ESG recently surveyed 371 IT and cybersecurity professionals with responsibility for cloud programs at organizations in North America to get their input on how their data protection and security standards are evolving due to the composition of their cloud applications.  To learn more and understand the results found from this study, VMblog spoke with Doug Dooley, chief operating officer at Data Theorem.

VMblog:  Industry analyst firm Enterprise Strategy Group (ESG) recently conducted an independent study.  What does the study cover and why was this data important to discover?

Doug Dooley:  ESG completed this study to discover the composition of cloud-native applications, their challenges, and future priorities for securing cloud-native applications. Those participating in the study were from organizations that are mature cloud users in terms of public cloud services and/or container usage across a wide range of industries, and it was important to see what organizations are doing when it comes to securing their cloud-native apps, particularly with DevSecOps. This is because fundamental changes to application architectures and the infrastructure platforms that host them are antiquating existing cybersecurity technologies and challenging traditional approaches to protecting business-critical workloads.

VMblog:  Before we jump into highlights of ESG's study, for those readers who are interested in much more of the results than we can cover today, where can they go to access the results for themselves?

Dooley:  Yes, that is a good idea. Readers can access the full set of results we have available at https://www.datatheorem.com/resources/reports/esg-security-for-devops.

VMblog:  What interested you the most about the findings and why?

Dooley:  New applications and APIs are seeing explosive growth in the public cloud and mainstream acceptance appears to be accelerating. The ESG report results surprised us on the breadth and depth of enterprise adoption of cloud-native features only found in public cloud.

Dooley:  The most important findings were related to API security, serverless adoption, and the state of security automation for DevOps. For example, more than half of respondents indicated their organization's software developers are already using serverless functions to some extent, with another 44 percent either evaluating or planning to start using serverless within the next two years.

VMblog: What are some of the biggest revelations that were uncovered by this?

Dooley:  The biggest revelation was revealed in the numbers on serverless application adoption.  DevOps teams in the enterprise are building globally scalable apps simpler and cheaper but securing them has become more challenging. Security automation for DevOps or DevSecOps is another area that has shown some adoption but only the top 8 percent of enterprise organizations are using it to secure the majority of their cloud-native applications today. That number is far too small. The security industry will need to address this lack of security automation as more companies build apps and API services natively in the cloud.

VMblog:  What results surprised you the most?

Dooley:  We were surprised that API security was the highest ranked category for current or projected incremental spend. We hear so much about many of the other areas of security, such as malware prevention, data encryption, CSPM, CWPP, and container security. However, it was surprising to see API security as the clear #1 area where enterprises are focusing their energy and investments due to the enormity of data passing through APIs in the public cloud.

VMblog: How does the insight provided by the respondents underscore what your company offers?

Dooley:  Our customers have been telling us for the past few years that API-driven microservices, serverless applications, modern web (SPA), and mobile applications are the bulk of their cloud-native application development growth. These areas are where Data Theorem has been investing in building our differentiated AppSec product portfolio to align with our customers' strategic direction in the cloud. The ESG report encourages us that we remain closely aligned with our enterprise customers and gives us an added sense of urgency because so many customers will need our help over the coming years.

VMblog: Did the ESG study reveal anything that impacts your market strategy?

Dooley:  It's clear no single cloud provider can deliver the breadth of security controls necessary for most DevOps teams. And most DevOps teams have two or more public cloud providers for their business-critical apps. The ESG report highlights that we will need to deepen our partnerships with many of the top cloud providers to build better security capabilities and controls that work across multi-cloud environments that are increasingly mainstream.

VMblog: What are the top three takeaways you want readers to understand from ESG's results?

Dooley:  The top three takeaways are: (a) API security in the cloud, (b) DevSecOps automation, and (c) serverless adoption. API security is arguably the #1 area of incremental investment for DevOps to reduce the impact of a massive data breach. Automation has been a common practice that enables DevOps speed and scale. Security teams need to take advantage of similar automation techniques to keep pace with those application teams using CI/CD and DevOps practices. Serverless adoption is growing faster than most would have expected. The majority of companies are already using it today and it will significantly grow over the next 24 months. The architecture of serverless applications is so new and innovative that most traditional security tools do not interoperate due to no operating system (OS) nor container access. Serverless apps require a new approach to conduct security analysis and protection.

##