Orca Security has released the 2023 & 2024 Cloud Security Strategies Report, which reveals key insights from senior executives about the state of cloud security, including the top objectives, challenges, and strategies.
Orca commissioned the independent firm Gatepoint Research to conduct a survey of 200 executives between January 2023 and February 2024, which they compiled and analyzed in the report. The study focused exclusively on senior decision-makers, with most belonging to the C-suite or holding the title of VP (49%), followed by directors (31%), and senior or department managers (20%).
In this blog, we detail the main findings from the study and discuss the top takeaways.
Executive Summary
Based on the survey, the report offers the following conclusions:
- Most organizations depend on the public cloud. Most respondents maintain a hybrid cloud strategy and operate up to half of their environment in the public cloud.
- Resource constraints headline as the top challenge. Executives identified cost, complexity, and lack of skilled resources as their top challenges—in that order.
- Technology is a key enabler of the top objectives. Executives identified improving infrastructure as their top objective, followed by increasing efficiency and maintaining compliance.
- Most organizations use five or more security tools. Meanwhile, they also report wanting a security solution that can provide full visibility into their cloud estate, automate risk mitigation, and simplify security tools.
“The report underlines what we are seeing in the field, namely that resource constraints in the form of budget and skills are top challenges to cloud security. While on average organizations are purchasing five or more security tools, this does not seem to be providing the much needed visibility and is only adding complexity by having to manage disparate tools. The way forward is a consolidated cloud security platform that provides 100% visibility across cloud estates, is low maintenance, and offers built-in generative AI capabilities to simplify tasks, lower required skill thresholds, and speed up remediation.”
Gil Geron, CEO and Co-founder of Orca Security
Key cloud security strategy findings
Below are the most important takeaways from the study:
- Cloud strategies: 53% of respondents use a hybrid cloud approach, and 64% operate up to half of their environment in the public cloud.
- Cloud security objectives: 28% of respondents identify improving infrastructure as their top cloud security objective, followed by increasing efficiency (25%), maintaining compliance (25%), scaling the security team (13%), and securing supply chains (6%).
- Cloud security challenges: 59% of respondents say budget/cost is the top roadblock to achieving their cloud security objectives, followed by complexity (47%) and lack of skilled resources (41%).
- Perceived changes that will dramatically improve cloud security posture: 47% of respondents say sharpening/increasing visibility across the cloud environment would drive the most improvement, followed by threat prioritization/automate risk mitigation (39%), simplify my cloud security tools (37%), reduce overhead costs (33%), and increase my security team headcount (21%).
- Cloud risks: 57% of respondents identified misconfigurations as their top cloud security risk, followed by unauthorized access (50%), data breaches (35%), insecure APIs (31%), lack of visibility (29%), and malicious insiders (12%).
- Cloud security tools: 55% of respondents say their organization uses at least five security tools, while only 10% use one tool.
Cloud security technology: a pain point or force multiplier?
Cloud security technology is both an impediment and enabler to organizations. That’s one of the underlying themes of the new report, with technology looming among executives’ top challenges and objectives.
As revealed in the report’s findings, most organizations rely on five or more security tools. Coupled with what executives see as the necessary changes to strengthen their cloud security posture—greater cloud visibility, improved threat prioritization/automated risk mitigation, simplified cloud security tools, reduced overhead spend—suggests they remain hampered by the use of multiple disparate solutions, which can have a compounding effect on cost and resource constraints. Siloed technology tends to increase licensing costs, security blind spots, alert fatigue, workflow inefficiencies, and reduced productivity. Each side effect can force security teams to do more with less time, capacity, and overall effectiveness.
Meanwhile, executives report objectives that advanced cloud security technology can readily achieve—that is, improved infrastructure, increased efficiency, and sustained compliance.
How a consolidated CNAPP improves cloud security
These findings point to an important opportunity for organizations to improve their cloud security posture and address the identified challenges. Cloud-native application protection platforms (CNAPPs) provide organizations with comprehensive cloud visibility and capabilities for managing cloud risks and compliance issues from a single pane of glass. CNAPPs consolidate traditional point solutions and address the main challenges and objectives identified in the report.
Let’s see how.
#1. Reduce cost
CNAPPs consolidate the cloud security capabilities of many point solutions, including cloud security posture management (CSPM), cloud workload protection (CWPP), cloud infrastructure entitlements management (CIEM), and more. By bringing this together in one integrated platform, CNAPPs can lower licensing costs, save time, and increase efficiency. This can boost ROI and alleviate budgetary constraints.
For example, the independent research firm TAG Cyber validated that Orca’s CNAPP generates a 207% ROI for customers. This comes as a result of lower licensing costs, time-savings, enhanced efficiency, and a reduction in cloud waste. In terms of the latter, Orca offers automated frameworks for discovering and retiring neglected cloud assets to minimize cloud spend.
#2. Address complexity and skill shortages
By offering comprehensive cloud security from development to production from a single platform, CNAPPs greatly simplify the complexity of learning, using, and maintaining multiple security tools. Additionally, some CNAPPs also leverage AI to simplify cloud security tasks and enhance productivity, greatly reducing required thresholds and alleviating skill shortages.
For example, Orca offers AI-driven security for search and remediation. AI-driven search enables users to run a search using plain language, eliminating the need to learn a unique query language. AI-driven remediation allows teams to instantly generate tailored remediation instructions and code for their unique workflows and IaC provisioning tools, significantly speeding up time to remediation (MTTR).
#3. Fast deployment and low maintenance
As mentioned, CNAPPsconsolidate disparate tools into one unified platform, eliminating tool sprawl as well as the inherent blind spots that come from using disparate solutions. At the same time, CNAPPs that offer an agentless-first approach can ensure full coverage and visibility into the cloud estate—and do so with practically zero deployment effort and maintenance.
The Orca Cloud Security Platform offers an agentless-first solution that requires only minutes to deploy and no effort to maintain. Meanwhile, agent-only solutions require time-consuming and complicated configurations, deployments, and ongoing maintenance, while only covering up to 50-70% of cloud assets due to partial deployment.
#4. Increase efficiency
For a lot of the reasons CNAPPs reduce complexity and skills shortages, they also increase efficiency. Yet another boost comes from a CNAPP’s ability to provide security teams with prioritized alerts, greatly reducing investigation times and making remediation efforts more impactful. By offering full coverage and visibility, some CNAPPs can diagnose all the contextual factors that make a risk more or less dangerous and prioritize security team’s efforts accordingly. CNAPPs also cover all types of cloud security risks, including misconfigurations, vulnerabilities, malware, lateral movement, data risk, API risk, active breaches, which allows them to understand ‘the bigger picture’.
To illustrate, Orca prioritizes alerts based on multiple contextual factors, including the presence of sensitive data, exposure to the internet, CVVS and EPSS scores, exploitability, and more. Orca also performs Attack Path Analysis, which diagnoses the interconnected risks between cloud assets that hackers can exploit to endanger crown jewels. Both prioritized alerts and attack paths enable security teams to focus on the 1% of threats that present the greatest risk, allowing them to save time, enhance efficacy, and eliminate alert fatigue.
#5. Simplify compliance
Complying with regulatory frameworks and industry standards proves time- and resource-consuming, both in the short- and long-term. CNAPPs can ease compliance efforts, not only by helping organizations meet their security objectives, but also by automatically mapping risks to compliance requirements for easier identification, remediation, tracking, and reporting.
To illustrate, Orca’s multi-cloud compliance solution offers more than 125 out-of-the-box frameworks that organizations can choose from or customize to fit their bespoke needs. Once chosen, Orca automatically scores your current compliance status and maps alerts to every requirement needing attention. It also generates ad hoc or scheduled reports across a number of formats.
About the Orca Cloud Security Platform
The Orca Cloud Security Platform provides agentless-first cloud security that identifies, prioritizes, and remediates security risks and compliance issues across AWS, Azure, Google Cloud, Kubernetes, and other cloud providers. Ensuring 100% coverage of your cloud estate, Orca’s patented SideScanning™ technology detects vulnerabilities, misconfigurations, malware, lateral movement, data risks, API risks, AI risks, active breaches, and more. Unlike other siloed solutions or traditional technology, the Orca platform offers a single, unified platform to fully contextualize and prioritize risks across multi-cloud environments.
Orca is trusted by many of today’s leading innovators, including SAP, BeyondTrust, Lemonade, Autodesk, Wiley, Unity, and Gannett. Read our customer success stories or book a demo to see how Orca can supercharge your cloud security.