Most CIOs today must manage an uncomfortable set of tradeoffs. They are being asked to simultaneously cut costs and invest in AI, while not compromising security. This is no easy feat.

Across industries, even before budgets were cut, IT environments were already under pressure. The cost and complexity of delivering and securing the organization’s data across a variety of internally developed cloud solutions, off-the-shelf SaaS solutions, and legacy on-premises solutions, plus year-over-year increases in the cost of delivering it all, were pushing the boundaries. And the data from these solutions often ends up persisting on endpoints, which makes those endpoints a prime target for attackers looking to steal data and move laterally across the organization.

None of this happened overnight. As business evolved and demanded faster innovation and agility, IT teams did their best with the solutions at hand, struggling to secure the data on a complex and often distributed endpoint architecture.

Why the old model is breaking down

For more than three decades, organizations have explored different access models, including full-featured laptops; mobile form factors like iPads; and, in smaller quantities, thin clients accessing applications delivered through web, SaaS, DaaS, and client/server models. Quite often, it has been a mix of all of them.

Cloud and SaaS were supposed to fix this. But in many cases, they simply shifted capital expense to operational expense, while fragmentation, fragility, and complexity grew alongside the new security technologies that were required. As a result, security costs have run rampant, with some estimates suggesting a comprehensive security stack costs up to 50% of the cost of the endpoint device. While the net result was improved application access across a diverse choice of endpoints, we were left with an endpoint approach that still requires device-centric controls to secure the enterprise data allowed to exist locally on the endpoint. The pressure this creates is no longer theoretical. Boards are asking harder questions about cost control and resilience. CFOs are scrutinizing cloud spend. Regulators are raising expectations around business continuity and access control.

The common thread to all of this is the data that powers the organization. It’s what employees create and need to do their work. It’s the prize that attackers want to steal or hold ransom. It’s why organizations go to the extent that they do to secure it.

It’s worth taking the time to regularly question our architectural assumptions about how we efficiently manage access and the controls around it, not in the sense of restriction, but in the sense of alignment between cost, risk, and business value.

Centralized versus distributed

In past architectural decisions, debate centered on shifting toward a centralized desktop computing model, such as VDI or DaaS, or a distributed computing model of managed laptops and desktops. Centralized desktop access models have always existed for good reasons: control, consistency, resilience, and risk reduction. Distributed desktop access models exist for equally valid reasons: flexibility, local performance, and user autonomy. Most enterprises today operate with a blend of centralized platforms, cloud services, SaaS, local execution, and edge access.

The issue is that these models have been layered on top of one another over time, and when the business eventually steps back to reassess it all, the primary point of assessment is often cost. What the business should also revisit as part of this process is why the data lives where it does, and how access should really be delivered and governed.

The core of the problem is where the data lives

A decision most enterprises haven’t revisited in years is whether there are new ways of solving the problems of application and data security, and whether the current approaches are introducing excessive cost and complexity.

Data is everywhere. It’s in the cloud; in SaaS apps; on endpoints; in our datacenters.

If we really focused on what is important to protect, which is the data, where does that need to be? Do we really need it on endpoints? Can we move the data and a lot of the application services to the cloud or on-prem datacenter? And if so, are there new ways of providing application access to it?

Today, in the distributed desktop model, valuable corporate data ends up living on the endpoint. CIOs are forced to lock it down with so many controls that they destroy the very value of a distributed endpoint, not to mention the significant cost of all those security measures discussed earlier.

But getting the security model wrong also has devastating impacts. Ransomware moves very quickly through an entire network. If a vulnerability exists that it can exploit and is left unpatched throughout the fleet of endpoints and servers, ransomware will continue to move laterally until it gets it all. Ransomware doesn’t care where your employees work or live.

Which brings us to resilience. Beyond an enterprise-wide incident like ransomware, if a device fails, or an update breaks it, then the model is not resilient. At scale, that could mean weeks or months to remediate. Regulators are increasingly requiring organizations to plan for business continuity, not just disaster recovery.

What’s needed is a cost-effective and secure blended approach, where end users get the distributed benefits for latency‑sensitive tasks or browser‑based workflows, combined with the centralized control required to protect sensitive data and regulated environments.

The CIO mandate is no longer optimization – it’s structural integrity

What some organizations are starting to think more about is the concept of structural integrity – ensuring that the enterprise computing model can increase its support of resilience, reliability, and scalability to absorb change without constant reengineering.

Today, what happens if I have to make a business trip to China? At some point, I’m probably going to leave my laptop in the hotel room. How can I maintain the trust of the device and positive asset control? At what point do I not trust the device again, and how do I know my data wasn’t cloned while it was out of my control? When sensitive data resides on each endpoint, and organizations expect all employees to never let the device out of their control, even for a moment, it’s a recipe for loss.

By contrast, as I sit here on a Delta flight from Los Angeles to Dallas, I’m typing to you from an endpoint which is immutable. It’s running Citrix UniconOS on a repurposed laptop. This is a stateless device, where none of the data itself lives locally. I’m utilizing a mix of web apps and Citrix DaaS published applications. The web apps are being secured through Citrix Secure Access with Chrome Enterprise, an enterprise browser with many of the capabilities in Security Service Edge (SSE) but without the complexity and cost.

The best part of this is that the security controls are placed on two applications: Citrix Workspace and Citrix Secure Access with Chrome Enterprise. Data loss is controlled, malware is controlled, and access to approved corporate websites and apps is controlled.

Instead of heavy device-centric controls, we’ve put walls around the apps themselves, inclusive of the enterprise browser, just like we have done with Citrix DaaS for more than 30 years. With a model like this, an organization never has to worry about data loss or compromise on endpoints.

What I get as the end user is the same as I’ve always had on a laptop – portability. I can work anywhere, and without cumbersome device-centric security controls, my device feels a lot snappier. Even if this device is impacted with a hardware fault, I can just jump to another device and continue. Because the device shouldn’t matter.

As a result of eliminating all that security bloat, operational costs dramatically decrease; data sprawl reduces and is easier to protect; complexity decreases; and risk is reduced.

But it’s not just the businesses within Cloud Software Group that can run an operating model like this. Organizations that get this right don’t just run cheaper or more securely. They integrate faster in scenarios like M&A, where speed is essential. They respond to regulations with less disruption. They recover faster and with less business impact from incidents. And they give their business leaders confidence that IT is an enabler, not a constraint.

Shifting to a more intentional enterprise architecture

The next phase of enterprise computing won’t be defined by a single platform or deployment model. It will be defined by intentional choices about where data resides, where work happens, how access is delivered, and how risk, resilience, and cost are balanced. Flexible, persona-based approaches such as Citrix Platform Flex help align delivery and spend with the way work actually gets done.

The centralized versus distributed debate is over. You can have the best of both worlds. What replaces it is far more consequential: whether the environment is designed deliberately – with conscious decisions on where data should live – or whether it’s simply the accumulation of past decisions.

For CIOs, that distinction increasingly defines the difference between control and fragility.