Security Budgeting Considerations for Containers

When it comes to managing SecOps, you must consider all the risks at hand and how you can address them. Many of today's organizations run containers in development and production, but containers also expose them to a set of new risk factors.

To mitigate these risk factors, organizations need to ramp up their security budgets. After all, it is expensive to hire the best SecOps professionals and to purchase best-in-class tools for managing cybersecurity.

We recently published The State of Security Budgeting in 2018, which details the results of a survey of 300 technical, operations, compliance, and security professionals in North America across a variety of industries. Of the organizations that responded, 37% had container-based cloud infrastructure workloads. The survey results point to many important budgetary considerations, particularly when it comes to containers. Here is what you need to know.

Overall Security Budgets Are Increasing

Currently, the average security technology budget of respondents’ organizations is $651,260.

Encouragingly, given (and perhaps in response to) the challenges faced, security technology budgets are expected to grow over the next two years to an average of $773,412, a 19% increase. Organizations using containers operated under a slightly higher average budget of $688,134, which they expect to increase to $797,379 in the next two years.

It is a promising sign that security budgets are on the rise, and that cloud workload security is the top budget priority both among organizations using containers now and among those that plan to use them in the next two years. In fact, 56% of these organizations agreed that even more spending is needed on cloud workload security, roughly in line with the average response. This prioritization is aligned with the actual threat: attackers routinely look for misconfigurations in container infrastructure as a path to sensitive corporate data.

One other thing was clear among all respondents: organizations need more budget to hire security talent. Among organizations using containers, 71% agreed that they need more staff capable of managing security products. A lack of container experience on the team raises risk for organizations rushing to adopt containers, because misconfigurations made in haste are exactly what attackers look for.

Development Teams Add Security Risks — More So If They Use Containers

Organizations may well be aware of their own lack of experience with containers: 92% of survey respondents using containers believe their development teams are putting the organization at risk.

These respondents are more likely to report an array of concerns, such as developers requiring access to sensitive corporate information (52% of container users vs. a 42% overall average) or the business placing more importance on releasing applications that work than on releasing applications that are secure (43% vs. 24%).

What’s more, 80% of organizations using containers agreed that their security teams were under pressure to keep pace with development and operations, yet almost two-thirds (63%) believe that security teams can sometimes slow down the speed of their business.

This data points to environments where security, development, and operations teams are not working together as effectively as they could for the good of the business. Security and development teams in particular appear misaligned, and the two need to come together so that threats are mitigated proactively rather than after the fact.

The Threats for Organizations Using Containers

The majority of practitioners working with containers (58%) reported that cloud infrastructure security was their greatest concern, followed by phishing attacks (40%), while their organizations as a whole were most concerned about data breaches affecting intellectual property (51%) and breaches affecting customer PII (42%). In other words, organizations as a whole have a reactive mindset about security, focused on the outcome (a breach) rather than on its likely cause (an exploitable misconfiguration or vulnerability).

If organizations paid more attention to the concerns of day-to-day practitioners and implemented proactive security measures, infrastructure misconfigurations and vulnerabilities could be addressed quickly, decreasing the overall risk of a breach. The good news is that the majority of container security budgets are going toward cloud workload security, which suggests that spending is properly aligned with the risks practitioners see every day.

A Few Last Words…

Organizations have eagerly embraced containers because of their numerous benefits. Even so, containers introduce new threats that need to be addressed. In organizations where containers are used, security teams are more concerned about risk and are investing heavily in cloud infrastructure security.

Even if your team has not jumped on the container bandwagon yet, check out the full survey report to see how your security budgeting compares with that of other professionals across company sizes and industries. And if you would like to benchmark your organization's cloud infrastructure security practices, feel free to take our Cloud SecOps Maturity Assessment.

*** This is a Security Bloggers Network syndicated blog from Blog – Threat Stack authored by Dan Kirsch.

Dan Kirsch

Daniel (Dan) Kirsch is managing director and co-founder of Techstrong Research. Dan is a consultant, IT industry analyst, and thought leader focused on how emerging technologies such as AI, machine learning, and advanced analytics are impacting businesses. Dan is particularly interested in how businesses use these emerging technologies to alter their approaches to information security, governance, risk, and ethics. Dan provides advisory services directly to leadership at technology vendors that design and deliver security solutions to the market, assisting them in aligning their solutions with enterprise requirements. Dan is viewed as an expert in understanding security solutions and mapping them to the complex needs of businesses across industries. Prior to co-founding Techstrong Research, Dan was managing director at Hurwitz & Associates, an analyst and consulting firm, where he led research on a variety of studies and reports in the areas of data and AI, modern software development, security, and multi-cloud computing. Dan earned his B.A. in Political Science from Union College in New York and a J.D. from Boston College Law School, where he focused on emerging corporate strategies and intellectual property. As an attorney, Dan represented early-stage start-ups and cloud computing ventures as they sought funding. Dan is a co-author of Augmented Intelligence: The Business Power of Human-Machine Collaboration (CRC Press, 2020), Cloud for Dummies (John Wiley & Sons, 2020), and Hybrid Cloud for Dummies (John Wiley & Sons, 2012).
