What Does Mature Cloud Security Look Like?

According to research from ESG’s Cloud-Native Security Maturity e-book, enabling DevSecOps is critical to a successful cloud-native journey.

June 20, 2022

5 Min Read


Over the past two years, we’ve seen a rapid acceleration of cloud adoption across a spectrum of organizations. Typical of most technology movements and trends, organizations were more focused on transforming their business with cloud technologies and less concerned with security.

Cybersecurity is a challenging concept for many organizations, since it is a shared responsibility across different teams. Implementing the right security technologies, programs, and processes to mitigate risk is often perceived as a roadblock by development and engineering teams. According to a new study from market research firm ESG, the opposite has proven to be true. In fact, integrated cloud-native security programs actually help organizations drive software development efficiencies and exceed revenue goals.

Cloud-Native Adoption Is the New Normal

In our 2021 e-book: The Evolution of Cloud Native Security, 88% of respondents said they believed their cybersecurity program would need to evolve to secure their cloud-native applications and use of public cloud infrastructure. This data reveals that cloud-native adoption is driving the need for mature security programs in places to help organizations move safely. Businesses looking to secure their journey to cloud need comprehensive cloud security tools and programs in place that can be used for all their cloud-native projects.

To learn more, we partnered with ESG to survey 1,000 cybersecurity professionals to uncover the maturity of their security programs and any measurable benefits.

Characteristics of Mature Cloud-Native Security Programs

Eighty-three percent of ESG’s respondents said they have at least several internally developed cloud-native applications pushed to production. In addition, a lot of these applications in the cloud are business-critical applications. What’s more interesting is that the research revealed that mature organizations plan to quadruple their number of cloud-native business-critical applications over the next 12 months.

Meeting the demands of dynamic environments and faster software development cycles for cloud-native applications brings new security challenges. How do you know if your organization has the proper technologies and processes in place to secure its cloud native environment?

To answer these questions, ESG wanted to learn how organizations secured applications and underlying platforms, which tools they use, and how they bring systems and processes into organizational alignment. Then, we benchmarked their development processes and security program maturity.

Among other findings, ESG’s Cloud-Native Security Maturity e-book reveals that organizations with mature security programs do the following:

  • Develop code with security in mind

In addition to helping developers address security issues, security program maturity contributes to greater efficiency across the software development lifecycle.

Organizations that considered themselves to have a mature cloud security program were 4.2X more likely to see security teams as business enablers. According to ESG, developers are motivated to incorporate security in ways that can scale with rapid development. Key drivers, including securing sensitive cloud-resident data (54%), establishing a proactive cybersecurity posture (52%), and keeping pace with CI/CD development (50%), were cited by respondents as reasons for incorporating security into the DevOps process.

  • Respond to vulnerabilities faster

There is no debating this point -- the impact from a breach is always more damaging than the effort involved in getting security right the first time around. Among the most mature organizations, 75%+ scan code at each stage of the lifecycle and they can respond to vulnerabilities 28% faster than average respondents. Ultimately, what this means is that there is no “security phase” to their development process but rather, a set of best practices and tools that should be included within the existing phases of the software development lifecycle. From looping in stakeholders on the security team to using automated tools and promoting education, treating security as an evolution of the process and not just another item to check off the to-do list is a sign of true cloud security maturation.

  • Experience fewer security incidents

Accenture's State of Cybersecurity Resilience 2021 report says attacks per company increased from 206 to 270 year over year. Furthermore, a WhiteHat Security report found the average time to fix critical security vulnerabilities was 205 days. This lengthy delay in containing breaches is extremely costly. While organizations with the most mature security programs have embedded preventative measures into their processes, such as continuously scanning code, less advanced organizations experience 31% more security incidents.

  • Exceed revenue goals by 55%

Fewer incidents, better products and less friction between teams are all critical outcomes, but let’s not kid ourselves -- the most important statistic exists at the bottom line. Security program maturity correlates to operational excellence and enables more functionality and on-time product delivery, proving that mature security programs empower organizations to beat the competition.

Conclusion: Embed Security Across the Application Lifecycle

ESG’s findings showed that today’s business success depends on leveraging technology to deliver products and services efficiently. As businesses leverage cloud technologies, security is essential to protect valuable company and customer data. Thus, stronger security programs also contribute to better business outcomes.

Security is a moving target, which means even the most mature programs demand constant improvement. But the best security practices go beyond tooling -- by focusing on proactive collaboration, transparency, and shared responsibility, it’s clear that enabling DevSecOps by aligning development and security processes is critical for a successful cloud-native journey.

Read the e-book to find out which traits make up these groups and how they operate. The analysis shows clear connections between mature security programs and organizational outcomes.


Mohit Bhasin is a product marketer for Prisma Cloud at Palo Alto Networks. With a background in Computer Engineering and a master’s in business administration, he has a passion for understanding and solving customer problems.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights