2021 Year in Review: An interactive report of annual research findings

Overview

What follows are highlights from four primary research studies Security Compass commissioned in 2021 on topics in Cybersecurity, covering DevSecOps, Cloud Adoption, Threat Modeling, and the US DoD. The research was conducted independently by Golfdale Consulting, Inc.

Balancing Security and Speed

In 2021, there was a rapid acceleration of Infrastructure as a Service (IaaS) cloud-based software development. Cloud development helped to address increased demand for faster, more scalable creation and deployment of software applications. However, accelerated software development came with an increasing number of hostile attacks.

Is it possible to improve time to market on new software builds while improving security from the start?

This becomes possible through a Balanced Development Automation (BDA)  approach. Many companies are implementing DevSecOps, an approach that literally puts security as a center point integrated into software development and operations /deployment. With this approach, rapid development can be balanced with security in creating new software products.

Not surprisingly, the majority of large enterprises developing software in the US and the UK are taking this approach.

bar chart comparing DevSecOps implementation in the US and UK. The US data includes: No Plans to implement (1%), Planning to implement (5%), Implemented in a minority of apps (16%), Implemented in the majority of apps (77%).

Overcoming Time to Market Issues

Even with these advances, technology executives and practitioners, along with their counterparts in risk and compliance, show a great deal of concern over time to market issues.

An image showing 80% of respondents agreeing or strongly agreeing that security and compliance issues slow down their time to market.

Surveying senior execs and practitioners quantified what we hear from many in the industry — 75% believe that manual processes for security and compliance hamper the ability to get new products to market.

A chart indicating the extent to which manual security and compliance processes slow code releases: A lot (37%), A moderate amount (38%), A little (18%), None (7%).

While speed to market is a great concern, it is clear that for the majority, balance is achieved by first ensuring there is improvement in security, quality and resilience.

A bar chart showing the drivers of DevSecOps: Improve security, quality, and/or compliance (54%), Bring technology to market faster (30%), Reduce organizational silos (10%), Reduce cost (6%).

Heading into 2022, executives in companies producing software are in near unanimous agreement, automation of proactive security and compliance is of great importance.

 

An image showing that 96% of respondents consider automating proactive security and compliance as a high or medium priority.

Accelerated Cloud Development and Risk

Cloud usage among enterprises continues its upward trends, outpacing fast-growth expectations of only just a few years ago. In 2018, a well-researched forecast was that by 2021, 35% of all enterprise workloads would be in public cloud applications; today, it globally stands at 50%, with expectations of an additional 7 percentage point gain in the next year. Security concerns have been a major impetus for this growth, with increasing needs for organizations to adjust their security posture to both keep attackers out (cybersecurity) and to minimize the damage caused once they are in (cyber resilience).

Our research among large enterprises that build cloud based applications confirmed these trends.

A bar chart indicating the priority of cloud adoption: Top priority (83%), It is one of the things we are working on (17%), We will not be working on it (0%).

Driving this adoption has been the global push to enable remote work environments, especially among the largest ($5B+) companies.

 

A chart showing what drives cloud adoption in app development: Enabling a Remote Workforce (Top Rank 46%, 2nd Rank 24%, 3rd Rank 29%), Bringing Technology to Market Faster (Top Rank 35%, 2nd Rank 33%, 3rd Rank 32%), Increasing Agility (Top Rank 32%, 2nd Rank 37%, 3rd Rank 31%).

 

Physician, heal thyself. Almost 100% of executives and practitioners alike believe automated security and compliance processes are core to the solution.

 

A chart showing interest in solutions that automate proactive security and compliance processes: Strongly agree (70%), Agree (27%), Neither agree nor disagree (3%).

Proactive Security and Compliance

Among enterprises building cloud-based applications, proactive security and compliance processes are being undertaken. Most often, this approach is undertaken for risk assessments; least often for threat modeling. What is clear, the more apps that are developed in the Cloud, the greater the need for proactive security and compliance processes.

 

A chart showing the proactive security and/or compliance processes undertaken by organizations, broken out by the percentage of apps developed in the cloud: Risk assessments (72%), Secure coding guidelines (66%), Compliance by design (57%), Privacy by design (57%), Developer training (48%), Threat modeling (39%).

Threat Modeling = Greatest Opportunity

Despite less than half of enterprises undertaking threat modeling, we believe it is a core proactive cybersecurity practice that ensures applications can withstand future attacks. Among medium and large sized enterprises that do threat modeling, just over half in the US do so every release, a percentage that grows to three quarters in the UK.

 

A chart indicating the frequency of threat modeling: We typically do threat modeling every release, We typically do threat modeling only once, We typically do threat modeling every year.

From the onset of the software development lifecycle, it is critically important to anticipate where attacks are likely to come from and to implement controls to mitigate risk from these threats.

While more extensive threat modeling coverage is desired, internal challenges in doing so are numerous.

An image showing various internal threat modeling challenges faced by organizations: Difficulty automating the integration with other technologies (56%), Too time-consuming (41%), Too manual (37%), Lack of consistency (43%), Lack of skilled resources (20%), Not high enough of a priority (18%).

Across industries involved in software application development, the majority also do not start soon enough, during the requirements gathering and design stages.

A bar chart indicating the stages of the SDLC where threat modeling is typically performed: Requirements gathering (6%), Design (19%), Development (51%), Testing (16%), Deployment (6%), Maintenance (2%).

Increased threats to Government

Increasingly, governments are seeing the need to begin security sooner in the software development process. Termed “shift left”, this approach sits as one of the top priorities of US government agencies, particularly at the Federal level and especially among agencies that develop their own custom software.

A chart illustrating the priority levels of shifting security left among organizations: Not a priority (3% overall, 1% custom software), Very low priority (10% overall, 6% custom software), One of our top 10 priorities (33% overall, 31% custom software), One of our top 3 priorities (28% overall, 27% custom software), Top priority (26% overall, 34% custom software).

The acceleration of cyber attacks in 2021, including governments and public utilities, has led to a need for an increased complexity of government defense. Indeed, in May of 2021 the US President signed an Executive Order on Improving the Nation’s Cybersecurity.

Challenges remain, however, in particular with obtaining adequate budgets to fully implement proactive security.

 

A bar chart detailing the challenges faced in implementing DevSecOps: Budget constraints (57%), Managing legal, regulatory & compliance controls (35%), Inadequate skill-sets (lack of training) (34%), Challenges with ATO process/speed (31%), Lack of organizational agility (31%), Securing DevSecOps Infrastructure & Pipeline (27%).