CRA Study: Security Leaders Feel Unequipped to Address Cloud Security, Even as Cloud Investments Surge

Published on
October 31, 2022

Misconfigurations, lack of oversight and insufficient visibility among the challenges facing infosec professionals

New York, NY, October 31, 2022 – Organizations continue to transition more and more assets to the cloud, despite concerns among security leaders that rapid adoption of cloud environments could introduce risk tied to potential vulnerabilities and management challenges.

CRA Business Intelligence, the research and content arm of the cybersecurity data and insights company CyberRisk Alliance, conducted a survey of 216 security and IT leaders, security administrators, and compliance professionals in the United States, which revealed that misconfigurations, lack of oversight, and little visibility across the organization are among infosec professionals’ chief concerns about public cloud deployments. According to the report, underwritten by Qualys and Crowdstrike, respondents expressed concern that high-profile, public cloud platforms are easy targets for malicious actors, who use automated tools to scan for cloud misconfigurations and easily gain access to their organi­zation’s cloud-based assets.

Survey respondents also indicated that the Shared Responsibility Model, which  that dictates the security obligations of cloud service providers (CSPs) and cloud customers, is easily misunderstood, prompting concerns about the safety and security of their cloud deployments.

“We would have more peace of mind keeping all of our data on premises, but have found this to be a challenge in our real-world implementation of our data infrastructure,” one respondent said of their organization’s move to the cloud despite the security concerns.

That said, respondents do not appear complacent about security risks. They are finding ways to leverage the security benefits of the cloud and have made plans to invest more on cloud security in the coming year.

Key takeaways from the report reflect this:

  • Nearly two out of three (62%) survey respondents cite improved security among their top goals for current or future cloud deployments and migrations. Lower operational costs (56%) and compliance (50%) are other primary cloud deployment drivers.
  • The Shared Responsibility Framework can be confusing and sometimes misunderstood as security ownership responsibilities typically depend on whether the model is SaaS, PaaS, or IaaS. Some respondents revealed that they, or their IT teams, did not fully comprehend how security worked in their organizations’ public cloud environments and believed they needed to better understand the security and controls to meet their needs under this model.
  • The largest shares of respondents indicated they incorporate vulnerability management (69%) and penetration testing (61%) in their organization’s cloud security strategy. Slightly more than one-third of respondents reported they also include API security, cloud security posture management, container security, static analysis, and cloud workload protection. About one-third of respondents (35%) indicate they are planning to add cloud security posture management to their cloud strategy.

  • Cloud security champions, mostly large organizations with large IT teams (many in the high-tech sector), are at least twice as likely than other organizations to include a variety of cloud security solutions and much more likely to deploy specialized cloud security capabilities, such as application programming interface (API) security, container security, static analysis, dynamic application security testing, infrastructure as code, and software composition analysis.

Despite concerns, most organizations indicate they are likely to invest in cloud security in the coming year, with nearly three in four respondents stating that their spending or budget will increase at some level in the next 12 months.

The full research report is available for download here.

About CyberRisk Alliance  
CyberRisk Alliance (CRA) is a business intelligence company serving the high growth, rapidly evolving cybersecurity community with a diversified portfolio of services that inform, educate, build community, and inspire an efficient marketplace. Our trusted information leverages a unique network of journalists, analysts and influencers, policymakers, and practitioners. CRA’s brands include SC Media, Security Weekly, ChannelE2E, MSSP Alert, InfoSec World, Identiverse, Cybersecurity Collaboration Forum, its research unit CRA Business Intelligence, the peer-to-peer CISO membership network, Cybersecurity Collaborative, and now, the Official Cyber Security Summit and TECHEXPO Top Secret. Click here to learn more.

About Crowdstrike
CrowdStrike has redefined security with the world’s most advanced cloud-native platform that protects and enables the people, processes and technologies that drive modern enterprise. CrowdStrike secures the most critical areas of enterprise risk — endpoints and cloud workloads, identity, and data — to keep customers ahead of today’s adversaries and stop breaches.

Powered by the CrowdStrike Security Cloud, the CrowdStrike Falcon Platform leverages real-time indicators of attack, threat intelligence on evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities — all through a single, lightweight agent. With CrowdStrike, customers benefit from superior protection, better performance, reduced complexity, and immediate time-to-value.

About Qualys
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disrup­tive cloud-based security, compliance and IT solutions with more than 10,000 subscription customers worldwide. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substan­tial cost savings.

The Qualys Cloud Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices.

We're Here to Help

From news, analysis, and insight, to events, communities, custom content and marketing solutions, the CyberRisk Alliance portfolio provides support to the entire cybersecurity ecosystem. We'd love to help support your goals.