As more enterprises move to hybrid cloud environments, hybrid cloud security has become imperative to business growth. According to a 2021 study by the IBM Institute for Business Value (IBV), 80% of executives expected their organizations to operate more than 10 distinct clouds by 2023, up from eight in 2020. “The scale of most enterprise hybrid cloud deployments is so vast and penetrates so deeply that the need for an all-in security culture is absolute,” says Shue-Jane Thompson, managing partner at IBM Consulting. “And it should emphasize the business case for security.”

Security is fast becoming a conversation about empowerment versus just protection. The IBV study “Prosper in the cyber economy” found that 66% of business executives view cybersecurity primarily as a revenue enabler. This requires shifting from a defensive strategy, built on detection and response, to a mature security posture that emphasizes operational efficiency, financial performance and competitiveness. Instead of thinking about security as a traditional expenditure for your organization, approach it as something that can become a value proposition for partners and end customers.

Thompson points to companies that leverage security as a revenue source by charging a premium for highly secured services or products. “More and more, security is becoming a standalone procurement,” she says. “Customers are buying security as a program. They believe security is not just bought as a small portion of the system or the application they are building. They believe security must be managed and controlled across the total asset.”

Moving from a defensive stance to an offensive strategy starts with understanding trends in the security landscape. A wider adoption of hybrid cloud naturally presents important concerns due to the vast web of interconnectivity between public and private cloud platforms. Many cloud-based environments rely on Linux for their operations, and in 2022, IBM Security X-Force reported dramatic increases in Linux malware. Threat actors are also blending malware with legitimate traffic on cloud-based messaging and storage platforms and targeting Docker containers, which are often used in platform-as-a-service cloud solutions.

“The biggest challenge for security is the complexity, the scale and the velocity at which it needs to operate. Organizations need a heterogeneous security policy that they can also bring down to market level,” Thompson says. International organizations, for example, need security strategies that can satisfy the regulations of every country in which they operate, meet specific customer demands and stay ahead of business-specific threats, whether from broad DoS attacks or sophisticated, targeted phishing. The proliferation of hybrid cloud environments means organizations now have a larger attack surface. Cybercrime will continue to rise, and attacks on these environments are costly and tough to detect. According to IBM’s “Cost of a data breach 2022” report, it takes an average of 252 days for an organization to identify and contain a breach that occurred in a hybrid cloud environment, and the average cost is USD 3.8 million compared to USD 4.24 million for private cloud breaches and USD 5.02 million for breaches in public clouds.

Adding more controls or point solutions is not enough for organizations that want to tap the business benefits of a “security first” mindset. Organizations need orchestration, continuous threat management and resiliency. Two primary enablers: educated employees and sophisticated security solutions. Per data from a 2022 Verizon report, as many as 8 in 10 security breaches are caused by human error. As Thompson says, “How will you be able to help humans make better decisions? That’s where the transformation in culture becomes important.” Here’s what these transformations can look like in organizations that want to embrace a security-first mindset as a business differentiator.

The human factor: from passive participation to personal accountability

Individual accountability and proactive security enhancements at every level are crucial in hybrid cloud environments, especially as ransomware spikes, with an attack occurring every 11 seconds. As organizations integrate cybersecurity strategies into business objectives, Thompson says every individual must see themself as being on the front lines of upholding stronger security practices, whether that means raising community awareness or training colleagues.

A more mature security posture also requires a more robust cyber workforce. The threat landscape is more drastic than ever, with cyberattacks targeting everything from customer data to power grids.  According to IBM Security’s X-Force Threat Intelligence Index 2023, there was an 100% increase in hijacking attempts per month in 2022 compared to 2021. Yet, the demand for cybersecurity professionals outpaces what the labor market can fulfill. According to this Cybersecurity Workforce Study, there is a global cybersecurity workforce gap of 3.4 million people. To help prepare more workers for those vital roles, organizations need to invest in cybersecurity upskilling and AI and automation tools.

IBM, for example, is training more than 150,000 people in cybersecurity skills over the next three years through a range of programs, such as SkillsBuild. Meanwhile, AI, machine learning and automation can process huge amounts of complex security data to predict or detect threats. “Organizations spend a large number of resources trying to deal with compliance issues,” Thompson says. “Chasing after compliance regulations and spending all your energy to check off boxes is not the best way to use your cyber talent.” AI automation tools can facilitate more efficient evaluation and review procedures, perform sensitive data discoveries and support monitoring. “If organizations invest in smart automation, they can then move resources and assets to invest in more proactive defensive mechanisms,” Thompson says.

The tech factor: from vertical silos to horizontal integration

On the technology side, the goal is “having a single pane of glass across the hybrid cloud environment,” Thompson says. “You need total transparency on how your assets, workflows, data flows and users—plus partners in your ecosystem—are functioning.”

Smart and networked devices are becoming ubiquitous, yet existing security models are often designed only to protect the endpoint and the data center with technologies like firewalls. That “walled garden” security model must change to one that orchestrates security technology throughout the business (and ideally, through to ecosystem partners) to ensure protection across all devices and touchpoints. Finally, your technology should detect and contain attacks with effective organization-wide incident responses.

This unified approach creates “a fabric of protection” that envelops the organization, Thompson says, and becomes a value proposition. That level of coordination will be even more vital for certain industries. For example, a growing portion of the USD 1 trillion hybrid cloud market opportunity comprises the financial markets industry, which has strict data ownership and handling requirements built around security and regulation compliance.

The emerging security challenges are considerable, and data security is an ongoing battle. But the solutions are attainable, and the company’s bottom line is the first beneficiary. “Security is a team sport,” Thompson says, “and we’re all on that team.”