Security continues to lag behind cloud app dev cycles

Enterprise Strategy Group senior analyst Melinda Marks and I recently completed a research project on cloud threat detection and response. We covered this topic from multiple angles because Melinda's expertise features all things cloud security while my forte is security operations.

To understand cloud threat detection and response, you first need a general sense of how organizations are adopting cloud computing. No surprises here: Our research found 83% of organizations have lifted and shifted workloads to the cloud, 69% use three or more cloud service providers and 25% said at least 30% of their production workloads run on public infrastructure. Additionally, 67% of respondents said at least 30% of their workloads will run on public cloud infrastructure in the next 24 months.

Beyond lifting and shifting existing workloads, organizations are also aggressively deploying cloud-native applications. In fact, 80% of organizations have adopted a DevOps model, and a whopping 75% push new software builds to production at least once per week.

All this cloud development is a lot for security teams to handle -- especially the pace of new software builds. We asked 393 enterprise cloud security professionals from organizations with more than 1,000 employees to identify their biggest challenges caused by rapidly accelerating software development cycles. They reported the following:

• 35% said the security team lacks visibility and control within the development process.
• 34% said software is often released without going through security checks or testing.
• 33% said they lack consistent security processes across different development teams.
• 33% said developers are skipping security processes to meet deadlines.
• 31% said new builds are deployed to production with misconfigurations, vulnerabilities and other security issues.

Holy cyber-risk, Batman. These issues indicate a big disconnect between security and cloud development teams. Recognizing that CISOs can't put the brakes on cloud development and don't want the nickname "Dr. No," what can be done to rectify this unacceptable situation?

First, CISOs need to capture metrics that demonstrate how risky this behavior is and then communicate these metrics with executives and the board. Our research found that 99% of the organizations surveyed have experienced at least one cyber attack specifically related to cloud-hosted applications and infrastructure in the past year, and that misconfigurations, software vulnerabilities and privileged account misuse were the primary initial attack vectors. All these attack vectors can be traced back to insecure development processes and poor cloud application hygiene.

Once executives and the board understand the risks, they'll likely ask for an action plan for cloud application cyber-risk mitigation. As part of this plan, CISOs should do the following:

• Train developers on security. Our research indicated a confrontational situation between security and software development. This is bad for everyone. To alleviate this situation, CISOs should push for continuous security training for software development teams so they understand the risks as well as risk mitigation and compensating controls.
• Offer financial incentives for security improvement. People tend to respond better to carrots than sticks. Try offering small incentives to security and development teams based on metric improvements. Make it a competition to add some spice to the mix.
• Create a secure software development framework. There are plenty of models available, such as the NIST Secure Software Development Framework. Assess several frameworks and choose the guidelines that best fit business and security needs.
• Accelerate DevSecOps efforts. Our research indicated that while many organizations are establishing DevSecOps groups and processes, they trail those of DevOps teams. It's time to play catch up. Get everyone speaking the same language and push for automation and tools integration.
• Establish realistic security milestones. In other words, nothing gets pushed to production unless it passes specific security tests, period.

With cloud computing continually dominating the IT landscape, security needs to be part of the development process from the planning stage onward. There's far too much at risk to wait any longer to make this happen.

Jon Oltsik is a distinguished analyst, fellow and the founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.