New ESG survey reveals key CSPM and CIEM trends


As more organizations embrace digital transformation strategies and shift to cloud-native solutions, they enjoy benefits ranging from productivity gains to financial savings.

However, the fast-paced, ever-changing nature of the cloud brings a variety of new challenges for security teams. While organizations are eager to speed software delivery and better serve employees, partners, and customers by capitalizing on new cloud technologies, security teams struggle to keep pace and mitigate risk within these new and complex environments. Top challenges include limited visibility into public cloud infrastructure, outdated manual security practices, and overly permissive accounts — not to mention an industry-wide skills shortage.

But where there are problems, there are also solutions! An increasingly popular approach involves protecting applications with cloud security posture management (CSPM) and/or cloud infrastructure entitlement management (CIEM). By identifying risks early in the software lifecycle, CSPM and CIEM — each a component of a cloud-native application protection platform (CNAPP) — can help teams minimize security risk, achieve continuous compliance, and dramatically reduce the cost and complexity of protecting cloud workloads.

To give you the latest insights into how businesses are harnessing CSPM and CIEM to meet cloud challenges, we’re excited to share a report showcasing the latest research from Enterprise Strategy Group (ESG): Cloud Entitlements and Posture Management Trends.

ESG’s methodology

In their quest to determine how organizations are choosing and implementing CSPM and CIEM solutions, ESG surveyed 383 IT and cybersecurity decision makers responsible for evaluating or purchasing cloud security technology products and services at midmarket (100 to 999 employees) and enterprise (1,000 or more employees) organizations in the United States and Canada. Their research delves into the challenges that lead organizations to adopt these solutions, as well as major considerations and requirements in the purchasing process.

Here are a few key takeaways:

  • 73% of respondents agree or strongly agree that the use of multiple public clouds makes it challenging to maintain consistent security posture across environments

  • 99% of organizations say compromised cloud credentials played a central or modest role in exposing their cloud environment

  • 85% of respondents expect CNAPP to provide more efficient cloud security risk mitigation by consolidating functions like CIEM, CSPM, and others

Evolving responsibilities for cybersecurity

In addition to the takeaways above, a good portion of the report focuses on organizational responsibility. As unprecedented data growth forces companies around the world to reconsider their data storage infrastructure, they move away from legacy architecture and onto cloud platforms. But while migrating their data from one place to another, they tend to overlook the most important aspect of data management: security. Who is responsible for maintaining this security posture and for defining the roles, access, permissions, and entitlements?

Not surprisingly, cybersecurity, application developers, and IT ops are the most commonly identified groups when it comes to cybersecurity controls. However, more surprising is the fact that — even in 2023 — some cloud-native organizations don’t have a dedicated cybersecurity team.

But it’s not all bad news. This shortage of security expertise has led other groups to take a more active role in implementing and managing cybersecurity controls day to day. In turn, this has created opportunities for better collaboration and visibility, and has helped organizations define roles and policies more clearly so that effort is streamlined rather than duplicated.

Cloud growth creates new growing pains

The report also explores the challenges of securing the ever-expanding attack surface of cloud applications. The majority of organizations lack the budget, people, and/or security skills to address this issue, while the security tooling they already own falls short because it was never built or optimized for the cloud.

The need for cloud-native solutions has grown substantially. As production workloads in public clouds are expected to double in the next two years, organizations need a better way to manage access and ensure consistency of processes and controls for applications across their data center and public cloud environments. Overly permissive service and user accounts continue to plague security professionals and expose organizations to possible attacks. Outdated, manual security practices can’t scale for the cloud, and lead to security being labeled as a blocker to innovation.

ESG found that the vast majority of public cloud infrastructure users are deploying their applications across multiple cloud service providers (CSPs), often three or more. As organizations embrace a multicloud strategy, the aforementioned short-staffed security teams become responsible for managing security risk for applications across multiple cloud environments, which is an onerous task. As cloud-native applications multiply, integrating security controls into the tools teams already use must take priority throughout the software development lifecycle.

Fortifying cloud security at scale

The ESG study found an increasing synergy between CSPM and CIEM — two foundational components of the emerging CNAPP category. Through a platform approach like CNAPP, organizations are hoping to gain operational efficiencies by integrating existing processes, reducing the number of disparate tools, and making better use of the available data.

Speaking of process integration, according to ESG, more than half of organizations have taken steps to build security into DevOps processes to some extent, but the cloud will continue to create growing pains if more organizations don’t prioritize DevSecOps and shift security left to secure cloud-native applications. According to ESG’s research, the adoption of DevSecOps practices is on the rise as organizations try to limit exposure of production environments by incorporating security and compliance early into the software development lifecycle (SDLC) and continuous integration and continuous delivery (CI/CD) pipelines.

Organizations can leverage cloud infrastructure entitlement and security posture management solutions to protect applications and reduce security risk while enabling business units to rapidly innovate in the cloud. These solutions are effective at helping detect misconfigurations and enforcing the principle of least privilege to reduce the attack surface and avoid security issues like cryptojacking malware, unauthorized and overprovisioned access, unauthorized use, and ransomware.
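To make the two checks described above concrete, here is an added example (not code from the ESG report or from any vendor's CSPM/CIEM product) in Python: a posture check that flags Allow statements granting wildcard actions on all resources or granting access to any principal without a condition, and an entitlement check that compares what a role is granted with what it actually used. The IAM policy documents, the action catalogue, and the observed-action list are all constructed for illustration; a real scanner would pull the policies from the provider's API and derive usage from audit logs.

```python
"""Added example: a minimal CSPM/CIEM-style check over constructed IAM policies.

  1. posture_findings: flag Allow statements with wildcard actions on all
     resources, or a public principal ("*") with no Condition.
  2. granted_actions / unused_entitlements: expand granted actions against a
     catalogue, honour Deny (Deny wins in IAM), and subtract observed usage to
     get the surplus a least-privilege recommendation is built from.
"""
import fnmatch
import json
from typing import Iterable

# Constructed sample: an over-permissive role policy.
ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
})

# Constructed sample: a bucket policy that exposes objects to everyone.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}
    ],
})

# Constructed catalogue of actions the scanner knows about (a real one is
# far larger) and the actions the role was observed using in audit logs.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "s3:ListBucket",
    "ec2:DescribeInstances", "ec2:TerminateInstances",
    "iam:CreateUser", "iam:PassRole",
]
OBSERVED_ACTIONS = ["s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"]


def _as_list(value) -> list:
    """Action/Resource/Principal may be a string or a list; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def posture_findings(policy_json: str) -> list:
    """Human-readable findings for risky Allow statements in one policy."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(f"statement {i}: wildcard action {actions} on all resources")
        if _principal_is_public(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"statement {i}: allows any principal without a Condition")
    return findings


def granted_actions(policy_json: str, catalogue: Iterable[str]) -> set:
    """Expand Allow patterns against the catalogue, then remove Deny matches."""
    catalogue = list(catalogue)
    allowed, denied = set(), set()
    for stmt in json.loads(policy_json).get("Statement", []):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            target.update(a for a in catalogue if fnmatch.fnmatchcase(a, pattern))
    return allowed - denied


def unused_entitlements(policy_json: str, observed: Iterable[str],
                        catalogue: Iterable[str]) -> set:
    """Granted actions never seen in usage: the least-privilege surplus."""
    return granted_actions(policy_json, catalogue) - set(observed)


if __name__ == "__main__":
    for name, doc in (("role", ROLE_POLICY), ("bucket", BUCKET_POLICY)):
        for finding in posture_findings(doc):
            print(f"[{name}] {finding}")
    print("unused:", sorted(unused_entitlements(ROLE_POLICY, OBSERVED_ACTIONS, ACTION_CATALOGUE)))
```

On the constructed input the posture check reports the `s3:*` grant on all resources and the public bucket principal, and the entitlement check reports `s3:DeleteBucket` and `s3:ListBucket` as granted but never used, which is exactly the surplus a CIEM tool would propose removing.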

Get started

Are you ready to join the 80% of survey respondents that plan to increase their investments in CSPM in the next 12 months? You’ll want to dig into ESG’s research to gain valuable insights into the top trends and requirements for companies considering CSPM and CIEM solutions. Learn more when you download the full report today.
