kras99 - stock.adobe.com
The cybersecurity industry is flooded with acronyms and product categories. While intentions are good in terms of grouping related products and shortening product descriptions, having so many acronyms and categories brings more confusion than utility for building effective cloud-native application security strategies.
When cybersecurity categories worked
Market categories are meant to validate the need and opportunity to sell products with certain characteristics to solve customer problems. For vendors, they validate that a market exists for their products, helps them forecast sales opportunities and determines marketing investments based on whether they can capture a portion of the total addressable market for a category.
Ideally, categories should align with customer needs and budget line items. If a product category solves a problem, it justifies budget allocation. Think of going to a store with a shopping list of items you need, then selecting the products that deliver value and meet your needs at a fair price.
In technology business-to-business industries, categories were useful when software product development cycles were longer. Back in the day, vendors had long cycles to develop and release products. This included product development, testing, marketing development, naming the product, planning pricing and packaging a physical product to ship.
Vendors had the opportunity to build and define categories, with the goal of being the only vendor to meet the required needs for features and functions in their category. Then it was exciting to see if category leaders could stay ahead as newer companies tried to unseat them.
Category sprawl for software products and services
The pace of software releases and innovation is much faster today. Instead of designing physical products, we have cloud services that provide platforms and infrastructure to streamline development processes.
A huge benefit to this model is that users don't have to wait for long periods of time for new products and updates. Developers can use continuous integration and continuous delivery pipelines for efficient collaboration to rapidly build new products and release updates. Newer technologies and their rapid evolution, including low- and no-code development and assistive technologies such as generative AI, will continue to make it easier to produce software.
But that creates a problem, too. Companies rapidly create, release and update new types of products that provide value by solving key problems for customers, which creates category sprawl.
Categories align with vendor products, not customer needs
Having spent most of my career in marketing, I admit responsibility in this area. I spent years at vendors briefing industry analysts and influencers about the unique qualities of each product I was marketing. Part of the driver was to not compete with existing products in established categories. If my product's features wouldn't stack up against other vendors in an existing category, the plan was to create a new category.
The problem is that categories have emerged when vendors released new products addressing gaps, but adding multiple products doesn't help organizations protect their cloud applications against threats and attacks.
Let's face it: Categories aren't aligning with customer needs to release secure applications and protect their workloads from attacks and threats. The real problem is that hackers don't think in terms of product categories either -- they just look for vulnerabilities they can exploit.
My TechTarget Enterprise Strategy Group research on cloud security posture management showed that while most organizations say they have strong products and services in place, a vast majority (94%) have faced security incidents in the past 12 months. These incidents resulted in the introduction of cryptojacking malware to mine cryptocurrency, remediation steps that affected service level agreements, unauthorized access to applications, regulatory fines and data loss.
Our latest research, "The Life and Times of Cybersecurity Professionals Volume VI, 2023," found the biggest cybersecurity skills gaps are in application security and cloud computing security. Selecting, deploying, managing and using tools takes time, and manual, tedious processes can burn out staff. Adding more security tools that generate more alerts simply doesn't scale.
Solving problems with tool consolidation and integrations
How can organizations address this? Look for products that effectively address your top challenges while enabling your teams to work efficiently. Organizations are moving to platform approaches and tighter product integrations to pull data together to reduce the work of using multiple siloed tools.
Create effective cloud application security strategy
Consider the following key considerations for an effective cloud application security strategy:
- Collaborate with and support development. I've written previously about opportunities to incorporate security into cloud-native development processes. The first step is to talk to developers and align on goals, such as deploying secure applications, optimizing remediation workflows, etc. Then, collaborate to automate the right security processes and tools to ensure consistency across development teams. This includes testing and setting policies as guardrails, increasing developer efficiency in releasing software that is secure and tested, and remediating issues quickly when they are found in runtime.
- Use cloud service provider (CSP) security features and integrations. Each CSP is architected differently with security features and capabilities in its cloud platform, but each also provides capabilities and features to help its customers secure what they put in the cloud. Using the CSP's features or their integrations with third-party security tools can optimize efficiency compared to needing multiple point tools from separate vendors.
- Focus on gaining context for efficiency for rapid remediation and faster response. A lot of elements scale rapidly with modern software development, including access and permissions, APIs, infrastructure as code and open source software. While these are valuable tools for faster development, they add risk and attack surfaces that need to be addressed. It can be tempting to add more tools in these areas, but if they all generate alerts, separate reports or dashboards, it will take manual work to review their output, and you won't be able to remediate issues in time to avoid incidents. Look for products that can give you context to prioritize what has the highest impact on reducing risk or that can help you rapidly respond to threats and attacks.
Stop the acronym madness
How often do you see new acronyms and have to look them up? And what is included in each category when many seem to overlap? Here are some of the acronyms that you may hear about:
- Static application security testing (SAST).
- Dynamic application security testing (DAST) in application security.
- Interactive application security testing (IAST).
- Software composition analysis (SCA).
- Software bill of materials (SBOM).
- Cloud infrastructure entitlement management (CIEM).
- Application security orchestration and correlation (ASOC).
- Unified vulnerability management (UVM).
- Cloud security posture management (CSPM).
- Data security posture management (DSPM).
- Application security posture management (ASPM).
- Cloud detection and response (CDR).
- Identity threat detection and response (ITDR).
- Network detection and response (NDR).
- Managed detection and response (MDR).
- Extended detection and response (XDR).
- Endpoint detection and response (EDR).
- Cloud-native application protection platform (CNAPP).
- Web application and API protection (WAAP).
- Attack path analysis (APA).
Stop the acronym madness. Instead of building a security strategy around shopping with a list of acronyms or categories, look for tool consolidation and integrations to efficiently solve the problems.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.