The report, released Wednesday, was based on 300 responses from IT decision-makers, and found 86% of respondents were exploring ways to automate access controls — especially for privileged access. Even with 68% of respondents experiencing increases in budgets and staff, they continue to face mounting threats from an expanding threat landscape that causes challenges for their teams.
Other important findings from the study include:
- 71% are confident they can recover quickly from a cyberattack.
- 69% think their current privileged access approach is either very mature or mature.
- 89% monitor and can alert on unauthorized privileged activity.
“This report presents a conundrum, as respondents feel confident in their current cybersecurity postures, despite a significant amount of breaches being caused by compromised credentials, said Joseph Carson, chief security scientist and Advisory CISO at Delinea. “Yet they also realize that the way to secure the future of their organizations is through cloud automation, which for most presents a dynamic shift in approach, investments, and resources."
The Delinea research noted that as the cloud environment grows and becomes more complex, security teams are challenged to keep up with the pace of that growth and complexity, said Avishai Avivi, CISO at SafeBreach. Avivi agreed with the notion that faced with this complexity, security teams should look to future-proof technology.
“The research also suggests that today's security technology would not keep pace with the complex cloud environment already in place,” Avivi said. “We agree with this recommendation, and fully support the need to leverage technology that scales with the cloud and allows businesses to test their security posture, even with this rapidly evolving cloud environment.”
Charles "Chuck" Everette, director of cybersecurity advocacy at Deep Instinct, added that while the idea of cloud automation is not new, it’s difficult to implement and enforce because of the multi-cloud and hybrid IT environments. Everette said these automation tools need to have access to all environments, but the question is who validates that the tools themselves are secure and have not been manipulated or breached themselves.
“Too many times organizations put these types of controls in place and assume that they will work indefinitely,” Everette said. “It’s critical that we are never complacent with security, we need constant monitoring, auditing and validation.”
Jasmine Henry, field security director at JupiterOne, said the 69% of Delinea respondents who feel they have either very mature or mature privileged access management approach could represent an overestimation of maturity among respondents.
“Security automation is needed at every stage of the asset lifecycle, from asset creation to destruction,” Henry said. “Security teams need automation to identify new assets and map asset relationships to understand how real-time changes impact risk. Security teams also need to embed automated security into the DevOps pipeline, so it's easy for product engineers to set secure parameters for assets at the time of creation, such as encryption by default or data classification.”