According to our 2023 survey of 1,420 global IT decision-makers at companies and organizations in seven sectors, 63% of C-suite and board members ranked cybersecurity as their top business concern, marking a 5% increase from the previous year, when cybersecurity also ranked as their top concern.
However, the focus of C-suite security efforts is transitioning from the traditional IT model that prioritized defined perimeters and defenses against outside threats. Today, the emphasis is on cloud-native security, emphasizing safeguards within the cloud, especially at the application level.
Cloud-native security gains focus as IT boundaries blur
Our survey corroborates this transition. With 62% of respondents identifying the threat of cloud architecture attacks as a top risk, there has been a corresponding increase in spend for cloud security as IT boundaries become less defined.
To combat risk, organizations are utilizing the following technologies:
- Cloud-native security (57%)
- Data security (51%)
- Application security (48%) to protect data and code within applications
- Consultative security services (41%)
- Detection and response (38%)
- Identity access management (IAM) (32%)
- Next-gen networking (27%)
The heightened attention on cloud security reflects to a 12% rise in perceived risk of cloud architecture attacks compared to the previous year. Most respondents prioritized investing in cloud-native security and application-centric tools, however many lack the necessary experience to effectively deploy and use these tools. This shortfall leaves organizations vulnerable, leading 53% of respondents to seek help from specialized partners in combating these threats.
The need for adaptive security
The traditional approach of implementing security measures after deploying software or systems is becoming obsolete. Given the dynamic nature of the cloud and its associated threats, such strategies risk leaving vulnerabilities exposed. The modern directive calls for embedding security controls within delivery frameworks from the outset, forging robust architectures that facilitate authorized operations while effectively thwarting unauthorized actions.
It is important to have an ongoing, adaptive approach to cloud-native security. Cloud-native security demands persistent vigilance and adaptation to ever-shifting digital landscapes. With this heightened visibility, security operations can proactively identify and shield unprotected workloads. This agility not only responds to but anticipates evolving digital ecosystems, and plays a crucial role in unmasking and neutralizing hidden threats.
What are the primary threats?
Our research pinpointed the primary threats organizations are concerned with: cloud architecture attacks (62%), advanced persistent threats (APTs) (56%), and exposed vulnerabilities due to "insecure infrastructures" (50%). These findings underscore the urgency for security solutions that transcend conventional perimeters.
Rank the top three threat vectors that are the highest risk for your organization.
- Cloud architecture attacks (62%)
- Advanced persistent threats (APTs) (56%)
- Insecure infrastructure (50%)
- Personnel risk (47%)
- Technical debt (43%)
- Adoption of AI (42%)
Traditional security solutions, anchored around network choke points and reliant on installed agents, are ill-equipped to provide comprehensive visibility or defense against these sophisticated cloud-centric attacks. This inadequacy highlights the critical importance of leveraging the built-in security controls that cloud service providers (CSPs) offer.
Consider Microsoft's strategic move when it introduced its anti-spyware tool, later rebranded as Defender®. This wasn't merely about launching a new product; it was a pivotal step in embedding security functionality directly within the platform's updates, setting a precedent for integrated security measures.
Many companies now recognize the need to integrate protective measures concurrently with, or immediately after, launching new cloud capabilities. For instance, the introduction of advanced threat detection tools, automated patch management and enhanced data encryption are often integral components of these updates. For organizations operating hybrid or on-premises infrastructures, the landscape is enriched by proficient third-party companies. These entities specialize in delivering comprehensive, unified security policies and protective solutions, seamlessly spanning diverse environments.
The availability of cloud-native tools is a breakthrough, yet the real magic lies in the hands of the experts using them. These tools, although sophisticated, aren't self-sufficient — they need skilled professionals who can tailor and optimize them to suit an organization's specific cybersecurity needs.
However, the ability to onboard and keep this talent is anything but easy. Our data shows significant concern among organizations, with 56% expressing difficulties in hiring and retaining the right IT minds. This challenge isn't just about finding skilled individuals; it's about holding onto them in an industry where expectations are high, and the pace of technological advancement is unrelenting. Survey respondents identified the following as common obstacles to recruiting and retaining cybersecurity talent:
- 54% of respondents say staff leave for higher salary, work culture & professional growth opportunities
- 48% say they struggle to adapt training and development programs to employee expectations
- 44% face high demand but low supply of skilled personnel
- 39% are experiencing notable skills gaps in specialized areas
- 36% attribute retention challenges to the complex/fast-paced nature of cybersecurity
- 29% cite inexperience as a recruiting challenge
Navigating the needs of varied cloud security personas
In creating and delivering cloud-native security solutions, we typically see three distinct customer personas, each with its unique needs and challenges:
- The nascent customer: This customer is struggling to get over governance hurdles and needs foundational guidance to navigate the initial complexities of cloud security.
- The greenfield customer: These are the innovators who are launching new projects in the cloud and need assistance in building security protocols from the ground up to ensure their initiatives are secure from the start.
- The mature customer: These are the customers with an established cloud presence who seek thorough evaluations of their existing cloud infrastructures to identify and rectify any latent vulnerabilities.
To efficiently establish a new baseline, many of these customers turn to external security providers for faster process and tooling growth, rather than using in-house staff which can lead to longer timelines and lower quality results.
When seeking quality implementation services, it is important to choose providers who can assess the customer's current progress and smoothly transition their workforce into "Day 2" operations. Regular evaluations are necessary for ensuring up-to-date security practices and addressing potential vulnerabilities from misconfigurations or known attack vectors.
Blueprints for bolstering cloud security
When embarking on the cloud-native security journey, customers often question where to start, and which strategies will yield immediate, impactful enhancements to their security posture.
Typically, we assess two distinct areas: security hygiene and security posture. Hygiene focuses on alignment with industry standards. This foundational measure, however, only scratches the surface. The more profound exploration comes with a cloud security posture assessment, where we deep into an organization’s fabric — its structure, team dynamics and risk framework alignment. Many customers consider the latter to be of value because it identifies root issues rather than just addressing symptoms.
Using the CIS Critical Security Controls framework and conducting regular cloud hygiene reviews also provides a starting point and generates a thorough report and actionable plan for improving overall security. Another option for customers is to assess deviations from established baselines, such as CIS Benchmarks.
The shift-left approach stresses the importance of involving all stakeholders in the development and deployment process to establish a secure environment from the beginning, rather than attempting to address issues after the fact. Here are a few more ideas to help improve your organization's cloud-native journey and get it headed toward optimized scalability, reliability, and flexibility:
- Prioritize periodic checks: Without a robust governance structure, security becomes porous, contentious and disjointed. Engage in routine assessments to ensure your security protocols stay current and effective against new threats.
- Tackle organizational hurdles: Establish and reinforce a resilient governance framework to enhance security and conquer the collaboration challenges that can weaken your security posture.
- Incorporate security into development: Move beyond reliance on isolated security teams or complex procedures. Build a culture that integrates security into every phase of delivery, supported by a governance structure that provides crucial compliance metrics, imbedded controls and adheres to global standards.
- Harness automation: Automation and deployment pipelines are valuable tools for security professionals, enabling them to implement and refine security policies across their cloud workloads. Utilize these technologies to implement, refine and maintain security policies across cloud workloads consistently.
The 2023 Cybersecurity Research Report
About the Authors
Manager, Global Cloud Security Solutions
Scott Schlueter has over 20 years of experience in information technology across diverse industries including higher education, enterprise and managed IT, and healthcare. As an Information Security expert specializing in security architecture and risk-based strategies maximizing security goals, he has become a dynamic leader and articulate communicator with a talent for building business processes with an emphasis on automation and fostering relationships among business units and principles. He is a certified information security professional with extensive experience in enterprise project management, mergers and acquisitions, and maximizing effectiveness of security controls.Read more about Scott Schlueter