Devo Technology announced the results of a report assessing the current state and pace of change with regard to enterprise cloud transformation initiatives and the ramifications for teams running a Security Operations Center (SOC). The report, “Beyond Cloud Adoption: How to Embrace the Cloud for Security and Business Benefits,” found that the global pandemic accelerated business transformation far past the cloud tipping point and uncovered severe and far-reaching implications for security teams. It also revealed that forward-thinking and high-performing organizations took this opportunity to face the challenges head-on, and their businesses are far better for it—with more than half of high-performing organizations seeing gains in capabilities and visibility.
The findings come from a survey conducted by the Enterprise Strategy Group (ESG) comprising 500 IT and security personnel in the ‘SOC chain of command’ at enterprise-class (i.e., more than 1,000 employees) organizations in North America and Western Europe in January 2021.
The global pandemic, and associated surge in remote work, accelerated a massive move to the cloud with cloud-first organizations now outnumbering on-premise organizations by a ratio of three-to-one, with 81% of organizations voicing that COVID had accelerated their cloud timelines and plans. Across these companies, there was a 200% jump in organizations planning to move more than 75% of their apps/workloads to the cloud, with 86% of companies placing cloud options in their decision process for new applications, and more than 40% choosing the cloud as their first option.
“It could not be more clear from our conversations with these companies that cloud considerations are no longer a project-based decision, but an ‘all-in’ business strategy,” said Jon Oltsik, Senior Principal Analyst & ESG Fellow. “Even at a time of increasing regulations and risks—and increasing IT complexity driven by cloud computing proliferation—organizations are moving aggressively to transform their businesses.”
With such a massive and rapid shift, the current infrastructure of technology and people is not well aligned with these new realities. Respondents cited significant issues of complexity and overload—most notably, 80% citing as much as 40% more security data that they need to analyze and act on. The staffing costs are also high, with 41% citing challenges of increased workload and 35% identifying a security skill mismatch—all resulting in higher exposure. Sixty percent of organizations have seen an increase in threat and attack complexity, and in more than 60% the shift has exposed weaknesses in legacy security toolsets.
ESG designated the 22% of organizations deemed high performing as “Cloud Evangelists,” characterizing them as businesses with high adoption rates of cloud and cloud-based security controls. With nearly 80 percent of these organizations seeing an increase in security spending for cloud, those moving aggressively to transform their security made substantive changes, including:
- More than 40% have implemented automated security processes to detect and respond to attacks on cloud workloads.
- More than half have instituted cloud security training for the SOC, and 36% added security staff.
- Nearly 90% believe their organization’s public cloud security spending will increase over the next 12 months.
Douglas Murray, CEO at Valtix, a Santa Clara, Calif.-based provider of cloud native network security services, says, "ESG’s research echoes what we hear on a daily basis from our customers. With 68% of survey respondents saying that to move to the public cloud introduces more complexity and two-thirds not having confidence in cloud visibility, a tipping point is coming."
Murray adds, "Cloud is different; it is much more dynamic and distributed than the on-prem Data Center world. The speed with which the cloud moves is also much faster. Organizations that have tried to port their existing on-prem-focused security tools to the cloud quickly realize the challenges. Organizations are increasingly turning to cloud-native platforms for network security and other domains. Only cloud-native platforms can keep up with the speed and complexity of the cloud and ultimately increase visibility and control with a more dynamic security model."
The all-in approach taken by Cloud Evangelists has not only allowed organizations to keep pace with change, but has also positively affected the operational strength of the business overall. More than 50% said these security changes increased the pace of application development and deployment, and 62 percent indicated it eased the ability to adopt new technologies. Finally, 56% cited “high confidence” in security visibility into cloud workloads.
These changes by Cloud Evangelists highlight the organizational differences from another group identified in the report, Cloud Adopters (11% of survey participants), which represents organizations that are adopting cloud computing but are not as aggressive toward adoption of cloud-based security controls. When it comes to this group that is on the right track of shifting to the cloud, the report findings showed:
- Adopters report a less significant positive impact of cloud computing on adopting new technologies, with only 42% reporting a positive impact.
- Adopters are also playing catch-up to Evangelists when it comes to resources. Thirty-six percent of Adopters are adding capacity or resources to security compared to 48% among Evangelists.
- Adopters are nearly neck-and-neck with Evangelists with 24% strongly agreeing that adopting cloud computing exposed limitations of existing tools in providing security visibility.
John Morgan, CEO at Confluera, a Palo Alto, Calif.-based provider of cloud cybersecurity detection and response, notes, "There are a couple of stats from the report that organizations should pay special attention to. The report states that 43% of organizations have at least half of their security tools and controls deployed in the cloud. While such a percentage shows progress, it also demonstrates the gap between cloud deployments and security in which security continues to lag the organizations’ shift to the cloud. The stat also demonstrates the state of transition many organizations are going through from on-premise to the cloud and how such a transition cannot happen overnight. Security solutions must be able to accommodate this transition for the long haul."
Morgan adds, "The report states that 68% believe cloud computing has made IT and security operations more complex. The lack of familiarity with cloud security and challenges in moving existing security policies and controls are some of the common challenges organizations face. With IT and security staff already spread thin with the recent barrage of ransomware and other attacks, adding the complexity of moving existing security solutions to the cloud can result in security exposure organizations cannot afford. Organizations should take this opportunity to assess a new breed of security solutions designed to support the cloud as well as simplifying threat detection and response to better utilize the existing IT resources."