Lamont Orange, Netskope's Chief Information Security Officer (CISO), talks to Security magazine about how to foster a security-first culture with Secure Access Service Edge (SASE) adoption.

Security: What is your background, current role, and responsibilities?

Lamont: I have more than 20 years of experience in the information security industry, having previously served as vice president of enterprise security for Charter Communications (now Spectrum) and as the senior manager for the security and technology services practice at Ernst & Young.

At Netskope, I am charged with providing Security Services that will protect our company and enable our business. My role, working with customers and partners within Netskope, also allows me to work closely with other security leaders, so I can fully understand their point of view and current challenges. Together we can demonstrate the modern approach to security.

Security: Why is maintaining optimal security efforts no longer just the sole responsibility of the company, but also that of its employees?

Lamont: Security is no longer confined to the four walls of an office building. Today's world is perimeter-less and revolves around the individual, regardless of where they are. Therefore, maintaining optimal security is no longer just the sole responsibility of the company, but also that of its employees.
 
As external and internal security threats are increasing, organizations must empower employees to take equal ownership over security and instill the concept that security belongs to everyone. This can be achieved by fostering a security-first culture where security needs are emphasized and maintained throughout the organization.
 
Security: How can companies foster a security-first culture? 

Lamont: Fostering a security-first culture must start with Zero Trust, enforcing the assumption that at all times, any user may be up to no good while ensuring data is always protected no matter where it needs to go.

Implementing such a security model means evaluating the company’s security capabilities and understanding which users require access to which resources. Security measures must prioritize protecting users and data, but also must adapt in real time to keep pace with fast-changing requirements. This flexibility provides users with a security team the opportunity to lessen friction and foster a smooth, productive work experience wherever they are, letting them access the data they need while using whatever tools are necessary to remain successful at their jobs.

Security: Can you outline the benefits of SASE?

Lamont: The reasons for adopting a SASE model closely align with the benefits of cloud adoption. The cloud makes it possible for people and businesses to work more effectively, collaboratively, quickly, flexibly, and cost-efficiently - SASE makes that progress safe.

Implementing a SASE model will provide secure access regardless of where users, data, applications, or devices are located by unifying networking and security services in a cloud-delivered architecture to protect users, applications, and data everywhere. Given that users and applications are no longer on a corporate network, security measures can’t depend on conventional hardware appliances at the network edge. Instead, SASE promises to deliver the necessary networking and security as cloud-delivered services. Done properly, a SASE model eliminates perimeter-based appliances and legacy solutions. Instead of delivering the traffic to an appliance for security, users connect to the SASE cloud service to safely use applications and data with the consistent enforcement of security policy.

Security: What are some of the best practices for the adoption of this initiative?

Lamont: When adopting SASE, organizations must evaluate their current security measures and determine exactly how they want them to grow. This means increasing awareness and visibility while placing core inspection points between users and apps.

By approaching SASE as a series of informed investments and implementations, each game-changing in its own right, organizations can deliver continuous, dramatic results as they steer themselves away from their parochial data center–centric worldview to one able to fully and securely reap the many benefits of the cloud.

At a minimum, organizations need thorough visibility into cloud user activity if they want to be confident in any new solution and to ensure an organization’s decision-makers are on board.

Whether it’s the result of shadow IT that has been knowingly ignored or a more deliberate process of business digitalization, old and outmoded security systems have been blind to these details.

By replacing old Secure Web Gateway (SWG) and similar appliances, organizations can finally have complete visibility into who’s using non-enterprise-grade applications and services and what enterprise data is being sent “out there” beyond their control.