Survey of 200 it leaders finds that cloud perceptions, it security reporting structures, and cloud security approaches are changing
By Cameron Coles, Senior Product Marketing Manager, Skyhigh Networks
After years of IT leaders loudly voicing their concerns about the security of the cloud, trust in cloud services is now virtually on par with on-premises applications. That’s according to a survey conducted by the Cloud Security Alliance released this week (download a free copy here). It’s just one finding in the 26-page report drawn from a survey of over 200 IT executives about the state of cloud adoption, the evolving role of IT, and how enterprises approach cloud security. While trust in the cloud may be on the rise, that doesn’t mean companies aren’t looking to implement many of the same security controls they did for their on-premises systems.
“As data leaves the company data center for the cloud, IT is caught between delivering technologies to support innovation and growth in the business and securing sensitive data against proliferating threats.”
– Cloud Security Alliance “The Cloud Balancing Act for IT: Between Promise and Peril
64.9% of IT trusts the cloud as much or more than on-premises software
It’s a well-established conceit, heard whenever IT executives are discussing the merits of cloud projects, that “the cloud is not secure” but that’s changing. Despite concerns about the security of corporate data moving to the cloud, just 35.0% of IT leaders believe that, as a general rule, cloud-based systems of record are less secure than their on-premises counterparts. A majority, 64.9%, say that the cloud is either more secure than on-premises software or equally secure. One potential reason for this is that cloud providers like Salesforce and Workday have invested heavily in security, extending beyond even what some of their customers do to secure their on-premises applications.
While IT leaders are more confident in the platform security of cloud applications, there’s still a lot that can go wrong. Careless or malicious insiders, compromised accounts, and misconfigured security settings can all lead to data loss, even within enterprise-ready cloud services whose platforms are arguably more secure than what most companies run in their own data centers. Perhaps that’s why the ability to enforce corporate security policies is the number one barrier to moving applications to the cloud, indicated by 67.8% of IT leaders. That’s followed by the need to comply with regulatory requirements (61.2%) and lack of budget to replace legacy systems (31.6%).
64.9% of IT leaders say the cloud is as secure or more secure than
The top barrier to securing data is a lack of skilled security professionals
Surprisingly, the biggest barrier to stopping incidents that result in data loss is not a limitation with security technology or budgeting; it’s a human resource limitation. Companies are struggling to find and hire skilled employees to take advantage of their security technology. That’s because businesses are hiring IT security professionals faster than the market can educate, train, and develop experienced security professionals. In August, it was reported that JP Morgan expected to spend $500 million on cyber security in 2015, double its 2014 budget of $250 million. Rapid hiring is leading to a shortage of people to fill open positions.
A 2015 report from labor analytics firm Burning Glass shows that cyber security job postings grew 91% from 2010 to 2014, more than three times the rate of growth in all IT jobs. More than a third (35%) of cyber security jobs require industry certifications such as CISSP, 84% of postings require at least a bachelor’s degree, and 83% require at least three years of experience. However, education, certifications, and experience pay off for security professionals. The same report revealed that cyber security jobs have a 9% salary premium over other IT jobs. That’s why some say it’s the hottest job of 2016 and one with job security.
24.6% of companies would pay a ransom to prevent a cyber attack
In the now infamous Sony cyber attack, hackers contacted the company and demanded a ransom before making over 100 terabytes of sensitive company data public and crippling its IT infrastructure. In the CSA survey, the greatest concern reported by IT leaders about the impact of a cyber attack is the loss of reputation and trust, followed by financial loss. In the Sony attack, external analysts estimate it cost the company $35 million to deal with the immediate aftermath of the data breach and another $83 million to completely rebuild its damaged IT infrastructure.
It’s not clear whether Sony could have stopped the release of company data if it had responded to hacker demands in the days leading up to data dump (or if, indeed, the company attempted to answer the demands of the attackers). Nevertheless, if faced with a situation in which hackers have stolen information in a major breach and plan to make the information public, 24.6% of companies would be willing to pay a ransom to prevent the release of sensitive information. Across all companies, 14.0% would be willing to pay a ransom in excess of $1 million to prevent the release of such information. Not surprisingly, companies with cyber insurance were more likely to be willing to pay a ransom to stop a breach (28.6% vs 22.6%).
14% of companies would pay a ransom of $1+ million to prevent the release of data stolen by hackers
Systems of record are the next wave of cloud adoption
In 2011, Geoffrey Moore introduced the concept of systems of engagement and predicted they would be the next wave in enterprise IT. Systems of record, which capture every dimension of data relevant to a company and process that data, were the focus of information technology initiatives last century. The new focus, he said, was on systems of engagement that enabled greater collaboration and communication. These new tools allow users to share files and information and communicate in real time via video and chat, and they were built from the ground up to run in the cloud.
Fast-forward a couple years and Moore’s prediction appears prescient. Companies have invested in a new generation of communication and collaboration tools that are cloud-native. However, as more companies experience the benefits of cloud computing, they are beginning to look toward extending these benefits to their systems of record. Systems of record, far from being left behind in legacy on-premises data centers, are starting to move to the cloud. The most common system of record to be deployed in the cloud today is customer relationship management (CRM) solutions but nearly one third of companies plan to migrate their accounting/finance, HRM, and IT service management systems to the cloud.
Companies with a CISO are more prepared for a cyber attack
Companies with an executive in charge of information security, known as the chief information security officer (CISO), are more confident about their internal strategy to operationalize threat data. One of the reasons that companies with a CISO may be more confident is that they are more likely to have an incident response plan. Across all companies, 82.2% have some form of an incident response plan that details how the company would respond to a serious breach, including security remediation, legal, public relations, and customer support. However, fewer than half of these companies have a complete plan that covers all of these areas.
Just 19.0% of companies without a CISO have a complete incident response plan. However, 53.8% of companies with a CISO have a complete incident response plan. Companies with a CISO are also more likely to have cyber insurance to protect against the cost of a data breach. Across all companies, 24.6% have cyber insurance. However, just 17.2% of companies without a CISO have insurance compared with 29.2% of companies with a CISO. This insurance can help pay for the cost of a major cyber attack. Following the Target credit card breach in 2013, the company’s insurance covered $90 million of the $264 million cost related to the attack.
53.8% of companies with a CISO have a complete incident response plan
vs 19.0% of companies without a CISO