Security Budgeting Considerations for Containers
When it comes to managing SecOps, you must consider all the risks at hand, as well as how you can address them. Many of today’s SecOps teams are using containers for development, but this also opens organizations up to a variety of new risk factors.
To mitigate these risk factors, organizations need to ramp up their security budgets. After all, it’s expensive to hire the best SecOps professionals and purchase best-in-class tools to manage cybersecurity.
We recently published The State of Security Budgeting in 2018, which details the results from a survey of 300 technical, operations, compliance, and security professionals in North America, across a variety of industries. Of the organizations that responded, 37% had cloud infrastructure workloads that were container-based. The survey results point to many important budgetary considerations, particularly when it comes to containers. Here’s what you need to know.
Overall Security Budgets Are Increasing
Currently, the average security technology budget of respondents’ organizations is $651,260.
Encouragingly, given (and perhaps in response to) the challenges faced, security technology budgets are expected to grow in two years to an average of $773,412 (representing a 19% increase over time). Organizations using containers operated under a slightly higher average budget of $688,134, which is expected to increase to $797,379 in the next two years.
It’s a promising sign that security budgets are on the rise, and that cloud workload security is the top budget priority among organizations that are using containers now and that will be using them in the next two years. In fact, 56% of these organizations agreed that even more spending is needed on cloud workload security, roughly in line with the average response. This budget prioritization is aligned with the threat risks, as attackers often look to exploit container infrastructure misconfigurations to gain access to sensitive corporate information.
One other thing was clear among all respondents: Organizations need more budget to hire security team talent. Among organizations using containers, 71% agreed that they need more staff capable of managing security products. Often a lack of experience increases security risks to organizations that are looking to quickly adopt containers, leaving a greater margin of error for attackers to exploit.
Development Teams Add Security Risks — More So If They Use Containers
Perhaps organizations are aware of their own lack of experience with containers since 92% of survey respondents using containers believe their development teams are putting their organization at risk.
These respondents are more likely to report an array of concerns, such as developers requiring access to sensitive corporate information (52% containers vs. 42% overall average) or businesses placing more importance on releasing applications that work rather than applications that are secure (43% vs. 24%).
What’s more, 80% of organizations using containers agreed that their security teams were under pressure to keep pace with development and operations, yet almost two-thirds (63%) believe that security teams can sometimes slow down the speed of their business.
This data points to environments where security, development, and operations teams are not working together as effectively as they could be, for the greater good of the business. It also suggests that security teams are not aligned with development teams, suggesting that the two need to come together to ensure that threats are proactively mitigated.
The Threats for Organizations Using Containers
The majority of practitioners in the trenches using containers (58%) reported that cloud infrastructure security was their greatest concern, followed by phishing attacks (40%), while their organization as a whole was most concerned about data breaches impacting intellectual property (51%) and breaches impacting customer PII (42%). This data shows that organizations have a more reactive mindset about security as a whole, focused on the end (breaches) rather than the means (their cause).
In other words, if organizations paid more attention to the concerns of day-to-day practitioners and implemented proactive security measures, their organizations’ infrastructure misconfigurations and vulnerabilities might be quickly addressed, decreasing their overall risk of breach. The good news is, the majority of container security budgets are going toward cloud workload security, which suggests that spending is properly aligned with the risks that practitioners see every day.
A Few Last Words…
Organizations have eagerly embraced containers because of their numerous benefits. Even so, containers introduce new threats that need to be addressed. In organizations where containers are used, security teams are even more concerned about risks, and are investing heavily in cloud infrastructure security.
Even if your team hasn’t jumped on the container bandwagon quite yet, check out the full survey report to see how your security budgeting stacks up in comparison to other professionals across company sizes and industries. And if you would like to benchmark your organization’s cloud infrastructure security practices, feel free to take our Cloud SecOps Maturity Assessment.
*** This is a Security Bloggers Network syndicated blog from Blog – Threat Stack authored by Dan Kirsch. Read the original post at: https://www.threatstack.com/blog/security-budgeting-considerations-for-containers