How Confident Are You in Your Security Posture?
Published 01/30/2023
Originally published by Contino.
Written by Marcus Maxwell, Security Practice Lead, Contino.
Comparison might be the thief of joy, but it can also be a vital sign that you’re on the right (or wrong) track.
Our customers often ask us how their security postures compare to those of other organisations. To help us give a more comprehensive answer, we decided to commission a survey of more than 350 people working in senior leadership roles in the enterprise.
From confidence levels to security practices, The State of Cloud Security in the Enterprise report is a brilliant conversation starter and will give you much food for thought that, we hope, will help you take important steps to straightening up your security posture where needed.
Misplaced confidence?
One of the most interesting findings was that 73% of respondents believe their security postures are better than most.
If you’re as confident as our respondents, we really hope it’s an indication that everything is tip-top in your organisation! However, when confidence isn’t rooted in hard facts, it might actually mean you’re more at risk and vulnerable to outsider (and insider) threats.
In the same way that people who think they’re bad drivers might actually be more cautious on the roads while confident drivers might be more likely to speed, it’s important to make sure that high confidence in your security posture isn’t a sign of a gung-ho attitude and unnecessary risk-taking.
Signs of Good Security Posture
To make sure confidence is well-founded, we need reference points for what good looks like. Here are our top three signs that you’re a high performer when it comes to cloud security; if you don’t have all three, read our new report on The State of Cloud Security in the Enterprise for insights into what you could be doing better.
1. Smooth Route to Live
If you have a smooth route to go-live, chances are security isn’t a blocker, but rather an accelerator for delivery.
This might mean you have:
- A well-defined release process that specifies when particular security aspects have to be completed, with examples on how to do them
- Guardrails built-in, meaning that as long as teams operate inside the constraints of those guardrails, they can launch fast with the confidence they meet most requirements for go-live
2. Measure Everything
If you don’t measure, you can’t know if you’re improving. While it’s true that any metrics in the organisation will be gamed, it’s still important to measure things like:
- How quickly a team can meet their cloud control requirements
- How long the security operations centre (SOC) spends investigating a potential breach of a Kubernetes cluster, for example
- Mean time to detect, respond, correct (MTTD/MTTR/MTTC)
- How long it takes to get through all the security gates
- Which steps in CI/CD take the longest
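The metrics above are only useful if they are computed the same way every time, so here is an added example (not Contino's code or anything from the report) that turns a handful of constructed incident and pipeline records into MTTD/MTTR/MTTC, the total time spent in security gates, and a ranking of the slowest CI/CD stages. It assumes the following definitions, which vary between organisations: MTTD is compromise-to-alert, MTTR is alert-to-first-responder-action, and MTTC is alert-to-root-cause-fixed. Incidents that are still open are excluded from the averages they cannot yet contribute to rather than silently skewing them, and an incident whose timestamps are out of order is rejected instead of producing a negative time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

HOUR = timedelta(hours=1)
MINUTE = timedelta(minutes=1)


@dataclass
class Incident:
    """One security incident on a timeline (all timestamps are hypothetical)."""
    name: str
    occurred: datetime                 # when the compromise or misconfiguration began
    detected: datetime                 # when monitoring / the SOC raised an alert
    responded: Optional[datetime] = None  # first responder action (containment)
    corrected: Optional[datetime] = None  # root cause fixed; None while still open

    def validate(self) -> None:
        """Reject timelines that run backwards; a negative TTD or TTR is a data error."""
        stages = [("occurred", self.occurred), ("detected", self.detected),
                  ("responded", self.responded), ("corrected", self.corrected)]
        known = [(label, ts) for label, ts in stages if ts is not None]
        for (a, ta), (b, tb) in zip(known, known[1:]):
            if tb < ta:
                raise ValueError(f"{self.name}: {b} ({tb}) precedes {a} ({ta})")


def _mean_hours(deltas) -> Optional[float]:
    """Mean of a list of timedeltas in hours, rounded to 2 dp; None if the list is empty."""
    return round(mean(d / HOUR for d in deltas), 2) if deltas else None


def mean_times(incidents) -> dict:
    """MTTD, MTTR and MTTC in hours under the definitions stated in the lead-in."""
    for inc in incidents:
        inc.validate()
    ttd = [i.detected - i.occurred for i in incidents]
    ttr = [i.responded - i.detected for i in incidents if i.responded is not None]
    ttc = [i.corrected - i.detected for i in incidents if i.corrected is not None]
    return {
        "mttd_hours": _mean_hours(ttd),
        "mttr_hours": _mean_hours(ttr),
        "mttc_hours": _mean_hours(ttc),
        "open_incidents": sum(1 for i in incidents if i.corrected is None),
    }


@dataclass
class Stage:
    """One CI/CD pipeline stage; `security_gate` marks stages the text calls security gates."""
    name: str
    started: datetime
    finished: datetime
    security_gate: bool = False

    @property
    def minutes(self) -> float:
        return (self.finished - self.started) / MINUTE


def slowest_stages(stages):
    """Stages ranked by duration, longest first, as (name, minutes) pairs."""
    return sorted(((s.name, s.minutes) for s in stages), key=lambda p: p[1], reverse=True)


def gate_time_minutes(stages) -> float:
    """Total wall-clock minutes a release spends inside the security gates."""
    return sum(s.minutes for s in stages if s.security_gate)


# Constructed sample data: three incidents, one of which is still open.
T0 = datetime(2023, 1, 1, 0, 0)
INCIDENTS = [
    Incident("leaked-key", T0, T0 + 2 * HOUR, T0 + 2.5 * HOUR, T0 + 6 * HOUR),
    Incident("open-bucket", T0 + 58 * HOUR, T0 + 106 * HOUR, T0 + 107 * HOUR, T0 + 130 * HOUR),
    Incident("k8s-priv-pod", T0 + 176 * HOUR, T0 + 177 * HOUR, T0 + 177.25 * HOUR, None),
]

# Constructed sample pipeline run with two security-gate stages.
P0 = datetime(2023, 1, 10, 9, 0)
PIPELINE = [
    Stage("build", P0, P0 + 4 * MINUTE),
    Stage("unit-tests", P0 + 4 * MINUTE, P0 + 10 * MINUTE),
    Stage("sast", P0 + 10 * MINUTE, P0 + 22 * MINUTE, security_gate=True),
    Stage("container-scan", P0 + 22 * MINUTE, P0 + 31 * MINUTE, security_gate=True),
    Stage("deploy", P0 + 31 * MINUTE, P0 + 34 * MINUTE),
]

if __name__ == "__main__":
    print(mean_times(INCIDENTS))
    print("gate minutes:", gate_time_minutes(PIPELINE))
    print("slowest stages:", slowest_stages(PIPELINE)[:2])
```

The point of reporting `open_incidents` alongside the averages is that an MTTC computed only over closed incidents flatters the number; the count of what is still unresolved is the honest companion figure. Feeding the same functions a month of real ticket and pipeline data is a matter of replacing the constructed lists.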
3. Happy Teams
One of the most important things for security teams in an organisation is to ensure that teams are happy with the security situation in the business. Security is often considered to be—or at least joked about being—a main blocker, which results in teams:
- Looking for workarounds, because the “official” way takes ages to do anything, which can lead to a ton of shadow IT
- Not engaging with the security team, which means you don’t get feedback and can’t improve
It’s crucial that security teams try to engage with multiple teams and understand their pain points, delivery pressures and the business requirements. Empathy goes a long way!
For more insights and figures from our 2022 survey, check out our report on the State of Cloud Security in the Enterprise.
About the Author
Marcus Maxwell is a Security Practice Lead at Contino. He helps large enterprises with their security requirements and aspirations. This ranges from building an internal DevSecOps culture that allows them to ship products quickly and securely, to collaborating with internal IT/Security/Risk teams to uplift their cloud-native capabilities while meeting controls and compliance requirements.