Instead of pursuing commercial off-the-shelf software, companies are leaning on cloud-based software as a service, simultaneously replacing on-premise data centers with the cloud.
Chief information security officers have taken notice and have their reservations.
"With our risk appetite, we've been slow to move to the cloud," said Bruce Pawelczyk, director of IT security, governance, risk and compliance and CISO at Raytheon Integrated Defense Systems, while speaking at a Forrester event in National Harbor, Maryland last week.
CISOs often believe on-premise technology is slightly more secure than the cloud, according to Pawelczyk.
Security concerns extend to the software market too.
With SaaS, security leaders focus on where vendor security and proprietary security capabilities meet, according to a McKinsey & Company survey of CISOs and security professionals from more than 60 companies.
There is also a resounding "frustration" with the limited scope of vendor cybersecurity offerings.
CISOs lament vendor shortcomings, including:
A lack of a customer-centric security
Hard-to-understand product security capabilities
Difficult integration with their company's enterprise-security environment
Complicated configurations that ensure compliance
"Companies do not always feel comfortable with the indirect relationship to cybersecurity risk that SaaS presents, mediated as it is through vendor-based protections," according to the report.
CISOs press most for encryption and key management, identity and access management, security monitoring, and incident response.
What CISOs need from SaaS vendors
Cloud environments elicit concerns in CISOs because they have to relinquish a degree of control and visibility to the vendor. And depending on the data a company possesses, that control is harder to let go.
Raytheon is migrating to the cloud with an air of paranoia and steering clear of the public cloud.
The defense contractor started migrating business applications using the private government-designated Microsoft Azure cloud, said Pawelczyk. It's now about halfway through migrating to Microsoft Office 365.
Even CISOs that don't worry about storing government secrets are wary of cloud-based risk. While marketing and email platform Mailchimp uses AWS to some degree, the company has not decided whether it will fully commit to the cloud, according to Olivia Rose, CISO of Mailchimp, while speaking at the event.
Mailchimp is responsible for delivering billions of emails monthly for its customers and safeguarding the data attached to each customer.
The company operates several databases across the U.S. with 24/7 physical security, including biometric scanners and "the usual high tech stuff that data centers always brag about," according to the company.
Safety of on-prem
Even with security reservations and the safety cocoon of on-premise data centers, the cloud is the future — where a secure perimeter is no longer guaranteed.
Clinging onto some resemblance of a perimeter, most large enterprises will maintain a hybrid environment, according to Pawelczyk. The cloud is really there to appease calls for flexibility and scale.
The overall cloud "drum beat" is dictated by corporate IT security, said Pawelczyk. "But different groups, including customers, are pushing us to the cloud."
In contrast, Mailchimp's IT organization makes the decisions around networking, security and infrastructure design, according to Rose. But the final cloud decision is determined by leadership across business lines after deciding which environments are best suited for the cloud.
Even with computing power and scalability feeding the adoption of SaaS and cloud solutions, security can often "disqualify providers from consideration," according to the McKinsey report.
CISOs reported that unease about security provisions or the cost of compensating security controls with SaaS applications relegates them to on-premise solutions.
One of the companies surveyed by McKinsey said it reverted to an existing application version after its vendor "failed to meet commitments to make the APIs mature" for identity and access management.