As Businesses Rush to the Cloud, Security Teams Struggle to Keep Up

Published: 23/11/2024   Category: security




Most organizations have a gap between current and planned cloud usage and the maturity of their cloud security programs.



The continued shift to the cloud is driving challenges in preparedness, configuration management, and defending against new attack techniques. Businesses are rushing to move applications to the cloud, putting growing amounts of pressure on security teams to keep pace.
Trust in the public cloud continues to grow, researchers found in the Oracle and KPMG Cloud Threat Report 2020. Forty percent of the 750 IT and security professionals surveyed view the public cloud as more secure than what they can deliver on-premises, marking a 13% year-over-year jump from the 2019 study. Most (88%) currently use public cloud infrastructure services.
When asked about consuming business-critical applications as a service, respondents cite, on average, a 9% increase over the next two years. The shift to software-as-a-service (SaaS) for these applications shows more people are growing comfortable with the security of cloud providers. Enterprise resource planning, customer relationship management, human capital management, and IT services management are among the applications undergoing the transition to cloud, researchers say.
"Many of our clients are at the point where they deployed their first set of important applications, like finance applications in the cloud, supply chain applications … a core set of three to five applications, and that's gone OK," says Steve Barlock, principal with KPMG. What's happening over the past six to 12 months is businesses that have seen early success want to start moving everything to the cloud. "We're seeing a problem of scale right now," he adds.
Survey data shows 92% of companies have a cloud security readiness gap between their current and planned cloud usage and the maturity of their cloud security programs. More than 40% report a wide gap, while 48% say the gap is moderate. The space is created when cloud services and applications are consumed by business units outside the scope of IT and security teams. As the security pros try to catch up, their efforts are perceived as slowing the business down. 
"The shared responsibility picture is just getting worse every year," says Greg Jensen, senior principal director of cloud security at Oracle. Security teams must know what's going into production. Once they do, it takes time to implement monitoring and remediation mechanisms.
This readiness gap manifests in new challenges for IT and security pros: More than three-quarters (78%) say the differences between cloud-resident and on-premises applications and infrastructure require a distinct set of security policies and processes. These differences have led to buying more security controls, driving complexity. Seventy percent report too many tools are needed to protect public cloud environments. On average, each uses more than 100 discrete security controls.
Visibility was a primary issue among respondents. Nearly 30% of respondents said identifying software flaws and remediation was the most important area for improving visibility. Other areas include finding workload configurations that are out of compliance (28%), an audit trail of system-level activity (27%), identifying misconfigured security groups (25%), and detecting external-facing server workloads that don't route Internet traffic via a jump/bastion host (25%).
"The pace of change of underlying technology is tremendous," says Barlock. "It's just hard for teams to keep up with the pace of that change. The other dimension is the scale of the team: Do I have enough people on my security team who are knowledgeable about cloud and can meet the business where they are?"
Barlock, who heads up the cloud and AI division at KPMG, says his team faced the same issues. In response, they reorganized their cybersecurity team to place a stronger focus on cloud and cloud/AI technology. They also grew closer to technology partners and encouraged employees to pursue certifications focused on cloud as well as hands-on skill building, he explains.
A lack of cloud security skills is proving problematic for organizations across the board, Jensen says, noting how many security incidents over the past year could be linked back to cloud configuration issues, including overprivileged credentials, lack of encryption, or unprotected buckets.
"The news is scaring people," he explains. "It's making them realize they are vulnerable because of a lack of understanding and ability to get a handle on security controls."
These challenges are driving businesses to hire more technically savvy cloud security pros. Researchers report more companies have a cloud security architect than a security architect, indicating a rethinking of security programs to close the readiness gap. One increasingly common role is the business information security officer (BISO), now a position at 35% of enterprises and 21% of midmarket companies.
The BISO acts as a liaison between business executives and the CISO, Jensen explains, but it won't replace the security leader. Today's CISOs know organizations are going to pursue cloud-based applications without them. A BISO moves the security team close to the business team and understands the business development life cycle, priorities, and security gaps, he notes. BISOs are driven by business goals and achievement, and their role is to help CISOs and line-of-business owners to collaborate.