Companies are struggling to keep up with cloud security, with 55% of security professionals believing at least half their time is wasted, in part because security event data is of uneven quality, which leads to false positives, according to a new report.
According to the report by cloud automation firm Lacework, based on a survey of 500 security practitioners and 200 executives, the vast majority of respondents regularly have to deal with at least a 20% false-positive rate and a third deal with a 50% false-positive rate. The analysts are not alone: Only a third of developers believe that the time spent on security is meaningful, according to the survey.
The outlook of security analysts should be a sign for organizations that they need to change the way they're securing cloud infrastructure and services, says Mark Nunnikhoven, distinguished cloud strategist at Lacework.
"There is always security work to be done, so if people are doing work that they are finding not meaningful, we need to get the right information to them at the right time so they can do security," he says. "There is a big disconnect between how organizations view the cloud, how they are using the cloud to try to move forward and innovate faster, and how security is struggling to keep up with traditional approaches."
COVID to Cloud
Following the start of the coronavirus pandemic, organizations quickly moved operations to the cloud to support their now-distributed workforce. But after two years, companies still have a way to go before moving all of their operations to the cloud, as fewer than half of respondents to the Lacework survey (46%) considered their most important applications to be cloud-native. However, security professionals see cloud as the future, with almost all believing that every new digital workload will be deployed to a cloud-native platform in 2025.
Yet the shortage of meaningful data from the cloud means that companies lack visibility into their cloud services, infrastructure, and workloads. Gaining that security visibility in real time, so-called "observability," will be a key challenge for cloud-native companies, says Jeff Pollard, vice president and principal analyst at Forrester Research, a market research firm.
"Cloud apps — especially those that aren’t security related — likely won’t have the type of security details" that are needed, he says. "And that means our existing management and monitoring tools within security operations lack the ability to detect potential security issues beyond rudimentary alerts around authentication, for example."
The shortage in skilled security professionals continues to haunt the security industry, with cloud and application security skills the most in-demand. In 2020, employment-analytics firm Burning Glass Technologies predicted the demand for cloud security professionals would grow by 115% over five years, and fetch a premium of $15,000, the highest premium for security skills. Only professionals with application security experience were expected to be in greater demand, with a five-year growth rate of 164%, according to the Burning Glass analysis.
The lack of security professionals meeting the specific cloud-security needs of companies is not necessarily a problem, but an opportunity, says Lacework's Nunnikhoven.
"The gap seems to be getting bigger every year, with people unable to find people with the right security skills," he says. "I think that it is a problem in the short term, but it might be a blessing in the long term because the lack of a ready pool of capable cybersecurity folks means that we have to rethink how we approach cloud security."
Most companies are looking for ways to augment their cloud-security operation with machine learning. More than three-quarters of respondents agreed that machine learning has practical applications in security, while less than a quarter dismissed it as a buzzword.
Nunnikhoven argues that both automation and machine-learning models need to be better applied to reduce the workload for security professionals.
"There is a problem with the quality of the information that we are providing to people," he says. "We do not automate nearly enough."
However, automating processes without due diligence or considering the potential impact is a recipe for problems, says Forrester's Pollard. Security operations rely on analytical and investigative steps, and while technology can augment those steps, it cannot entirely replace them, he says.
"Where automation can and usually does help is in the tactical, repeatable steps of the analysis and investigation phases," Pollard says. "These are tactical, repeatable steps that are unlikely to disrupt operations if mistakes are made [and] that analysts often have to wait on to do themselves or switch into multiple interfaces" or systems.