Survey respondents believe cloud security overall is improving, but challenges will persist as they pursue advancements
New York, NY, October 26, 2023 – Organizations are more confident in their cloud security efforts than ever, as they focus on multi-layered defenses and make plans in 2024 to incorporate more advanced cloud security tools. Executing those plans will likely remain challenging, according to new research from a September 2023 Cybersecurity Buyer Intelligence survey of 200 security and IT leaders and executives, practitioners, administrators, and compliance professionals.
Respondents have a strong desire to get ahead of threats and to get away from firefighter mode where every action is a reaction. They are fiercely protective of their cloud environments and appear eager to develop protections that can build on existing deployments. But they must tread carefully.
“Choosing the right cloud service provider that aligns with our organization’s security needs can be difficult,” offered one respondent. “Different providers have varying security features, certifications, and performance levels. Also, integrating cloud security measures with our existing on-premises security infrastructure can be cumbersome and will require careful planning.”
Key takeaways from the report:
- The defense-in-depth approach is paying off. Fifty-six percent of respondents express moderate to high levels of confidence in their cloud security. It may not be a coincidence that we see more diversity in cloud security applications, from stricter access controls (77%) via IAM and PAM, to native security services provided by cloud vendors (66%), to more emphasis on monitoring (60%) and encryption (56%). As one respondent says, “[we’re] placing an emphasis on protections at the data layer in addition to the network and physical infrastructure layers” and “transitioning to a multi-layer defense strategy.”
- Companies are taking a bespoke approach to cloud deployments. Some respondents have migrated most – if not all – of their workloads into the cloud. Others have been more cautious, preferring to keep a majority of assets on-prem. While 53% work with just 1 or 2 cloud providers, 48% do business with 3 or more. These arrangements vary based on the needs of a given business, its budget for cloud security, and the demands of the industry.
- Skill gaps and lack of training undermine cloud initiatives. One in four respondents said their organizations grappled with not having sufficient expertise and training to implement cloud security effectively. This difficulty translates to not having dedicated oversight and visibility of cloud operations. “With all of the challenges in cloud security, the challenge our organization is least equipped to currently address is the advanced skill gap in our current resource pool to adequately keep up with constantly changing threat complexity and remediation,” said one respondent.
- Respondents have a cloud visibility problem. Beyond considerations like cost of cloud solutions and the skills shortage, many respondents can trace the majority of their pain points back to limited visibility of their cloud assets. From API security gaps (“there’s always a way to get in that we’re not scanning for”) and misconfigurations (“finding them and stopping the build to address security concerns”), to access management (“keeping track of new hires and terminated employees”) and tools deployment (“we need one pane of glass to look on and observe”), everything hinges on being able to see what’s happening in the cloud.
For more detailed findings and analysis, download the full report.
About CyberRisk Alliance
CyberRisk Alliance (CRA) is a business intelligence company serving the high growth, rapidly evolving cybersecurity community with a diversified portfolio of services that inform, educate, build community, and inspire an efficient marketplace. Our trusted information leverages a unique network of journalists, analysts and influencers, policymakers, and practitioners. CRA’s brands include SC Media, Security Weekly, ChannelE2E, MSSP Alert, InfoSec World, Identiverse, Cybersecurity Collaboration Forum, its research unit CRA Business Intelligence, the peer-to-peer CISO membership network, Cybersecurity Collaborative, the Official Cyber Security Summit, TECHEXPO Top Secret, and LaunchTech Communications.