A large majority of companies are only at an entry level in terms of their cloud security capabilities, according to a new study.
The research, carried out for cloud infrastructure security company Ermetic by Osterman Research, surveyed 326 organizations in North America that have 500 or more employees and spend a minimum of $1 million each year on cloud infrastructure.
The aim is to establish an industry baseline against the Ermetic Cloud Security Model. The model has four levels:
1 — Ad Hoc
2 — Opportunistic
3 — Repeatable
4 — Automated and Integrated.
“One of the most unexpected findings that emerged from this study was the lack of cloud security maturity among the largest enterprises surveyed,” says Michael Sampson, senior analyst for Osterman Research and author of the report. “Less than 10 percent of companies with more than 10,000 employees reported being at the top two maturity levels, while nearly 20 percent of smaller enterprises have achieved repeatable or automated and integrated cloud security capabilities.”
Among other findings, 42 percent of companies investing more than 50 hours per week on cloud security are achieving the highest levels of maturity (levels three and four). The study also shows that bigger is not necessarily better: only seven percent of companies with more than 10,000 employees are at level three or four in terms of maturity, compared with 18 percent for companies with between 2,500 and 9,999 employees, and 24 percent for companies with 500 to 2,499 employees.
More clouds doesn’t equal more maturity either: the percentage of companies that ranked at the highest levels of maturity decreases with multicloud usage. For example, the number of organizations achieving level three and four capabilities drops nearly 50 percent when going from one to three cloud platforms.
“This survey makes two things very clear. Without the right tools, spending lots of time and resources on cloud security will not necessarily make you more secure,” says Shai Morag, CEO of Ermetic. “And, by focusing on the right priorities you can achieve a very high level of security maturity regardless of your organization’s size.”
The full report is available from the Ermetic site.