Netskope just completed some interesting new research with Doug Cahill, a senior cybersecurity analyst at Enterprise Strategy Group (ESG). We partnered with Doug and the ESG team to conduct this research in order to better understand the business ramifications of different approaches to cloud security.
Our hypothesis was that “cloud forward” organizations – those that adopt more cloud services and are also more open to user-led services (aka “shadow IT”) – would experience different business outcomes than other organizations. As you can see in the new report entitled “The Maturity of Cloud Application Security Strategies,” that hypothesis was correct. “Cloud forward” organizations do experience more positive business outcomes.
This new research is based on surveys of more than 350 worldwide IT and cybersecurity professionals who are involved in their organization’s cloud security program. These surveys were conducted in the first half of 2018, across a wide range of industries and with 88% of respondents coming from larger organizations with more than 1,000 employees.
Stages of Cloud Security Maturity
The research report establishes three different stages of cloud security maturity based on an organization’s approach to cloud security:
- Stage 1. “Discoverers,” who primarily want to discover and assess user-led cloud services, typically with the goal of blocking them or redirecting users to an approved, IT-delivered application.
- Stage 2. “Controllers,” who are primarily focused on securing the rollout of IT-driven cloud services such as Office 365, G Suite, and Box, among others. The focus of this group is to prevent data loss and guard against threats for a limited set of cloud applications.
- Stage 3. “Enablers,” who are well aware of user-led cloud services but understand the business need for those services. Seeking a balance between productivity and security, this group engages their users to understand their needs and permits user-led cloud services while applying non-intrusive controls to enable them safely.
Our research found that 48% of respondents were categorized as discoverers, 31% as controllers, and 21% as enablers.
At Netskope, we’ve seen these different approaches to cloud security with our customers since we entered the market five years ago. Not surprisingly, in the early days the “discover” and “control” approaches were the most common ones that we saw, but over the years we’ve seen more and more of our customers move to the “enable” approach. In many cases, early attempts to “discover and block” user-led cloud services were difficult to maintain, as the business benefits of these services were undeniable.
Varying Business Outcomes by Stage
This research report goes on to help quantify the positive business benefits that mature organizations realize by enabling user-led cloud services. Here are a few of the business benefits highlighted in the report:
- Reacting faster to changing market conditions. Organizations that take advantage of the agility of cloud services to help them innovate and expedite delivery of new products and services feel that they have an edge over their competition. In this report, Stage 3 organizations – “Enablers” – were almost twice as likely to report that they are “always or often ahead of our competition” in their ability to react to changing market conditions.
- Maximizing user productivity with fast time-to-value. “Enablers” were also more likely than other groups to report meeting or beating their application deployment schedules and nearly half of them reported that user-led cloud applications had a “strong positive impact” on user productivity.
- Delivering strong revenue results. Finally, “Enablers” were more likely to report that their organizations were exceeding their revenue expectations, possibly linked to the previous two benefits described above.
I can’t say that these results surprised us. Our intuition has always been that “cloud forward” organizations were more agile and productive. And with many successful, publicly traded companies included in our growing list of customers, we know firsthand that many “cloud forward” organizations experience strong financial performance.
If you’d like a copy of this new report, you can find it here. And if you’re wondering where your organization fits on the cloud security maturity curve, we invite you to take this self-assessment. It will help you see where you stand relative to your peers and get recommendations on how to take a more mature approach to cloud security in your own organization.