloud-based servers, but it also isolates the servers from one another and from Oracle’s own control code. That isolation is designed to prevent an attacker, in the extremely unlikely case one does get in, from moving laterally inside the cloud to steal or manipulate data.

Safer in the cloud

The good news is that companies are finally recognizing the inherent security advantages of cloud computing.

In our 2020 Oracle and KPMG Cloud Threat Report, based on a survey of 750 cybersecurity and IT professionals worldwide, 75% of respondents said they think public clouds are either “much more secure” (40%) or “somewhat more secure” (35%) than on-premises environments, compared with 62% in 2018. That’s a big change in just two years.

Yet about 80% of the respondents to that survey estimated that their companies and organizations were running between 75 and 250 “discrete cybersecurity products”—and 6% estimated running more than 250. Clearly, much work still needs to be done to reduce the complexity.

The conventional approach to information security—manual processes, hundreds of vendors with their thousands of point solutions—isn’t working. If your company really wants to avoid making the headlines for the wrong reasons, consider the cloud alternatives.