Ermetic released the findings of a research study conducted by Osterman Research on the cloud security maturity level of organizations in North America. The survey found that 84% of respondents were at an entry level (one or two) in terms of their cloud security capabilities and only 16% ranked at the top two levels. Meanwhile, 80% of companies reported they lack a dedicated security team responsible for protecting cloud resources from threats. The survey also revealed the top five priorities that all highly mature companies have in common when it comes to cloud security.

Osterman Research surveyed 326 organizations in North America with 500 or more employees and who spend a minimum of $1 million or more each year on cloud infrastructure to establish an industry baseline against the Ermetic Cloud Security Model. The model was designed to provide organizations with a lightweight framework for determining their maturity level (1 - Ad Hoc, 2- Opportunistic, 3- Repeatable, 4- Automated & Integrated) across multiple domains, while allowing them to develop a specific, actionable roadmap for advancing their capabilities.

"One of the most unexpected findings that emerged from this study was the lack of cloud security maturity among the largest enterprises surveyed," said Michael Sampson, senior analyst for Osterman Research and author of the report. "Less than 10% of companies with more than 10,000 employees reported being at the top two maturity levels, while nearly 20% of smaller enterprises have achieved repeatable or automated & integrated cloud security capabilities."

Other Report Highlights

• Demonstrable ROI: 42% of companies investing more than 50 hours per week on cloud security are achieving the highest levels of maturity (Levels 3 and 4)
• Bigger not better: Only 7% of companies with more than 10,000 employees were at level three or four in terms of maturity, compared with 18% for companies with between 2,500 and 9,999 employees, and 24% for companies with 500 to 2,499 employees
• Overall, maturity is low: 84% of companies were at level one or two (41.5% Ad Hoc and 42.5% Opportunistic) and only 16% at level three or four (11.1% Repeatable and 4.9% Automated & Integrated)
• More clouds doesn't equal more maturity: the percentage of companies that ranked at the highest levels of maturity (3 & 4) decreased with multicloud usage. For example, the number of organizations achieving Repeatable or Automated & Integrated security capabilities dropped nearly 50% when going from one (10%) to three (6%) cloud platforms
• Shared blindspot: 81% of organizations lack full visibility into all resources that are directly accessible from the Internet

"This survey makes two things very clear. Without the right tools, spending lots of time and resources on cloud security will not necessarily make you more secure," said Shai Morag, CEO of Ermetic. "And, by focusing on the right priorities you can achieve a very high level of security maturity regardless of your organization's size."

Five Habits of Highly Mature Companies
Organizations that reported focusing on the five following security priorities achieved the highest levels (3 or 4) of maturity:

1. Detecting general cloud misconfigurations (e.g., unencrypted resources, MFA)
2. Achieving the ability to track and investigate activities performed by human users and applications/service accounts across the cloud infrastructure
3. Establishing Just-in-Time (JIT) access for developers / DevOps / Cloud operations teams to cloud infrastructure environments
4. Evaluating and reporting on alignment with security best practices (e.g., AWS well-architected, CIS) and compliance standards (e.g., NIST, ISO, SOC2, PCI-DSS)
5. Achieving least-privilege for identities in the cloud (both human identities and service accounts)

Resources
A full copy of the survey findings is available here.