Our seasoned analysts couple their industry-leading B2B research with in-depth buyer intent data for unparalleled insights about critical technology markets.
Clients trust us across their GTMs—from strategy and product development to competitive insights and content creation—because we deliver high-quality, actionable support.
Browse our extensive library of research reports, research-based content, and blogs for actionable data and expert analysis of the latest B2B technology trends, market dynamics, and business opportunities.
ESG conducted research in the fall of 2019 to examine the composition of cloud-native applications, explore the challenges associated with securing cloud-native environments, and gauge the emergence of secure DevOps programs, or “DevSecOps,” as a methodology to protect the lifecycle of modern applications. The number of organizations who have or plan to implement secure DevOps practices has grown appreciably since ESG’s similar study in 2017, leading to an expanded set of use cases and, over time, broader coverage of an organization’s footprint of cloud-native applications. DevSecOps, for the purposes of this ESG brief, is the automation of security via the integration of cybersecurity controls and processes in the continuous integration and continuous delivery (CI/CD) pipeline of DevOps.
It is an obvious move to provide cybersecurity awareness training to employees to ensure their secure use of the company network across multiple cloud and hybrid environments—and it is an arguably altruistic bonus to enhance employee personal life cybersecurity. But does cybersecurity training accomplish what we want it to? Does it effectively stop users from clicking on malicious links in phishing emails or help them recognize a seemingly innocuous email that might offer privileged access to an attacker? Some say yes; some say no. ESG conducted several studies in 2019 that provide insight into respondents’ use of cybersecurity awareness training and their perception of the service.
Today’s announcement of Mimecast acquiring Segasec should help companies close another important gap in the race against the rampant phishing and credential theft attacks.
As Mimecast builds out their Email 3.0 strategy, the acquisition of Segasec will put the heat on bad actors who are busy stealing credentials by impersonating many of the world’s biggest companies. With so many phishing attacks attempting to lead users to fake or impersonated web sites where they unknowingly give up login credentials and other sensitive information, many of the largest online companies become the biggest targets.
Mimecast continues to extend their email security platform to protect against the growing email-led threat vector. While many email security companies have implemented filtering techniques to detect and slow down URL and domain spoofing, impersonation sites have been left unattended. Segasec’s subscription service proactively hunts down impersonation sites and shuts them down. This is kind of like going after the drug dealer’s home instead of the drug user. To accomplish this, Segasec continuously monitors domain name registrations, certificates, social networks, and more, looking for indications of impersonation. And when they find them, they have several methods of blocking access or taking down the impersonated sites.
Enterprise Strategy Group recently completed an interesting study where, rather than surveying IT buyers and practitioners as is normally the case, we targeted employees in non-IT roles like sales, human resources, marketing, and finance. This provided a view of how the typical worker thinks about technology and the impact it has on their professional life. While a lot of the survey focused on end-user focused processes and technologies (mobile devices, applications, voice assistants), respondents were also asked for their perspectives on cybersecurity.
The cybersecurity results are reviewed in detail in this ESG Brief, but some of the high-level takeaways included:
Threats are exacerbated by risky employee behavior – between one in five and one third of employees report downloading personal applications to work devices, sharing sensitive information on public Wi-Fi networks, or disabling/removing AV software. The numbers are even higher for certain types of workers (mobile, senior managers, younger). When cybersecurity best practices get in the way of productivity or convenience, workers will obviously cut corners.
Passwords remain an issue – nearly three-quarters of workers report reusing passwords at least occasionally. This isn’t surprising due to device and application sprawl, but is still worrisome. Single sign-on/password manager technologies are at the top of the list for technologies that workers want to alleviate the frustrating and productivity draining process of managing multiple passwords.
Awareness training is becoming more common, but is still not pervasive – 60% of workers report participating in required cybersecurity training, but only 43% said it was a recurring practice. Companies don’t want to burden their employees with unnecessary or unproductive training. However, when done right, cyber awareness training can make an impactful difference. But this requires going past just checking the box and creating an iterative program of training and testing to focus on the most vulnerable vectors and employees.
Overall, my takeaway was that cybersecurity vendors need to spend more time on the user aspect of security. Accounting for the views of those that are on the top line will become increasingly important as cybersecurity continues to move into the mainstream. That’s happened within the IT department, but there’s still room to grow among the non-IT employee base.
Cybersecurity clearly has the attention of IT departments and executives. High-profile attacks and the resulting direct and indirect costs associated with security breaches have helped drive awareness over the last decade and give security practitioners a louder voice in the organization. However, the average worker is more concerned with maintaining productivity and convenience in their increasingly overlapped work and personal life. Cybersecurity solutions must begin to deliver the technology experience workers demand.
The rapid adoption of containers to support modern application environments is having a significant impact on IT and the underlying technology. This is especially true for the network team, where container adoption is impacting existing network architectures and creating new challenges. As is the case with most transitions, there is a temptation to resist change, but as time and previous technology transformations have demonstrated, these changes must be embraced. Organizations need to ensure that the network is in a position to accelerate the adoption of new technologies.
Hybrid has become the de facto cloud strategy for most organizations and will likely remain so for the foreseeable future. At the same time, there is a lot of discussion in the market regarding modern or cloud-native application environments as organizations look to shift from infrastructure-focused to application-centric management, but what is the reality of container environments in enterprises? ESG research confirms that not only has the adoption of containers been steady—and will continue to be—but also that this usage will play an increasing role in supporting production application environments.
Security analytics and operations can be complex, requiring highly skilled professionals and detailed processes. To overcome these issues, security teams tend to deploy an array of security analytics tools and technologies to collect, process, analyze, and act upon growing volumes of security telemetry. Despite this investment, however, many organizations continue to find it difficult to manage cyber risk or detect and respond to cyber incidents.
How can CISOs address these issues and develop effective security analytics and operations processes? In order to get more insight into these trends, ESG surveyed 406 IT and cybersecurity professionals at organizations in North America (US and Canada) involved with the planning, implementation, and/or operations of their organization’s information security policies, processes (including purchase decisions), or technical safeguards and familiar with their organization’s collection and/or analysis of security data in support of information security management strategy
ESG conducted a comprehensive online survey of IT professionals and software developers at private- and public-sector organizations in North America (US and Canada) between June 7, 2019 and June 17, 2019. To qualify for this survey, respondents were required to be responsible for supporting their organization’s application development environment, including their plans and strategy for containers technology. All respondents were provided an incentive to complete the survey in the form of cash awards and/or cash equivalents.
This Master Survey Results presentation focuses on the current state of application development architectures and methodologies in use in enterprise environments, specifically usage of and plans for containers technology.
ESG’s Master Survey Results provide the complete output of syndicated research surveys in graphical format. In addition to the data, these documents provide background information on the survey, including respondent profiles at an individual and organizational level. It is important to note that these documents do not contain analysis of the data.
This Master Survey Results presentation focuses on the current strategies used for security analytics and operations, including the impact of public cloud resources for processing and storing large and fast growing volumes of security data.
Last week, I attended Cisco’s #InternetForTheFuture event in San Francisco. This was a major announcement for Cisco and marked their entry into selling merchant silicon and optics developed by Cisco. Specifically, it announced Silicon One, the 8000 series portfolio with IOS XR7 and a line of optics solutions
ESG conducted an in-depth survey of 220 cybersecurity professionals concerning their organizations’ usage of, experiences with, and future plans for cybersecurity services. Survey participants represented small (50 to 99 employees), midmarket (100 to 999 employees), and enterprise-class (1,000 employees or more) organizations in North America (United States and Canada).
This research report reveals how cybersecurity service providers can answer IT’s call for help with advisory, implementation, incident, outsourcing, testing, and specialty services, and also covers purchasing trends.