This post is also available in: 日本語 (Japanese)
At the risk of undermining my own career, I'm going to bring you all in on a secret: cloud security does not exist. Rather, there is "scale the business" security, "better serve our customers" security, "drive innovation" security… the list goes on. This is a bit of a joke, of course. Cloud security is very real. But this highlights one of the lessons learned from our second-annual industry survey, The State of Cloud Native Security Report, 2022 – stronger security can help improve other business outcomes.
Unsurprisingly, the past two years have seen a rapid acceleration of cloud adoption across all countries and types of organizations. We've learned from reaching out to more than 3,000 professionals across security, development and IT that success is more likely when an organization has a cohesive strategy for moving to the cloud. There needs to be a driving factor that shapes what adoption needs to look like. In other words, leaders need to think about why they are trying to secure the cloud – do they need "improve competitiveness" security, "better enable developers" security or something else?
We found that organizations that embrace security and automation, as part of that cloud adoption strategy, show a wide number of better business outcomes. Case in point, 80% of organizations with strong cloud security posture reported increased workforce productivity, and 85% of those with low "friction" between security and development/DevOps teams report the same.
Let's look at a few other takeaways from this year's State of Cloud Native Security Report.
The COVID-19 pandemic affected cloud adoption strategies for nearly every organization over the past year. Data from our cloud security survey shows businesses moved quickly responding to increased cloud demands. Nearly 70% of organizations are now hosting more than half of their workloads in the cloud, and overall cloud adoption has grown by 25%.
Previous research from our Unit 42 Threat Intelligence team also shows that many organizations struggled to automate cloud security and mitigate cloud risks associated with that growth. This new report further highlights that importance, showing that organizations with a high level of security automation are two times more likely to have a strong security posture. Furthermore, those that tightly integrate DevSecOps principles into their development lifecycle are over seven times more likely to have a strong or security posture.
The struggle to automate security was not necessarily due to a lack of effort, however. Respondents told us that the top three challenges in moving to the cloud were maintaining comprehensive security, managing technical complexity and meeting compliance requirements, respectively. This aligns very closely with last year's results, showing that no matter the situation or reason an organization moves workloads to the cloud, security remains consistently challenging.
We were able to get unique insights into these challenges, thanks to the speed at which organizations were forced to accelerate adoption strategies last year. The globally condensed timeline for cloud adoption (due to COVID-19) provided something of a natural experiment that allowed us to compare different approaches to cloud security, and see rapid results.
In the report, we identified patterns in approaches to cloud adoption and associated outcomes that led to three representative "peer groups." We call these groups Moderate Adopters, Rapid Expanders, and Established Users. You can read the full report to see which traits make up these groups and how they operate, but our analysis shows clear connections between security and organizational outcomes across all of them.
For example, organizations that successfully navigated a significant growth in cloud workloads during the past year followed these practices:
- Had clear strategic reasons for their growth – an understandable organizational goal.
- Focused on deploying comprehensive tooling from a few trusted providers, as opposed to point solutions from many providers.
- Practiced disciplined, controlled spending, focusing on strategy rather than throwing money at the problem.
- Integrated automation and DevSecOps principles across the cloud native application development lifecycle.
For all organizations, those with high levels of automation are two times more likely to report low levels of team friction among security, development and DevOps.
These are just a few of the fascinating insights from the State of Cloud Native Security Report 2022. Additional findings shed light on the ways that budget and spending affect cloud security, the ways organizations balance security tools and solution providers, and the many additional factors that drove successful (and less successful) cloud adoption during the past year.
Check out our latest cloud security survey for yourself. Visit the report page to download a copy for free.