Cloud security – Osterman Research
https://ostermanresearch.com
Insightful research that impacts organizations
Sun, 09 Mar 2025 20:40:11 +0000

CISO and CIO Investment Priorities for Cybersecurity in 2025 – multi-client white paper
https://ostermanresearch.com/portfolio/orwp_0366-cybersecurity-investment-priorities-2025/
Mon, 03 Mar 2025 18:00:00 +0000

Sponsored by BIO-key International, OpenText, and Salt Security

Published March 2025

Executive summary

CISOs and CIOs are prioritizing cloud infrastructure security, internal cybersecurity talent, and the ethical control of data in 2025. The threat environment continues to change, with AI-driven cyberthreats escalating the potential damages on the offensive side in parallel with tightening cybersecurity insurance requirements forcing a recalibration of the defensive side.

More organizations are experiencing a higher number of cybersecurity incidents each year, which drives the need to re-assess the efficacy of current posture against the organization’s desired standard of performance. Having done so, the CISOs and CIOs in this research are investing in protections to shore up the critical areas above. In addition to the overall prioritization of cybersecurity areas, we offer a more nuanced analysis of CISO and CIO priorities within the areas of applications, cloud platforms and services, identities, and data.

Application Security in a Multi-Cloud World 2023 – commissioned by Radware
https://ostermanresearch.com/portfolio/radware-multi-cloud-2023/
Thu, 16 Nov 2023 23:00:00 +0000

Commissioned by Radware

Published November 2023

Executive summary

The “great cloud migration” is looking different than how it was originally touted, with few organizations hosting all their applications exclusively on public cloud platforms. Almost all operate a hybrid infrastructure mixing public cloud, private cloud, and on-premises environments. While that mix continues to change and morph—a dynamic that raises security concerns by itself—security threats against applications are increasing in frequency and severity. Compounding these threats is alarmingly low organizational preparedness for multi-cloud security, poor visibility into security weaknesses of their own APIs (as well as third-party APIs and code), and insufficient protections against application DDoS attacks.

3rd Annual State of Multi-Cloud Identity Report 2023 – commissioned by Strata Identity
https://ostermanresearch.com/portfolio/strata-multi-cloud-identity-2023/
Tue, 22 Aug 2023 00:00:00 +0000

Commissioned by Strata Identity

Published August 2023

Executive summary

Change is inevitable, as the saying goes. And, nowhere are the effects of rapid change more apparent than in today’s multi-cloud computing environments.

Organizations are constantly adopting new tools and technologies, including multiple cloud platforms, to stay competitive, agile, and secure. The findings of this year’s State of Multi-Cloud Identity Report build on the reports from 2021 and 2022 to show how organizations’ thinking about identity services and technologies is shifting in response to external and internal forces.

What hasn’t wavered in the past three years is the increasing prevalence of multi-cloud in the enterprise and the resulting identity fragmentation that leads to security and operational risk.

Identity is a fundamental component of enterprise security. It relies on uniquely differentiating one user from another, granting the correct level of access for policies for each employee, customer, and partner. Getting identity and access policies wrong can result in the costly loss of customer confidence, data breaches, and regulatory compliance issues.

However, getting identity and access policies right is not easy. Many organizations face challenges in driving identity modernization — often tied to attempts to hire unicorn identity professionals who can handle the complexity and diversity of multiple identity platforms and services. But finding such talent is difficult, if not impossible. The skills or talent gap has delayed identity modernization projects, undermined internal capabilities, and driven away customers and revenue.

The solution to these challenges lies in the orchestration of an identity fabric. By harmonizing identity and access policies, Identity Orchestration enables organizations to manage multiple identity providers to dynamically secure applications across multiple cloud platforms and integrate new identity services seamlessly.

The benefits of an orchestrated identity fabric are manifold. It facilitates organizational digital transformations, and the modernization of on-premises applications with modern authentication capabilities while ensuring the decommissioning of legacy identity infrastructure does not compromise critical business processes or undermine security.

CISO and CIO Investment Priorities for Cybersecurity in 2023 – multi-client white paper
https://ostermanresearch.com/portfolio/orwp_0356-investment-priorities-2023/
Tue, 14 Feb 2023 23:00:00 +0000

Published February 2023

Sponsored by BlackFog, Cerby, OpenText Cybersecurity, Quest, and SonicWall

Executive summary

CISOs and CIOs view cybersecurity as a significantly higher priority than two years ago and are investing in multiple areas to meet escalating regulatory demands, protect new digital channels, and counteract ongoing cyber incidents. Improving protections for cloud services and platforms is the top-rated priority (attacks against cloud services were the most-seen incident type during the past year), followed by protections against ransomware attacks. CISOs and CIOs see a range of issues within apps, cloud platforms, data, and on-premises infrastructure requiring ongoing and higher investment in 2023. They are budgeting accordingly.

The data presented in this white paper is from a survey of CISO and CIO respondents at 284 organizations in the United States with more than 1,000 employees. 

Navigating the SaaS Landscape: A Survey of Security Leaders on Security Strategies – commissioned by Obsidian Security
https://ostermanresearch.com/portfolio/obsidian-saas-security/
Wed, 08 Feb 2023 23:00:00 +0000

Commissioned by Obsidian Security

Published February 2023

Executive summary

Organizations are increasingly relying on SaaS applications for managing critical business data and running core processes. These services contain a wealth of intellectual property, workforce identities and access permissions, collaboration and supply chain networks, details on customer opportunities and projects, and proprietary code. Still, organizations seem to lack visibility and security controls necessary to stop unauthorized access to these SaaS applications, govern privileged access, and ensure continual alignment of configuration settings with regulatory standards and internal frameworks.

In this survey commissioned by Obsidian Security, learn more about the tools, processes, and frameworks security leaders have implemented to address these vulnerabilities. See which capabilities they feel strongly about, which need improvement, and the areas where they entirely lack visibility.

Key takeaways from this survey include:

  • One-third more types of security incidents when manual processes are used
  • Lack of visibility into basic security controls is four times more of a problem with manual processes
  • Few organizations can identify a breach or exposure within minutes
  • Half of organizations can’t control privileged access rights
  • Organizations spend too long reviewing security controls in SaaS apps
  • Investigate SaaS Security Posture Management (SSPM) solutions

The Rise of Cyber Threats Against Email, Browsers and Emerging Cloud-based Channels – commissioned by Perception Point
https://ostermanresearch.com/portfolio/perceptionpoint-rise-cyberthreats/
Thu, 24 Nov 2022 23:00:00 +0000

Commissioned by Perception Point

Published November 2022

Executive summary

The past few years have necessitated the rapid adoption of new workplace technologies, like cloud collaboration apps and services alongside email. 

This shift has benefited employee productivity and external collaboration as organizations across the world embrace new work patterns. 

However, threat actors have also caught on to this growing trend, extending their attack techniques to these new apps and services, and consequently continuing to threaten employees accessing web-based applications and email.

In this report, we present new findings that explore the changing threat landscape for email, web, and cloud apps, and what organizations must do to bolster security protections for these channels. 

Read this report to learn more about:

  • Organizations adopting new channels alongside email
  • Threat actors have been quick to attack these new channels
  • Security incidents lead to costly and time-consuming incident response
  • Threats are expected to increase in frequency and sophistication
  • All organizations are deploying new solutions to mitigate changing threats

Application Security in a Multi-Cloud World 2022 – commissioned by Radware
https://ostermanresearch.com/portfolio/radware-multi-cloud-application-security/
Thu, 22 Sep 2022 00:00:00 +0000

Commissioned by Radware

Published September 2022

Executive summary

Organizations are no longer moving to the cloud; they are already there. The research shows that only a negligible percentage of organizations, less than 0.5%, do not deploy applications in the public cloud at all. However, organizations are increasingly shifting into the next iteration of the cloud movement: the multi-cloud. The research shows that 95% of the organizations use at least two types of infrastructure, and nearly half of the organizations deploy applications on four or more different platforms. As a result, deploying applications across multi-cloud and hybrid cloud environments has become the new normal.

The growing number and diversity of environments for hosting applications raises the bar on what is required from security tools, with consistency in security policy and cross-environment visibility key requirements. Many organizations are struggling to achieve high-quality protection and centralized, cross-cloud visibility, and 69% of organizations can trace data breaches or data exposures to inconsistent application security configurations across the different public cloud platforms that they currently use. The trust in native public cloud security capabilities is declining, and more than half of the organizations cannot trust their security staff to configure and maintain a strong application security posture, across the public cloud platforms that they currently use for hosting applications.

State of Cloud Security Maturity 2022 – commissioned by Ermetic
https://ostermanresearch.com/portfolio/state-of-cloud-security-maturity-2022-commissioned-by-ermetic/
Fri, 05 Aug 2022 00:00:00 +0000

Published August 2022

Commissioned by Ermetic

Executive summary

Osterman Research surveyed over 300 organizations in North America that have 500 or more employees and spend at least $1 million each year on cloud infrastructure to find out how they assess their own cloud security maturity.

The goal was to establish an industry baseline against the Ermetic Cloud Security Model, which was designed by Ermetic to provide a lightweight framework for determining an organization’s maturity level across multiple domains and developing a specific, actionable roadmap for advancing their capabilities. 

Key takeaways:

  • 84% of organizations are at only an entry level (level one or two) with their cloud security capabilities
  • 42% of companies spending 50 hours/week or more on cloud security are achieving the top maturity levels (level three or four)
  • 80% of companies reported they lack a dedicated security team responsible for protecting cloud resources from threats
  • Organizations with certain security priorities reported higher levels of cloud security maturity

State of Multi-Cloud Identity Report 2022 – commissioned by Strata Identity
https://ostermanresearch.com/portfolio/strata-multi-cloud-identity-2022/
Fri, 13 May 2022 00:00:00 +0000

Commissioned by Strata Identity

Published May 2022

Executive summary

Enterprises have accelerated their move to multiple cloud platforms over the past 12 months and intend to keep pushing in this direction. An increasing share of app workloads are hosted across multiple cloud platforms, but with only a minority of enterprises planning on giving up on-premises approaches entirely, most enterprises face the combination of hybrid and multi-cloud in perpetuity.

Successfully achieving the promise of a combined hybrid and multi-cloud future can only be gained if enterprises address their technical debt and outdated IAM (identity and access management) practices. Distributed identities across scattered identity silos result in inconsistent identity and access policies when people are accessing apps. Poor visibility of existing access policies means enterprises are flying blind—they do not know where apps are hosted, nor who has access to their data.

Current identity standards and technologies for multi-cloud policy management are failing to live up to the actual demands of multi-cloud, and enterprises are having to hire expensive identity architects to fill the gap. Nevertheless, data breaches continue, the identity threat looms large, and more strategic identity and IT modernization initiatives remain unaddressed.

Modernizing identity and access management is a strategic imperative for enterprises with hybrid and multi-cloud strategies. Consistent policies irrespective of where app workloads are deployed are essential; relying on identity architects to manually stitch these together is not a sustainable approach. A new category of software—Identity Orchestration—offers a better solution: a distributed abstraction layer that integrates multi-cloud and hybrid identity infrastructures and allows fine-grained enforcement of consistent identity and access policies. Identity Orchestration supports security modernization through Zero Trust approaches, and also gives enterprises the ability to achieve consistent Policy Orchestration between cloud platforms and across the tech stack.

Why Zero Trust is Important – multi-client white paper
https://ostermanresearch.com/portfolio/orwp_0348-zerotrust2021/
Tue, 09 Nov 2021 23:00:00 +0000

Sponsored by Archive360, BIO-key International, Progress MOVEit, SonicWall, and Symmetry Systems

Published November 2021

Executive summary

Zero trust offers a modern approach for security to meet modern work designs and tackle the cybersecurity challenges facing organizations. The rise in remote work, the relentless waves of ransomware and other cybersecurity attacks, and the need to redress fundamental weaknesses in perimeter-based security have coalesced to drive interest and uptake in zero trust architectures. Zero trust was first touted in 2004, and organizations are progressing with zero trust designs to increase the efficacy of cybersecurity protections and build a stronger foundation to address the new challenges of hybrid work, data protection, and security. Organizations view strengthening identity and access management as the key design modification for zero trust initiatives, and confidential files as the most important data source to protect. Most organizations expect to be fully deployed with a zero trust architecture within two years.

This white paper reports on how organizations are deploying and planning to deploy a zero trust architecture. It offers direction to decision-makers and influencers on best practices and solutions to support the move to zero trust.
