Cloud Cybersecurity Research: Oracle, KPMG Findings

Organizations must make cybersecurity fundamental to their culture rather than taking a hodge-podge approach to data security, misconfigured services and new cloud security models, a global survey of 750 IT security professionals found.

Four main themes emerged from the Oracle and KPMG Cloud Threat Report 2020 study of IT professionals in private- and public-sector organizations in North America, Western Europe and Asia-Pacific:

  • Data security keeps IT pros awake at night.
  • Legacy data security models leave IT pros repeating futile tasks.
  • Shifting responsibilities cause more confusion and security breaches.
  • Security-first models require collaboration.

Here are the study’s highlights:

  • 78 percent of organizations use more than 50 discrete cybersecurity products to address security issues; 37 percent use more than 100 cybersecurity products.
  • Organizations that discovered misconfigured cloud services experienced 10 or more data loss incidents in the last year.
  • Only 8 percent of IT security executives fully understand the cloud shared responsibility security model.
  • 87 percent of IT professionals see artificial intelligence/machine learning capabilities as a "must-have" for new security purchases.

"In response to the current challenging environment, companies have accelerated the movement of workloads, and associated sensitive data, to the cloud to support a new way of working, and to help optimize cost models," said Tony Buffomante, KPMG cyber security services global co-leader and U.S. leader. "This is exposing existing vulnerabilities and creating new risks."

Here’s more detail...

On data security.
IT professionals are more concerned about securing their company's data than about locking down their own home, a finding that Oracle and KPMG said points to the fear and trust issues IT professionals experience. Here’s what the study found:

  • 80 percent worry that their cloud service providers will become competitors in their core markets.
  • 92 percent do not trust their organization is well prepared to secure public cloud services.
  • 80 percent believe that recent data breaches experienced by other businesses have increased their organization's focus on securing data moving forward.

On legacy data.
In many cases, IT professionals mix and match different cybersecurity products to address data security, but systems often end up misconfigured. Here’s what the study found:

  • 78 percent of organizations use more than 50 discrete cybersecurity products to address security issues; 37 percent use more than 100 cybersecurity products.
  • Organizations that discovered misconfigured cloud services experienced 10 or more data loss incidents in the last year, including: over-privileged accounts (37 percent); exposed web servers and other types of server workloads (35 percent); lack of multi-factor authentication for access to key services (33 percent).

On shared responsibilities.
As cloud consumption increases, shared responsibility security models are causing confusion among IT pros and cloud service providers. Here’s what the study found:

  • Nearly 90 percent of companies are using software-as-a-service (SaaS) and 76 percent are using infrastructure-as-a-service (IaaS); 50 percent expect to move all their data to the cloud in the next two years.
  • Only 8 percent of IT security executives said they fully understand the shared responsibility security model.
  • 70 percent believe too many specialized tools are required to secure their public cloud footprint.
  • 75 percent have experienced data loss from a cloud service more than once.

On security-first models.
To build a security-first culture, cloud service providers and IT teams must collaborate on hiring, training and retaining skilled IT security pros, and on improving processes and technologies. Here are the study’s findings:

  • 69 percent of organizations said their CISO gets involved in public cloud projects only after a cybersecurity incident has occurred.
  • 73 percent of organizations have or plan to hire a CISO with more cloud security skills.
  • 53 percent of organizations have added a new role called the Business Information Security Officer (BISO) to collaborate with the CISO.
  • 88 percent of IT professionals believe that within the next three years, the majority of their cloud will use intelligent and automated patching and updating.
  • 87 percent of IT professionals see AI/ML capabilities as a "must-have" for new security purchases in order to better protect against fraud, malware and misconfigurations.

"Adopting tools that leverage intelligent automation to help close the skills gap are on the IT spend roadmap for the immediate future and the C-level is methodically unifying the different lines of business with a security-first culture in mind," said Steve Daheb, Oracle Cloud senior vice president.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.