Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Download Presentations from the CSA AI Summit at RSAC Now

How Confident Are You in Your Security Posture?

Home
Industry Insights
How Confident Are You in Your Security Posture?

Blog Article Published: 01/30/2023

Originally published by Contino.

Written by Marcus Maxwell, Security Practice Lead, Contino.

Comparison might be the thief of joy, but it can also be a vital sign that you’re on the right (or wrong) track.

Our customers often ask us how their security postures compare to those of other organisations. To help us give a more comprehensive answer, we decided to commission a survey of more than 350 people working in senior leadership roles in the enterprise.

From confidence levels to security practices, The State of Cloud Security in the Enterprise report is a brilliant conversation starter and will give you much food for thought that, we hope, will help you take important steps to straightening up your security posture where needed.

Misplaced confidence?

One of the most interesting findings was that 73% of respondents believe their security postures are better than most.

If you’re as confident as our respondents, we really hope it’s an indication that everything is tip-top in your organisation! However, when confidence isn’t rooted in hard facts, it might actually mean you’re more at risk and vulnerable to outsider (and insider) threats.

In the same way that people who think they’re bad drivers might actually be more cautious on the roads while confident drivers might be more likely to speed, it’s important to make sure that high confidence in your security posture isn’t a sign of a gung-ho attitude and unnecessary risk-taking.

Signs of Good Security Posture

To make sure confidence is well-founded, we need reference points for what good looks like. Here are our top three signs that you’re a high performer when it comes to cloud security; if you don’t have all three, read our new report on The State of Cloud Security in the Enterprise for insights into what you could be doing better.

1. Smooth Route to Live

If you have a smooth route to go-live, chances are security isn’t a blocker, but rather an accelerator for delivery.

This might mean you have:

  • A well-defined release process that specifies when particular security aspects have to be completed, with examples on how to do them
  • Guardrails built-in, meaning that as long as teams operate inside the constraints of those guardrails, they can launch fast with the confidence they meet most requirements for go-live
2. Measure Everything

If you don’t measure, you can’t know if you’re improving. While it’s true that any metrics in the organisation will be gamed, it’s still important to measure things like:

  • How quickly a team cam meet their cloud control requirements
  • How long security operations centre (SOC) spends investigating a potential breach of a Kubernetes cluster, for example
  • Mean-time to detect, respond, correct (MTTD/MTTR/MTTC)
  • How long it takes to get through all the security gates
  • Which steps in CICD take the longest
3. Happy Teams

One of the most important things for security teams in an organisation is to ensure that teams are happy with the security situation in the business. Security is often considered to be—or at least joked about being—a main blocker, which results in teams:

  1. Looking for workarounds, because the “official” way takes ages to do anything, and can which lead to a ton of shadow IT
  2. Not engaging with the security team, which means you don’t get feedback and can’t improve

It’s crucial that security teams try to engage with multiple teams and understand their pain points, delivery pressures and the business requirements. Empathy goes a long way!

For more insights and figures from our 2022 survey, check out our report on the State of Cloud Security in the Enterprise.

About the Author

Marcus Maxwell is a Security Practice Lead at Contino. He helps large enterprises with their security requirements and aspirations. This ranges from building an internal DevSecOps culture that allows them to ship products quickly and securely, to collaborating with internal IT/Security/Risk teams to uplift their cloud-native capabilities while meeting controls and compliance requirements.

Enhancing cloud security strategySurveys

Share this content on your favorite social network today!

Latest from CSA
Confronting Shadow Access Risks: Zero Trust and AI
New Mapping Between CCM and NIST CSF v2.0
CSA's CCZT Wins Global InfoSec Award
Trending This Week
#1 Analysis for CVE-2023-23397 Microsoft Outlook Vulnerability
#2 The 5 SOC 2 Trust Services: Criteria Explained
#3 Cloud Security Threats to Watch Out for in 2023
#4 Zero Trust and AI: Better Together
#5 The Top Cloud Computing Risk Treatment Options
Enhance your cloud security skills with CSA's online training options.
Related Articles:
CSA Community Spotlight: Educating the Security Industry with CISO Rick Doten

Published: 05/08/2024

Navigating Legacy Infrastructure: A CISO’s Strategy for Success

Published: 05/08/2024

Resource Constraints in Kubernetes and Security

Published: 05/06/2024

Business Risks Explored: Practical Insights for Resilience

Published: 05/03/2024