Friction is an innovation killer, especially in the cloud. And when the subject of friction comes up, it's usually focused on the security team's effect on development and operations. It's a legitimate concern, especially since the cloud is proven to spur innovation, enabling development teams to quickly create and deploy new applications. What's talked about less often is the friction that development and operations can cause security teams.
To help you better understand how security teams experience friction, and the effects it can have on C-suite relationships, ExtraHop commissioned the Reducing Cloud Security Friction in the C-Suite report, an independent survey of cybersecurity and IT professionals conducted by Virtual Intelligence Briefing (ViB). According to the survey, 67% of respondents said friction in the cloud makes it more difficult for security teams to do their jobs.
Given the scale and complexity of cloud environments, friction for security teams is a given. There are multiple deployment environments inside each cloud and it's relatively easy to add newly created or third-party apps and also connect with employees, customers, and clients. However, those benefits come at a cost in the form of shadow IT and unmanaged devices.
Bi-directional fiction in the cloud also affects the balancing act between chief information officers (CIOs) and chief information security officers (CISOs). One group, CIOs, wants to take advantage of the speed and efficiency of the cloud, while the other group, CISOs, need to ensure that cloud environments are secure. This point of friction often pops up in cloud migration and digital transformation projects. From there, the friction spreads.
Cloud Migration and Digital Transformation
Cloud migration and digital transformation are key initiatives for organizations of all sizes. Almost half of respondents (48%) described migration and digital transformation as their most important projects. This stat is interesting because the majority of respondents to the survey (53%) hold security job titles. However, the largest single cohort (26%) are IT managers or directors, which likely influenced the results. Still, the survey showed that moving on-premises workloads to the cloud will continue to drive projects and friction.
One way to mitigate the effects of that friction and keep projects on track is to provide security teams and their counterparts in development and operations with the tools and processes they need to understand inventory, risk, and performance before, during, and after migration. When those teams work well together and keep everything on track, it helps mitigate friction, which could slow or stop migration or digital transformation projects and bubble up to the C-suite when projects are delayed due to security concerns.
Cloud Threat Detection and Response
Another key project for survey respondents was cloud detection and response (CDR), with 25% describing it as their most important task. When viewed against cloud migration and digital transformation, cloud detection and response is the security version of a before-and-after photo, since organizations need to defend assets once they're in the cloud. CDR also shows that cloud security is a team sport, with 86% of respondents saying their security team works with other teams for incident response.
This is why aligning people, processes, and technology is essential to creating better outcomes and reducing friction. When you provide security teams and their counterparts in development and operations with tools they can all use, leveraging data they can all share, it eliminates silos and improves communication. Shared tooling also helps align CIOs and CISOs to make a stronger business case for adding new security products. That's important, because 69% of organizations plan to add tools within the next 12 months. And when we look inside that number, more than half (58%) said security—and likely the CISO—controls their tooling budget, but that leaves 42% where the CIO likely holds the budget for new security purchases.
Visibility and Communication Gaps: Two Key Friction Points
When friction between security and development and operations escalates to the CISO-CIO level, visibility and communication gaps are often to blame. We touched on both earlier in the blog, but let's dive in a little deeper.
Friction from Visibility Gaps
Cloud environments are notorious for visibility gaps, and those gaps are present regardless of where in the cloud organizations host workloads. Take infrastructure-as-a-service (IaaS) environments, the most popular in the public cloud. More than half of respondents (53%) said they have visibility gaps in IaaS. It's a troubling statistic, given that two-thirds of organizations use IaaS. A significant percentage also said visibility is an issue in containerized and platform-as-a-service (PaaS) environments, with 44% and 43% admitting to gaps in those deployments, respectively. Again, the popularity of those environments makes the figures stand out. More than half (52%) of organizations leverage containerized environments, and another 42% use PaaS, which drives innovative app development. For security, the visibility friction point is pretty simple: They can't defend what they can't see, so they need tools that work across cloud environments.
Friction from Communication Gaps
Communication gaps are another point of friction, especially between security and development teams. Only 4% of respondents rated communication between the two as excellent, compared to 32% rating comms between security and infrastructure as excellent. Considering the CIO's mandate to take advantage of the speed and efficiency of the cloudand the CISO's mandate to keep it secure, communication issues between security and development can have a major effect on C-suite harmony.
To mitigate that friction and increase security throughout the software development lifecycle, many organizations are adopting a DevSecOps approach. However, it's still better as a concept than it is in reality, with 58% of respondents in a different survey admitting that their development teams have released apps with vulnerabilities. This is another example of why cloud threat detection is an important initiative for organizations. When vulnerable apps are released, organizations need the ability to quickly detect, investigate, and respond to alerts when adversaries take advantage of those vulnerabilities.