Global adoption of data and privacy programs still maturing

Privacy and data protection is a critical issue for organizations as it moves beyond legal departments to the forefront of an organization’s strategic priorities.

FairWarning research, based on survey results from more than 550 global privacy and data protection, IT, and compliance professionals, outlines the characteristics and behaviors of advanced privacy and data protection teams.

By examining the trends of privacy adoption and maturity across industries, the research uncovers adjustments that security and privacy leaders need to make to better protect their organization’s data.

The prevalence of data and privacy attacks

Insights from the research reinforce the importance of privacy and data protection as 67% of responding organizations documented at least one privacy incident within the past three years, and over 24% of those experienced 30 or more.

Additionally, 50% of all respondents reported at least one data breach in the last three years, with 10% reporting 30 or more.

Overall immaturity of privacy programs

Despite increased regulations, breaches and privacy incidents, organizations have not rapidly accelerated the advancement of their privacy programs as 44% responded they are in the early stages of adoption and 28% are in middle stages.

Healthcare and software rise to the top

Despite an overall lack of maturity across industries, healthcare and software organizations reflect more maturity in their privacy programs, as compared to insurance, banking, government, consulting services, education institutions and academia.

Harnessing the power of data and privacy programs

Respondents understand the significant benefits of a mature privacy program as organizations experience greater gains across every area measured including: increased employee privacy awareness, mitigating data breaches, greater consumer trust, reduced privacy complaints, quality and innovation, competitive advantage, and operational efficiency.

Of note, more mature companies believe they experience the largest gain in reducing privacy complaints (30.3% higher than early stage respondents).

Attributes and habits of mature privacy and data protection programs

Companies with more mature privacy programs are more likely to have C-Suite privacy and security roles within their organization than those in the mid- to early-stages of privacy program development.

Additionally, 88.2% of advanced stage organizations know where most or all of their personally identifiable information/personal health information is located, compared to 69.5% of early stage respondents.

Importance of automated tools to monitor user activity

Insights reveal a clear distinction between the maturity levels of privacy programs and related benefits of automated tools as 54% of respondents with more mature programs have implemented this type of technology compared with only 28.1% in early stage development.

Automated tools enable organizations to monitor all user activity in applications and efficiently identify anomalous activity that signals a breach or privacy violation.

“This research revealed a major gap between mature and early stage privacy programs and the benefits they receive,” said Ed Holmes, CEO, FairWarning.

“It is exciting to see healthcare at the top when it comes to privacy maturity. However, as we dig deeper into the data, we find that 37% of respondents with 30 or more breaches are from healthcare, indicating that there is still more work to be done.

“This study highlights useful guidance on steps all organizations can take regardless of industry or size to advance their program and ensure they are at the forefront of privacy and data protection.”

“In today’s fast-paced and increasingly digitized world, organizations regardless of size or industry, need to prioritize data and privacy protection,” said IAPP President & CEO J. Trevor Hughes.

“As the research has demonstrated, it is imperative that security and privacy professionals recognize the importance of implementing privacy and data protection programs to not only reduce privacy complaints and data breaches, but increase operational efficiency.”

Most cybersecurity pros believe automation will make their jobs easier

Despite 88% of cybersecurity professionals believing automation will make their jobs easier, younger staffers are more concerned than their veteran counterparts that the technology will replace their roles, according to research by Exabeam.

Overall, satisfaction levels continued a 3-year positive trend, with 96% of respondents indicating they are happy with role and responsibilities and 87% reportedly pleased with salary and earnings. Additionally, there was improvement in gender diversity with female respondents increasing from 9% in 2019 to 21% this year.

“The concern for automation among younger professionals in cybersecurity was surprising to us. In trying to understand this sentiment, we could partially attribute it to lack of on-the-job training using automation technology,” said Samantha Humphries, security strategist at Exabeam.

“As we noted earlier this year in our State of the SOC research, ambiguity around career path or lack of understanding about automation can have an impact on job security. It’s also possible that this is a symptom of the current economic climate or a general lack of experience navigating the workforce during a global recession.”

AI and ML: A threat to job security?

Of respondents under the age of 45, 53% agreed or strongly agreed that AI and ML are a threat to their job security. This is contrasted with just 25% of respondents 45 and over who feel the same, possibly indicating that subsets of security professionals in particular prefer to write rules and manually investigate.

Interestingly, when asked directly about automation software, 89% of respondents under 45 years old believed it would improve their jobs, yet 47% are still threatened by its use. This is again in contrast with the 45 and over demographic, where 80% believed automation would simplify their work, and only 22% felt threatened by its use.

Examining the sentiments around automation by region, 47% of US respondents were concerned about job security when automation software is in use, as well as SG (54%), DE (42%), AUS (40%) and UK (33%).

In the survey, which drew insights from professionals throughout the US, the UK, AUS, Canada, India and the Netherlands, only 10% overall believed that AI and automation were a threat to their jobs.

On the flip side, there were noticeable increases in job approval across the board, with an upward trend in satisfaction around role and responsibilities (96%), salary (87%) and work/life balance (77%).

Diversity showing positive signs of improvement

When asked what else they enjoyed about their jobs, respondents listed working in an environment with professional growth (15%) as well as opportunities to challenge oneself (21%) as top motivators.

53% reported jobs that are either stressful or very stressful, which is down from last year (62%). Interestingly, despite being among those that are generally threatened by automation software, 100% of respondents aged 18-24 reported feeling secure in their roles and were happiest with their salaries (93%).

Though the number of female respondents increased this year, it remains to be seen whether this will emerge as a trend. This year’s male respondents (78%) are down 13% from last year (91%).

In 2019, nearly 41% were in the profession for at least 10 years or more. This year, a larger percentage (83%) have 10 years or less, and 34% have been in the cybersecurity industry for five years or less. Additionally, one-third do not have formal cybersecurity degrees.

“There is evidence that automation and AI/ML are being embraced, but this year’s survey exposed fascinating generational differences when it comes to professional openness and using all available tools to do their jobs,” said Phil Routley, senior product marketing manager, APJ, Exabeam.

“And while gender diversity is showing positive signs of improvement, it’s clear we still have a very long way to go in breaking down barriers for female professionals in the security industry.”

Is the skills gap preventing you from executing your enterprise strategy?

As many business leaders look to close the skills gap and cultivate a sustainable workforce amid COVID-19, an IBM Institute for Business Value (IBV) study reveals less than 4 in 10 human resources (HR) executives surveyed report they have the skills needed to achieve their enterprise strategy.

COVID-19 exacerbated the skills gap in the enterprise

Pre-pandemic research in 2018 found as many as 120 million workers surveyed in the world’s 12 largest economies may need to be retrained or reskilled because of AI and automation in the next three years.

That challenge has only been exacerbated in the midst of the COVID-19 pandemic – as many C-suite leaders accelerate digital transformation, they report inadequate skills as one of their biggest hurdles to progress.

Employers should shift to meet new employee expectations

Ongoing consumer research also shows surveyed employees’ expectations for their employers have significantly changed during the COVID-19 pandemic but there’s a disconnect in how effective leaders and employees believe companies have been in addressing these gaps.

74% of executives surveyed believe their employers have been helping them learn the skills needed to work in a new way, compared to just 38% of employees surveyed, and 80% of executives surveyed said their company is supporting employees’ physical and emotional health, but only 46% of employees surveyed agreed.

“Today perhaps more than ever, organizations can either fail or thrive based on their ability to enable the agility and resiliency of their greatest competitive advantage – their people,” said Amy Wright, managing partner, IBM Talent & Transformation.

“Business leaders should shift to meet new employee expectations brought on by the COVID-19 pandemic, such as holistic support for their well-being, development of new skills and truly personalized employee experiences even while working remotely.

“It’s imperative to bring forward a new era of HR – and those companies that were already on the path are better positioned to succeed amid disruption today and in the future.”

The study includes insights from more than 1,500 global HR executives surveyed in 20 countries and 15 industries. Based on those insights, the study provides a roadmap for the journey to the next era of HR, with practical examples of how HR leaders at surveyed “high-performing companies” – meaning those that outpace all others in profitability, revenue growth and innovation – can reinvent their function to build a more sustainable workforce.

Additional highlights

  • Nearly six in 10 high performing companies surveyed report using AI and analytics to make better decisions about their talent, such as skilling programs and compensation decisions. 41% are leveraging AI to identify skills they’ll need for the future, versus 8% of responding peers.
  • 65% of surveyed high performing companies are looking to AI to identify behavioral skills like growth mindset and creativity for building diverse adaptable teams, compared to 16% of peers.
  • More than two thirds of all respondents said agile practices are essential to the future of HR. However, less than half of HR units in participating organizations have capabilities in design thinking and agile practices.
  • 71% of high performing companies surveyed report they are widely deploying a consistent HR technology architecture, compared to only 11% of others.

“In order to gain long-term business alignment between leaders and employees, this moment requires HR to operate as a strategic advisor – a new role for many HR organizations,” said Josh Bersin, global independent analyst and dean of the Josh Bersin Academy.

“Many HR departments are looking to technology, such as the cloud and analytics, to support a more cohesive and self-service approach to traditional HR responsibilities. Offering employee empowerment through holistic support can drive larger strategic change to the greater business.”

Three core elements to promote lasting change

According to the report, surveyed HR executives from high-performing companies were eight times as likely as their surveyed peers to be driving disruption in their organizations. Among those companies, the following actions are a clear priority:

  • Accelerating the pace of continuous learning and feedback
  • Cultivating empathetic leadership to support employees’ holistic well-being
  • Reinventing their HR function and technology architecture to make more real-time data-driven decisions

Banks risk losing customers with anti-fraud practices

Many banks across the U.S. and Canada are failing to meet their customers’ online identity fraud and digital banking needs, according to a survey from FICO.

Despite COVID-19 quickly turning online banking into an essential service, the survey found that financial institutions across North America are struggling to establish practices that combat online identity fraud and money laundering, without negatively impacting customer experience.

For example, 51 percent of North American banks are still asking customers to prove their identities by visiting branches or posting documents when opening digital accounts. This also applies to 25 percent of mortgages or home loans and 15 percent of credit cards opened digitally.

“The pandemic has forced industries to fully embrace digital. We now are seeing North American banks that relied on face-to-face interactions to prove customers’ identities rethinking how to adapt to the digital first economy,” said Liz Lasher, vice president of portfolio marketing for Fraud at FICO.

“Today’s consumers expect a seamless and secure online experience, and banks need to be equipped to meet those expectations. Engaging valuable new customers, then having them abandon applications when identity proofing becomes expensive and difficult.”

Identity verification process issues

The study found that only up to 16 percent of U.S. and Canadian banks employ the type of fully integrated, real-time digital capture and validation tools required for consumers to securely open a financial account online.

Even when digital methods are used to verify identity, the experience still raises barriers with customers expected to use email or visit an “identity portal” to verify their identities.

Creating a frictionless process is key to meeting consumers’ current expectations. For example, according to a recent Consumer Digital Banking study, while 75 percent of consumers said they would open a financial account online, 23 percent of prospective customers would abandon the process due to an inconsistent identity verification process.

Lack of automation is a problem for banks too

The lack of automation when verifying customers’ identity isn’t just a pain point for customers – 53 percent of banks reported it as problematic for them too.

Regulation intended to prevent criminal activity such as money laundering typically requires banks to review customer identities in a consistent, robust manner and this is harder to achieve for institutions relying on inconsistent manual resources.

Fortunately, 75 percent of banks in the U.S. and Canada reported plans to invest in an identity management platform within the next three years.

By moving to a more integrated and strategic approach to identity proofing and identity authentication, banks will be able to meet customer expectations and deliver consistently positive digital banking experiences across online channels.

Compliance activities cost organizations $3.5 million annually

Organizations are struggling to keep up with IT security and privacy compliance regulations, according to a Telos survey.

Annual compliance cost

The survey, which polled 300 IT security professionals in July and August 2020, revealed that, on average, organizations must comply with 13 different IT security and/or privacy regulations and spend $3.5 million annually on compliance activities, with compliance audits consuming 58 working days each quarter.

As more regulations come into existence and more organizations migrate their critical systems, applications and infrastructure to the cloud, the risk of non-compliance and associated impact increases.

Key research findings

  • IT security professionals report receiving an average of over 17 audit evidence requests each quarter and spend an average of three working days responding to a single request
  • Over the last 24 months, organizations have been found non-compliant an average of six times by both internal and third party auditors resulting in an average of eight fines, costing an average of $460,000
  • 86 percent of organizations believe compliance would be an issue when moving systems, applications and infrastructure to the cloud
  • 94 percent of organizations report they would face challenges when it comes to IT security compliance and/or privacy regulations in the cloud

Compliance teams are overwhelmed

“Compliance teams spend 232 working days each year responding to audit evidence requests, in addition to the millions of dollars spent on compliance activities and fines,” said Dr. Ed Amoroso, CEO of TAG Cyber. “The bottom line is this level of financial and time commitment is unsustainable in the long run.”

“As hammer, chisel and stone gave way to clipboard, paper and pencil, it’s time for organizations to realize the days of spreadsheets for ‘checkbox compliance’ are woefully outdated,” said Steve Horvath, VP of strategy and cloud at Telos.

“Automation can solve numerous compliance challenges, as the data shows. It’s the only real way to get in front of the curve, rather than continuing to try and keep up.”

99 percent of survey respondents indicated their organization would benefit from automating IT security and/or privacy compliance activities, citing expected benefits such as increased accuracy of evidence (54 percent), reduced time spent being audited (51 percent) and the ability to respond to audit evidence requests more quickly (50 percent).

Technologies that enable legal and compliance leaders to spot innovations

COVID-19 has accelerated the push toward digital business transformation for most businesses, and legal and compliance leaders are under pressure to anticipate both the potential improvements and possible risks that come with new legal technology innovations, according to Gartner.

Legal technology innovations

To address this challenge, Gartner lists 31 must-watch legal technologies so that legal and compliance leaders can identify innovations that will allow them to act faster. They can use this information for internal planning and prioritization of emerging innovations.

“Legal and compliance leaders must collaborate with other stakeholders to garner support for organization-wide and function-wide investments in technology,” said Zack Hutto, director in the Gartner Legal and Compliance practice.

“They must address complex business demand by investing in technologies and practices to better anticipate, identify and manage risks, while seeking out opportunities to contribute to growth.”

Analysts said enterprise legal management (ELM), subject rights requests, predictive analytics, and robotic process automation (RPA) are likely to be most beneficial for the majority of legal and compliance organizations within a few years. They are also likely to help with the increased need for cost optimization and unplanned legal work arising from the pandemic.

Enterprise legal management

This is a multifaceted market where several vendors are trying to consolidate many of the technologies on this year’s Hype Cycle into unified platforms and suites to streamline the many aspects of corporate governance.

“Just as enterprise resource planning (ERP) overhauled finance, there is promise for a foundational system of record to improve in-house legal operations and workflows,” said Mr. Hutto. “Legal leaders should take a lesson from ERP’s evolution: ‘monolithic’ IT systems tend to lack flexibility and can quickly become an anchor not a sail.”

Legal application leaders and general counsel must begin with their desired business outcomes, and only then find a technology that can help deliver those outcomes.

Subject rights requests

The demand for subject rights requests (SRRs) is growing along with the number of regulations that enshrine a data subject’s right to access their data and request amendment or deletion. Current regulations include the CCPA in the U.S., the EU’s GDPR and Brazil’s Lei Geral de Proteção de Dados.

Many organizations are funneling their subject access requests (SARs) through internal legal counsel to limit the potential exposure to liability. This is costing, on average, $1,406 per SAR.

“In the face of rising request volumes and significant costs, there is great potential for legal and compliance leaders to make substantial savings and free up time by using technology to automate part, if not most, of the SRR workflow,” said Mr. Hutto.

Predictive analytics

This is a well-established technology and the market is mature, so it can be relatively simple to use “out-of-the-box” or via a cloud service. Typically, the technology can examine data or content to answer the question, “What is likely to happen if…?”

“Adoption of this technology in legal and compliance is typically less mature than other business functions,” said Mr. Hutto. “This likely means untapped use cases where existing solutions could be used in the legal and compliance context to offer some real benefits.

“While analytics platforms may make data analysis more ‘turnkey’, extracting real insights may be more elusive. Legal and compliance leaders still should consider and improve the usefulness of their data, the capabilities of their teams, and the attainability of data in various existing systems.”

Robotic process automation (RPA)

RPA’s potential to streamline workflows for repetitive, rule-based tasks is already well-established in other business functions. Typically, RPA is best suited to systems with standardized (often legacy) user interfaces for which scripts can be written.

“Where legal departments already use these types of systems it is likely that RPA can drive higher efficiency,” said Mr. Hutto. “However, not all legal departments use such systems. If not, it could make sense to take a longer view and consider investing in systems that have automation functionality built in.”

Gartner’s advice to consider these four technologies is not solely based on their position on the Hype Cycle. Legal and compliance leaders should focus on the technologies that have the most potential for driving the greatest transformation within their own organizations in the near to medium term; the position on the Hype Cycle is part of that but not the whole story.

For example, Mr. Hutto said blockchain is a technology that has the potential to make a successful journey to the Plateau of Productivity within five years. But for now, its application will likely be limited to quite a narrow set of use cases, and it is unlikely to be transformational for corporate legal and compliance leaders.

37% of remote employees have no security restrictions on corporate devices

ManageEngine unveiled findings from a report that analyzes behaviors related to personal and professional online usage patterns.

Security restrictions on corporate devices

The report combines a series of surveys conducted among nearly 1,500 employees amid the pandemic as many people were accelerating online usage due to remote work and stay-at-home orders. The findings evaluate users’ web browsing habits, opinions about AI-based recommendations, and experiences with chatbot-based customer service.

“This research illuminates the challenges of unsupervised employee behaviors, and the need for behavioral analytics tools to help ensure business security and productivity,” said Rajesh Ganesan, vice president at ManageEngine.

“While IT teams have played a crucial role in supporting remote work and business continuity during the pandemic, now is an important time to evaluate the long-term effectiveness of current strategies and augment data analytics to IT operations that will help sustain seamless, secure operations.”

Risky online behaviors could compromise corporate data and devices

63% of respondents report that their organization has provided them with a corporate device to utilize while working remotely.

Interestingly, 37% of those respondents also say that there are no security restrictions on these corporate devices. Therefore, risky online activities such as visiting unsecured websites, sharing personal information, and downloading third-party software could pose potential threats.

For example, 54% said they would still visit a website after receiving a warning about potential insecurities. This percentage is also significantly higher among younger generations – including 42% of people 18-24 years and 40% of 25-34 years.

Remote work has its hiccups, but IT teams have been responsive

79% of respondents say they experience at least one technology issue weekly while working from home. The most common issues include slowed functionality and download speeds (40%) and reliable connectivity (25%).

However, IT teams have been committed to solving these challenges. For example, 75% of respondents say it’s been easy to communicate with their IT teams to resolve these issues. Chatbots, AI, and automation are becoming increasingly more effective and trusted.

76% said their experience with chatbot-based support has been “excellent” or “satisfactory,” and 55% said their issue was resolved in a timely manner. As it relates to artificial intelligence, 67% say they trust these solutions to make recommendations for them.

The increasing comfort with automation technologies can help IT teams support both front and back-end business functions, especially during times of increased online activities due to the pandemic.

How important is monitoring in DevOps?

The importance of monitoring is often left out of discussions about DevOps, but a Gartner report shows how it can lead to superior customer experiences.

The report provides the following key recommendations:

  • Work with DevOps teams during the design phase to add the instrumentation necessary to track business key performance indicators and monitor business metrics in production.
  • Automate the transmission of embedded monitoring results between monitoring and deployment tools to improve application deployments.
  • Use identified business requirements to develop a pipeline for delivering new functionality, and develop monitoring to a practice of continuous learning and feedback across stakeholders and product managers.

While the report focuses on application monitoring, the benefits of early DevOps integration apply equally to database monitoring, according to Grant Fritchey, Redgate DevOps Advocate and Microsoft Data Platform MVP: “In any DevOps pipeline, the database is often the pain point because you need to update it alongside the application while keeping data safe. Monitoring helps database developers identify and fix issues earlier, and minimizes errors when changes are deployed.”

Optimizing performance before releases hit production

Giving development teams access to live monitoring data during database development and testing, for example, can help them optimize performance before releases hit production. They can see immediately if their changes influence operational or performance issues, and drill down to the cause.

Similarly, database monitoring tools can be configured to read and report on deployments made to any server and automatically deliver an alert back to the development team if a problem arises, telling them what happened and how to fix the issue.

This continuous feedback loop not only reduces time spent manually checking for problems, but speeds up communication between database development and operational teams. Most importantly, this activity all takes place on non-production environments, meaning fewer bad customer experiences when accessing production data.

This increased focus on monitoring is prompting many high performing DevOps teams to introduce third-party tools which offer more advanced features like the ability to integrate with the most popular deployment, alerting and ticketing tools.

The advantages

A good example is the financial services sector. Redgate’s report revealed that 66% of businesses in the sector now use a third-party monitoring tool, outpacing all other sectors. And while 61% of businesses deploy database changes once a week or more, compared to 43% across other sectors, issues with deployments are detected faster and recovered from sooner.

The Gartner report states: “By enabling faster recognition and response to issues, monitoring improves system reliability and overall agility, which is a primary objective for new DevOps initiatives.”

Many organizations are discovering there are big advantages in including the database in the monitoring conversation as well.

60% of IT pros list improving security as a top priority today

Kaseya announced the results of its sixth annual IT operations benchmark report, consisting of two distinct survey audiences: IT practitioners (the IT managers and technicians working daily with technology) and IT leaders (IT directors and above).

The study surveyed 878 SMB respondents, 543 of whom were IT practitioners and 335 were IT leaders. The differences in priorities and concerns between the two audiences understandably center around aspects of their roles impacted most by COVID-19: IT leaders are currently more focused on maintaining operations while keeping IT budgets in check, whereas one of IT practitioners’ greatest struggles is maintaining productivity using limited resources.

However, many similarities also emerged for both groups, including an emphasis on IT security, data protection and the interplay between automation and productivity in 2020.

Improving security is a top priority

Although 63% of IT practitioners said they had not experienced a security breach or ransomware attack in the past three years, the increase in cyberattacks during the pandemic has cemented cybersecurity and data protection as a top priority for both groups.

More than half of IT practitioners and 60% of IT leaders listed “improving IT security” as their top priority in 2020, and more than half of respondents from both groups named “cybersecurity and data protection” as their top challenge.

But managing and working with limited budgets makes securing their company during this time difficult for IT teams. Although 73% of IT leaders are optimistic that their IT budgets will remain the same or increase in 2021, nearly one-third are still concerned about having inadequate IT budgets or resources to meet demands — a similar consideration for 32% of practitioners.

As a result of limited budgets, less than a third of practitioners are actually able to patch remote, off-network devices. This potentially exposes the entire company’s networks to higher security risks given the increase in remote workforces using personal devices or connecting to unsecured Wi-Fi connections during the pandemic.

Investing in IT automation improves productivity and reduces costs

In addition to potentially making companies vulnerable to security risks, slashed budgets can also impact an IT team’s productivity. Luckily, both IT practitioners and leaders are on the same page about the solution to this problem in 2020: automation.

IT practitioners who listed “increasing IT productivity through automation” and IT leaders who named “reducing IT costs” are simply pursuing the same goal, since higher productivity ultimately reduces operating costs.

When asked about the technologies IT leaders are planning to invest in for 2021, 60% said “IT automation.” Likewise, 38% of practitioners named “automation of IT processes” as a top use case for their endpoint management solution.

GRC teams have a number of challenges meeting regulatory demands

Senior risk and compliance professionals within financial services companies lack confidence in the security data they are providing to regulators, according to Panaseer.

Results from a global external survey of over 200 GRC leaders reveal concerns about data accuracy, request overload, resource-heavy processes and lack of end-to-end automation.

The results indicate a wider issue with cyber risk management. If GRC leaders don’t have confidence in the accuracy and timeliness of security data provided to regulators, then the same holds true for the confidence in their own ability to understand and combat cyber risks.

41% of risk leaders feel ‘very confident’ that they can fulfill the security-related requests of a regulator in a timely manner. 27.5% are ‘very satisfied’ that their organization’s security reports align to regulatory compliance needs.

GRC leaders cited their top challenges in fulfilling regulator requests, as:

  • Getting access to accurate data (35%)
  • The number of report requests (29%)
  • The length of time it takes to get information from security team (26%)

The limitations of traditional GRC tools

The issue has been perpetuated by the limitations of traditional GRC tools, which rely on qualitative questionnaires to provide evidence of compliance. This does not reflect the current challenges from cyber.

92% of senior risk and compliance professionals believe it would be valuable to have quantitative security controls assurance reporting (vs qualitative) and 93.5% believe it’s important to automate security risk and compliance reporting. However, only 11% state that their risk and compliance reporting is currently automated end to end.

96% said it is important to prioritize security risk remediation based on its impact to the business, but most can’t isolate risk to critical business processes composed of people, applications, devices. Only 33.5% of respondents are ‘very confident’ in their ability to understand all the asset inventories.

Charaka Goonatilake, CTO, Panaseer: “Faced with increasing requests from regulators, GRC leaders have resorted to throwing a lot of people at time-sensitive requests. These manual processes combined with lack of GRC tool scalability necessitates data sampling, which means they cannot have complete visibility or full confidence in the data they are providing.

“The challenge is being exacerbated by new risks introduced by IoT sensors and endpoints, which rarely consider security a core requirement and therefore introduce greater risk and increase the importance of controls and mitigations to address them.”

Andreas Wuchner, Panaseer Advisory Board member: “Facing the new reality of cyberthreats and regulatory pressures requires many organizations to fundamentally rethink traditional tools and defences.

“GRC leaders can enhance their confidence to accurately and quickly meet stakeholder needs by implementing Continuous Controls Monitoring, an emerging category of security and risk, which has just been recognised in the 2020 Gartner Risk Management Hype Cycle.”

Incident management tools and processes insufficient to enable innovation

Enterprise digital transformation budgets continue to increase despite a recession, developers find it challenging to innovate, and standard incident management tools and processes hinder digital service resilience, xMatters research reveals.

Digital service resilience is the ability to recover quickly, adapt and learn from incidents such as outages and interruptions to prevent future technology and customer-impacting issues.

The report also analyzed the varying degrees of incident management readiness or preparedness within an organization to identify its position in the Incident Management Spectrum.

The research found that comparatively, across the Incident Management Spectrum, only the most advanced organizations have isolated keys to success across business and incident management functions.

“Through a series of research reports over the past year, we studied the growing challenges faced by those tasked with the delivery and maintenance of digital services. Customer-impacting issues continue to be a roadblock to innovation as today’s digital, fast moving environment requires technology teams to spend more time supporting operations,” said Troy McAlpin, CEO at xMatters.

“However, there is an opportunity for technology professionals to evolve incident management approaches through incident response automation, collaboration and constant learning in order to achieve customer delight and further innovation.”

Pandemic forces digital transformation

Spending on digital transformation has increased continually since the November 2019 research. Twenty percent of companies with 1,001-5,000 employees are budgeting more than $10 million on digital transformation initiatives, compared with 9.3% in November 2019.

This focus on digital transformation was accelerated by the COVID-19 pandemic. Findings from the April 2020 Impact of COVID-19 on Digital Transformation survey showed more than half of consumers experienced a rise in application performance issues, forcing many companies to accelerate digital transformation in order to deliver accessible digital experiences for customers and employees.

Customer-impacting issues are a roadblock to innovation

The research found that the proportion of technology professionals affected by customer-impacting issues when building out services has increased by almost ten percentage points to 84.3%, compared to results from the November 2019 Incident Management in the Age of Customer-Centricity research. Overall, there is a marked need for improvement in customer experiences and an organizational commitment to innovation across industries.

72.3% of respondents—across a variety of titles including development, SRE, IT operations and management—reported that at least half of their team’s time is spent resolving incidents compared to time spent on innovation. Of these respondents, 27.3% said at least 80% of their team’s time is spent resolving incidents.

Opportunity for advancement in the Incident Management Spectrum

To assess the efficacy of incident management in organizations, the State of Automation in Incident Management analyzed components of a comprehensive incident management practice (i.e., team structure, tools) and how organizations detect, resolve and learn about incidents.

Responses to survey questions were further analyzed and scored to determine an organization’s position in the Incident Management Spectrum based on approaches to incident management.

The four categories within the Incident Management Spectrum include: ad hoc where there is no formal incident management practice; traditional incident management, an approach driven by service desk tickets and ITIL processes; modern incident management where individual teams detect and resolve service-based issues; and adaptive incident management where a scalable and service-centric model harnesses as much automation as possible.

The results of the research found that almost all respondents employ either a traditional (40.1%) or modern (58.6%) approach to incident management.

“Traditional teams spend much of their time on firefighting and completing non-value-added tasks compared to innovation, while modern teams, who have allocated more budget toward digital transformation, spend equal amounts of time resolving incidents and building out features,” continued McAlpin.

Automation, collaboration and learning are key to superior customer experiences

While most technology professionals reported the implementation of team-oriented incident management processes, there is room for advancement in multiple aspects of day-to-day processes.

43.4% of technology professionals deploy less sophisticated processes such as alerting; emailing and paging; conference bridges; or manual setup and outreach to engage team members, stakeholders and customers during an incident.

Most organizations who employ a traditional approach to incident management use service desks and process-heavy approaches, whereas modern organizations leverage incident management tools for incident response and management.

Moreover, as companies look to reliable digital services as an indicator of customer success, there is an opportunity to automate the postmortem process.

When asked about top benefits of using artificial intelligence or machine learning for incident management, respondents identified informing post-incident reporting with data from previous, related incidents (36%) and aggregation of data to detect anomalies early (28.9%).

CISOs struggling to prep for security audits

Calendars for security and compliance audits are largely unchanged despite COVID-19, yet the pandemic is straining teams as they work remotely, according to Shujinko.

Moreover, CISOs are tasked with preparing for more than three audits on average in the next 6-12 months, but struggle with inadequate tools, limited budgets and personnel, and inefficient manual processes.

Furthermore, the results show that migration to the cloud is dramatically increasing the scope and complexity of audit preparation, obsoleting old methods and approaches.

“This survey clearly shows that CISOs at major companies are caught between a rock and hard place when it comes to security and compliance audits over the second half of 2020 and want automated tools to help dig them out. Unfortunately, they’re simply not able to find them,” said Scott Schwan, Shujinko CEO.

“Teams are cobbling together scripts, shared spreadsheets, ticketing systems and a hodgepodge of other applications to try to manage, resulting in inefficiency, lengthy preparation and limited visibility. More than two-thirds of CISOs are looking for something better.”

CISOs preparing for more than three audits

Despite changes in the economic climate due to COVID-19, CISOs are still tasked with preparing for more than three upcoming compliance audits across multiple security frameworks (e.g., PCI, SOC 2, NIST-CSF, ISO 27001, etc.).

Most common audits are for HITRUST, HIPAA and PCI DSS

51% of CISOs surveyed indicated they are preparing for a HITRUST audit in the next six to twelve months, 45% are preparing for HIPAA, 43% for PCI DSS, 41% for CCPA and 36% for an internal audit. In addition, 77% of companies preparing for SOC-2 audits were software companies.

CISOs are worried about doing more with less

COVID-19 has amplified CISOs’ concerns about doing more with less (both people and budget) with both teams and auditors working remotely. Worries over conflicting priorities, draining available resources and ensuring that evidence is complete round out their top five CISO concerns.

CISOs desperately want more automation

72% of security executives say they want to improve the automation of their audit preparation process, and automation was cited as the number one element most CISOs would change if they could. Team communication and collaboration rounded out the top three most desired improvements.

Two-thirds of CISOs dislike their current tool set

The survey found that CISOs are currently using a mix of home-grown scripts, spreadsheets, ticketing systems, shared documents, Sharepoint and e-mail to prepare for audits. No CISOs reported having a security audit preparation tool that they are completely satisfied with.

CISOs have poor visibility into the audit process

No CISOs rated visibility into key audit preparation steps a complete success and only one rated it a 4 out of 5 – suggesting poor executive line-of-sight into hitting audit deadlines.

Audit processes don’t fit a cloud development model

Only 1 percent of CISOs said that their audit preparation process completely aligns with the speed and agility that is needed for rapid cloud application development and frequent iteration.

Intelligent processes and tech increase enterprises’ competitiveness

Enterprises of the future will be built on a foundation of artificial intelligence (AI), analytics, machine learning, deep learning and automation, that are central to solving business problems and driving innovation, Wipro finds.

Most businesses consider AI to be critical to improve operational efficiency, reduce employee time on manual tasks, and enhance the employee and customer experience.

The report examines the current landscape and shows the challenges and the driving factors for businesses to become truly intelligent enterprises. Wipro surveyed 300 respondents in UK and US across key industry sectors like financial services, healthcare, technology, manufacturing, retail and consumer goods.

The report highlights that while collecting data is critical, the ability to combine this with a host of technologies to leverage insights creates an intelligent enterprise. Organizations that fast-track adoption of intelligent processes and technologies stand to gain an immediate competitive advantage over their counterparts.

Key findings

  • While 80% of organizations recognize the importance of being intelligent, only 17% would classify their organizations as an Intelligent Enterprise.
  • 98% of those surveyed believe that being an Intelligent Enterprise yields benefits to organizations. The most important ones being improved customer experience, faster business decisions and increased organizational agility.
  • 91% of organizations feel there are data barriers towards being an Intelligent Enterprise, with security, quality and seamless integration being of utmost concern.
  • 95% of business leaders surveyed see AI as critical to being Intelligent Enterprises, yet, currently, only 17% can leverage AI across the entire organization.
  • 74% of organizations consider investment in technology as the most likely enabler for an Intelligent Enterprise, however 42% of them think that this must be complemented with efforts to re-skill workforce.

Jayant Prabhu, VP & Head – Data, Analytics & AI, Wipro said, “Organizations now need new capabilities to navigate the current challenges. The report amplifies the opportunity to gain a first-mover advantage to being Intelligent.

“The ability to take productive decisions depends on an organization’s ability to generate accurate, fast and actionable intelligence. Successful organizations are those that quickly adapt to the new technology landscape to transform into an Intelligent Enterprise.”

2020 trends in SOX compliance

SOX & Internal Controls Professionals Group released a survey which measures the costs, execution, challenges and priorities faced by companies that comply with the Sarbanes-Oxley Act (SOX).

“In its fifth year, our survey reflects the broad experience of SOX professionals over time and presents a balanced perspective of the current state of SOX and internal controls management,” said Camille Kearns Rudy, National Director of the SOX & Internal Controls (IC) Professionals Group.

“Importantly, the survey confirms that the C-suite views SOX as highly valuable in their organizations. This acknowledgement ensures that SOX will have access to institutional capital needed to thrive and be effective.”

Improving efficiency in the SOX function was the top priority for SOX/IC practitioners in 2020. One-third of respondents reported they spend more than half their time on SOX, and that finding new ways to reduce the complexity of the controls processes and the time spent on manual testing was key.

Many still relying on spreadsheets and desktop publishing tools

Forty-four percent of respondents said they will focus heavily on controls automation, which ushers in the need for intelligent, cloud-based technology.

More than half of the market currently uses a SOX-specific software to execute their SOX compliance program, but one-third still rely on spreadsheets and desktop publishing tools.

While upgrading technology has been a concern, but not a priority, in previous years, the high-risk environment created by COVID-19 has sparked a renewed sense of urgency to make changes to existing technologies and processes.

Cybersecurity and IT controls have also historically been among the top three areas of concern for SOX/IC professionals. These too have received increased attention in 2020, as over half of write-in comments highlighted the impacts of remote working and the ability to execute compliance.

RedCommander: Open source tool for red teaming exercises

GuidePoint Security released a new open source tool that enables a red team to easily build out the necessary infrastructure.

The RedCommander tool solves a major challenge for red teams around the installation and operationalization of infrastructure by combining automation scripts and other tools into a deployable package.

RedCommander is a series of Ansible Playbooks that automate the tedious tasks required to stand up covert command and control channels during a red team exercise. This open source tool is intended to be a stepping stone for more advanced configurations during red team assessments.

Once an operator spins up several servers and configures redirectors, they can leverage RedCommander to modify and monitor their command and control servers for blue team investigations by way of RedELK. The result provides the operator with a full-spectrum overview of a Red Team exercise while simultaneously centralizing logs for Indicators of Compromise (IOC) analysis.

“Exercising defensive responses is a crucial security practice for any organization,” says Alex Williams, the creator of RedCommander and a senior consultant in the GuidePoint Security Threat & Attack Simulation practice.

“RedCommander makes it easier for red teams to deploy their infrastructure in a more customized fashion, giving them a true infrastructure for success.”

How to drive business value through balanced development automation

Aligning security and delivery at a strategic level is one of the most complex challenges for executives. It starts with an understanding that risk-based thinking should not be perceived as an overhead or tax, but a value added component of creating a high-quality product or service.

One solution is balanced development automation, which is about aligning automated DevOps (development and IT operations) pipelines with business risk and compliance. To attain this, alignment must be achieved between risk and business teams at two different levels:

1. Strategic level (CEO, COO, CFO, CRO, CIO, DPO)
2. Operational level (DevOps engineers, risk engineers)

The strategic level is more focused on delivery of business value, customer needs, risk, regulations, compliance, and so on. The operational level is focused on aligning to governance protocols like risk thresholds, delivery timelines, and automation during the build phases of business value creation.

Achieving alignment at the strategic level

At the executive level, both sides of business and risk need to concentrate on quality first – only then does it make sense to go about balancing risk and speed. Otherwise, risk and speed wind up as the only concerns and that risks poor quality showing up in products and services at the end of the line.

The end of the line in any process is where the actual customer that receives the value from a product or service experiences the touchpoint with your portfolio of valued items. It is there that perceived value needs to have the appropriate operational indicators. Some refer to these as customer-driven metrics. These are the ones that can measure Operational Key Results in alignment with operational risk metrics.

Once executive alignment is achieved on quality, the next step is to measure against key strategic customer metrics like attrition and satisfaction. This gives an indication of the value customers receive from a product or service. Organizations should think about appropriate high level metrics and measurements at the end of the development lifecycle, risk thresholds, and how these map to their customer. I consider these as the “parent” metrics.

After that, consider “child” metrics in the plan, delivery, and operation of DevOps – from here, governance and speed will come into play. A key problem today is the self-attestation audit activity at the end of the line process, which is hard to validate. This just doesn’t integrate well with a DevOps process because the measurement is reactive and coming too far down the pipeline. Worse yet, going back and fixing risk issues later on gets perceived as getting in the way. What needs to happen is a shift to the left of the development process where risk is measured early and often.

As organizations evolve into a more digital set of processes, this shift left is critical to understanding those key measurements from the beginning of the lifecycle. Otherwise, junk at the beginning will just automate junk faster all the way down the line. Eventually, there will be a higher price to pay for poor quality.

Achieving alignment at the operational level

Operationally, challenges stem from misalignment in understanding who the end customer really is. Companies often design products and services for themselves and not for the end customer. Once an organization focuses on the end user and how they are going to use that product and service, the shift in thinking occurs. Now it’s about looking at what activities need to be done to provide value to that end customer.

Thinking this way, there will be features, functions, and processes never done before. In the words of Stephen Covey, “Keep the main thing the main thing”. What is the main thing? The customer. What features and functionality do you need for each of them from a value perspective? And you need to add governance to that.

Effective governance ensures delivery of a quality product or service that meets your objectives without monetary or punitive pain. The end customer benefits from that product or service having effective and efficient governance.

That said, heavy governance is also waste. There has to be a tension and a flow or a balance between Hierarchical Governance and Self Governance where the role of every person in the organization is clearly aligned in their understanding of value contributed to the end customer. With that, employees and contractors alike feel empowered and purposeful in their work and contributions.

Once the customer value proposition is clearly identified, organizations can identify how day to day operations contribute value to that end customer in an efficient way. This is where lean thinking helps, looking for ways to reduce waste in the value creation process. If something is not a part of the value proposition, is it necessary? If something is missing that would add significant value, how can we add it? This will lead to an alignment that drives value creation.

Conclusion

Delivering on DevOps speed is no longer good enough. Organizations also need to balance the need for speed against regulatory, compliance, and security concerns, and we need to do this fast and first. If a firm can’t get there fast through re-structure of an operating model and associated skills, it is best to have SCRUM Masters trained in LEAN and Six Sigma, TOGAF, and assorted Cybersecurity GRC Frameworks to help you through iterations. I call that the big “Iterative, Fast and First” (IFF) principle of GRC by Design.

Are the activities an organization is conducting offering something of value to the business? Answering this question has implications for both strategic and operational teams. The business value context sets up alignment with the end customer and drives value at each stage through balanced development automation.

A look at enterprise network and application modernization efforts

80% of organizations are struggling to reach application delivery requirements with their existing infrastructure. But, amid pandemic concerns, efforts to modernize networks and applications to address this challenge are accelerating with 83% reporting budget increases for these initiatives over the next three years, NS1 reveals.

“Modernization was already on the radar for many organizations, but the pandemic has shocked the system and created a heightened sense of urgency,” said Kris Beevers, CEO, NS1. “Our research shows that IT leaders are accelerating projects aimed to increase efficiencies and business agility, improve application performance and user experiences, and drive additional revenue.”

Challenges to enterprise network and application modernization efforts

Within the broad scope of IT modernization, companies are prioritizing transformation initiatives for mobility (70%), remote data access (68%), automation (65%), security (61%), and IT resilience (60%).

Other areas where efforts are accelerating include public and private cloud deployments (58% and 57% respectively), improvements to scalability (58%) and deployment velocity (56%).

And yet, even with the heightened sense of urgency and budget behind them, survey respondents reported facing a number of obstacles in their IT modernization projects. Although four out of five acknowledge some progress with modernization, only 8% report that they have achieved their initial objectives, and 28% report “significant progress” (75% or greater).

Challenges to modernization include a talent and skills gap and competing priorities (37% each), as well as aging networks (35%) and the outdated, inflexible organizational structures that often come with them.

“Static, legacy tech drags down modernization efforts because it lacks the flexibility and agility necessary to support dynamic, scalable applications and IT environments,” added Beevers.

“Successful digital transformation starts with the underlying enterprise network and application infrastructure — DNS, DHCP and IP address management. When purpose-built for speed, reliability and scalability, these foundational technologies are critical in expediting modernization projects, automating network management tasks, and increasing efficiency and operational velocity in complex heterogeneous environments.”

Adoption and trends in the modern IT landscape

The study examined the adoption of modern technology across mid- to large-sized companies and uncovered the following trends.

The study found that 45% of respondents are currently using DDI, and another 48% plan to adopt the technology within 12 months. Adopters reported the most common use cases to be accelerating service discovery in microservices environments (60%) and connecting cloud and on-premise applications and data (56%).

Those with plans to implement DDI cited the following use cases as the most appealing:

  • Connecting cloud and on-premise applications and data (59%)
  • Accelerating application delivery (55%)
  • Automating network management tasks (54%)
  • Accelerating service discovery in microservices environments (42%)
  • Controlling costs associated with application and network management (40%)

Modern application stack

Nearly all companies are adopting modern application stack solutions, many of which are aimed directly at addressing network and application performance requirements, including:

  • Network monitoring tools, which 96% of respondents were either already implementing or planning to, within 12 months
  • Public/private cloud, multi-cloud – 94%
  • Automation and orchestration solutions – 93%
  • Intelligent traffic management – 87%
  • Multi-CDN – 85%

Save-to-transform as a catalyst for embracing digital disruption

Organizations that invest in key capabilities today to navigate a post COVID-19 business environment can position themselves to thrive in the “next normal”, according to a Deloitte survey.

The survey also found that expectations for positive revenue growth have declined significantly since the 2019 edition of the study, and two-thirds of respondents expect at least one more wave of COVID-19 relapses to occur. As a result, 66% of companies globally now expect to pursue cost reduction over the next 12 months, compared to 38% before the pandemic.

In addition, the percentage of respondents pursuing cost reduction targets greater than 10% increased by 61% (25 percentage points) compared to pre-COVID-19 levels.

The report, conducted between June and July 2020, aims to understand the short- and long-term impacts of the COVID-19 crisis on global cost management, performance improvement practices and transformation trends.

Survey results include responses from 1,089 global executives from 14 countries in the U.S., Latin America, Europe and Asia Pacific regions that have direct involvement in their companies’ cost management and enterprise transformation efforts.

Shifting cost management strategy from “Save-to-Transform”

The 2019 survey, conducted prior to the COVID-19 pandemic, found that the prevailing mindset for strategic cost management and enterprise transformation was “Save-to-Transform.”

In this approach, businesses evolve through infrastructure investments in digital technologies. In turn, these technologies can deliver dramatic improvements in competitiveness, performance and operating efficiency.

In response to the pandemic, the survey shows that organizations are evolving into a “Save-to-Thrive” mindset, in which they are accelerating strategic transformation actions specifically in response to challenges posed by COVID-19 to make shifts to their operating models, products and services and customer engagement capabilities.

“The Save-to-Thrive framework will be essential to success in the next normal as companies rely on technology and digital enablement — with a renewed emphasis on talent — to improve their plans for strategic cost transformation and overall enterprise performance improvement,” said Omar Aguilar, principal and global strategic cost transformation leader, Deloitte Consulting.

“Companies that react quickly and invest in technology and digital capabilities as they pursue the strategic levers of cost, growth, liquidity and talent will be best-positioned to succeed.”

Business challenges in a COVID-19 world

As countries responded to the pandemic by implementing restrictions such as stay-at-home orders and mandatory shutdowns, organizations began to experience demand-driven financial impacts.

According to the study, the top external challenge reported globally is a drop in consumer demand (74%), followed by a related shift in consumer behavior (67%). Cybersecurity vulnerabilities (65%) and supply chain challenges (65%) were also reported by survey respondents as top issues impacting their organizations.

In addition, industry-specific impacts are posing challenges — though they vary significantly by sector. A decline in revenue is expected by 61% of transportation sector and 60% of hospitality sector respondents, many of whose operations have been significantly curtailed by consumer demand and public health measures.

On the positive side, revenue growth is expected by 63% in the medical technology sector followed closely by telecom (58%), pharmaceuticals (58%) and software and information technology services (57%).

Finally, inability to adjust cost structure to meet demand is the top internal challenge globally and across all regions. Inability to meet employee safeguards and satisfy increased demand round out the top three internal challenges globally.

Coping with COVID-19: respond, recover, thrive

Current actions to address the COVID-19 crisis can be divided into three major stages: “respond” (immediate actions to respond to the crisis), “recover” (stabilize operations), and “thrive” (defined strategy with structural changes to thrive).

These stages culminate in a long-term operating environment we call the “next normal,” which represents new business conditions established as a result of the societal, commercial and technological changes caused by public and private reactions to COVID-19.

Today, survey respondents report that they are mostly in the “recover” phase as they respond to the immediate crisis and turn to recovery actions. The study also shows that, as organizations move through these phases, expectations for revenue growth, although down from pre-COVID-19 levels, remain somewhat positive in the “respond” stage (55%) and “recover” stage (58%).

In the “thrive” stage, the vast majority of companies globally (74%) and in all regions have a positive outlook for revenue growth, with only 24% globally expecting flat or declining revenue.

Lastly, automation has emerged as the top transformation action with about 2 in 3 companies expecting to pursue automation in all three stages of the respond-recover-thrive framework.

Succeeding in the next normal: New business conditions after COVID-19

When mapping out strategies to respond, recover and thrive, organizations should have informed insights about the future business environment. The 2020 Cost and Transformation Survey reports several trends that are shaping the next normal, including:

  • Revenue sources will be fundamentally different: According to the survey, the fastest growing revenue sources will be: digital channels; new products and services; and domestic operations.
  • IT infrastructure, remote work, and digital channels will be the top operating model priorities: The survey reports the top priorities as: enhance IT infrastructure (78%); enable remote work (76%); and enable pre-sale, sale and post-sale activities through digital channels (72%).
  • Top product strategies for the next normal focus on innovation, health and safety measures and customization: Globally, the top product strategies include: adjust, redesign or innovate your product/service offering to expand to adjacent and/or new markets (74%); leverage new health and safety measures by redesigning your current product/service offering (73%); and customize products or services to meet new customer and/or government requirements (74%).
  • Next normal customer engagement strategies will be driven by digital channels and flexible customer experiences: Globally, the most popular strategy for customer engagement will be to shift most transactions to digital channels (75%).
  • Cybersecurity and cloud will be the key technologies: Respondents report the most relevant technologies in the next normal will be cybersecurity solutions (80%) and cloud computing (80%).

“Our 2020 Global Cost and Enterprise Transformation survey shows how organizations that strategically pursue cost reduction in the wake of COVID-19, while concurrently reimagining the enterprise and transforming work and business models, can be more successful in the next normal,” said Sam Balaji, Deloitte global consulting leader.

“Investing in critical technology capabilities such as cloud and digital can increase business agility, improve competitiveness and better prepare organizations to persevere, and position them well for the post-COVID environment.”

Large-scale migrations away from on-premise environments are underway

COVID-19 has had a massive effect on DevOps, leading to large-scale migrations away from on-premises environments, a Codefresh survey reveals.

At the same time, DevOps automation continues to expand in scope and complexity, with more and more processes becoming automated and more involved technologies like Kubernetes continuing to gain strong traction. While the situation has improved somewhat year over year, most organizations are still struggling with implementing and maintaining automation.

COVID-19 has led many to reconsider their on-prem infrastructure strategy

58% of respondents say that, due to the pandemic, they are planning on moving some infrastructure to the cloud, with 17% of respondents planning to move their entire stack to the cloud.

In total, about 75% of respondents said that they are moving at least part of their infrastructure to the cloud as a result of the COVID-19 pandemic, representing a dramatic shift in strategy and further adoption towards the cloud.

DevOps budgets are going up in 2020

74% of respondents are expecting an increase, and more than half are expecting their budgets to increase by 25% or more.

Organizations are continuing to invest heavily in their DevOps budgets as the effect of DevOps on developer velocity and site reliability continues to be better understood.

Most companies still struggling with commit-to-production automation

If your organization is struggling with complete commit-to-production automation, you’re not alone. Automation proves to be elusive as less than 5% of respondents claimed that all of their company’s DevOps processes are automated from Git commit to code running in production.

52% of respondents have less than 50% of their organization’s DevOps process automated from Git commit to production. This is down from last year’s survey, where 66% of respondents had less than 50% of their processes automated. This represents the continued trend away from manual processes as organizations build out their DevOps automation.

Kubernetes continues to build momentum

Kubernetes continues to build momentum, with most thinking that it will be used on more than half of new projects by the end of 2020. 73% of respondents said that they believe that by the end of 2020, more than half of new projects will use Kubernetes.

In 2019’s survey, 54% of respondents said that Kubernetes would be used in more than half of all projects by the end of the year. Clearly, Kubernetes adoption is continuing to accelerate. 75% of respondents said that they have either already adopted Kubernetes or are planning to adopt Kubernetes soon.

67% of DevOps engineers spend over a quarter of their time just fixing bugs

67% of respondents said that they spend 25% or more of their time fixing bugs in their automated systems, while 35% of respondents spend 50% or more of their time fixing bugs in their automated systems.

This highlights the importance of choosing a well-architected DevOps automation stack, as the platform you use can have a massive impact on the amount of time lost to bug fixing.

Pandemic accelerates investments in tech, automation, workplace transformation

Umpqua Bank released a survey gauging the impact of the COVID-19 pandemic on the confidence and future of U.S.-based small and mid-size businesses. More than 1,200 leaders at companies across all industries and geographic regions were surveyed on how their businesses are responding and what they will need in the months ahead to navigate successfully through a once-in-a-lifetime global pandemic event.

“There’s no denying that the pandemic’s economic impact is deep and continues to be painful for businesses, but there is reason for measured optimism,” said Umpqua Bank President Torran Nixon.

“Small and mid-size businesses are showing resilience and ingenuity in the face of unprecedented disruption and uncertainty. Our research indicates that many have already made strategic pivots that in some cases have made them more competitive, and many more are preparing to pull all the levers at their disposal to emerge healthier, more efficient and better able to serve their customers in the long run.”

Survey participants come from businesses that weathered the initial economic shutdown but face continued uncertainty and are a primary audience for financial assistance through the federal Paycheck Protection Program.

They represent a broad cross-section of U.S. enterprises that drive significant job creation and prosperity, including middle market companies with at least $10 million in annual revenue that contribute $6 trillion to the U.S. economy annually and employ 44 million Americans.

Pandemic investments in tech, automation accelerate

Even as a significant majority of mid-size companies delay or cut spending in several areas, including outside vendors, marketing and promotions, hiring and benefits, nearly 5 in 10 have increased spending on technology, digital transformation or automation.

More than 80% of businesses have already begun automating or plan to automate tasks previously performed by workers, and 76% are exploring ways to digitize the customer experience.

Though smaller businesses are less likely to have concrete plans to make these shifts, moving toward automation and digital customer experience still rank as two of the top priorities for 29% and 46% of small businesses, respectively.

Companies adapting and reinventing their business

Mid-size companies in particular are making significant changes to lines of products and services, with 75% reporting they have done so or plan to do so. Roughly 30% of small businesses report a similar strategic shift.

Nearly 80% of mid-size companies have already made (17%) or are likely to make (61%) changes to their pricing model.

The potential of long-term workplace changes

The U.S. workforce has experienced significant upheaval in recent months. According to the report, some of the changes could have a long-lasting impact. Remote work, for example, could be here to stay, as nearly 8 in 10 mid-size and almost 50% of small businesses are moving now and planning in the future to allow more employees to work from home.

More than 60% of mid-size companies are also likely to replace current employees to add different skillsets, as well as move away from a traditional staffing model in favor of utilizing more contract workers.

Measured 12-month optimism is coupled with planning for expansion

Nearly 7 in 10 businesses expect their revenue to remain stable (40%) or increase (29%) in the next year. Another 66% expect their profitability to remain stable (40%) or increase (26%) in the next year.

Despite the challenging environment, roughly 70% of mid-size businesses are also thinking about expansion plans, with businesses in the Western U.S. leading all other regions in planning.

Some businesses are stronger, focused on positive, long-term changes

Though many businesses have been negatively impacted by the pandemic, not all businesses have been impacted adversely. Nearly a quarter of businesses report a stronger competitive advantage. Another 41% say they’re adapting and making changes that will make them profitable and competitive long term.

According to Richard Cabrera, Umpqua’s head of commercial & corporate banking, there’s tremendous opportunity for financial institutions to continue rising to the occasion following the Paycheck Protection Program by providing tailored solutions that preserve cashflow and create efficiencies necessary to remain competitive in the current and post-COVID economy.

“The stakes in the current economy are high, and the pandemic is clearly forcing companies to carefully consider key aspects of their business and go-forward strategy,” said Cabrera.

“With the help of experts in banking and other professional services, many small and mid-size enterprises will emerge from this crisis looking and behaving very differently, which likely will contribute to significant shifts in the U.S. economy as a whole.”

Most security pros are concerned about human error exposing cloud data

A number of organizations face shortcomings in monitoring and securing their cloud environments, according to a Tripwire survey of 310 security professionals.

76% of security professionals state they have difficulty maintaining security configurations in the cloud, and 37% said their risk management capabilities in the cloud are worse compared with other parts of their environment. 93% are concerned about human error accidentally exposing their cloud data.

Few orgs assessing overall cloud security posture in real time

Attackers are known to run automated searches to find sensitive data exposed in the cloud, making it critical for organizations to monitor their cloud security posture on a recurring basis and fix issues immediately.

However, the report found that only 21% of organizations assess their overall cloud security posture in real time or near real time. While 21% said they conduct weekly evaluations, 58% do so only monthly or less frequently. Despite widespread worry about human errors, 22% still assess their cloud security posture manually.

“Security teams are dealing with much more complex environments, and it can be extremely difficult to stay on top of the growing cloud footprint without having the right strategy and resources in place,” said Tim Erlin, VP of product management and strategy at Tripwire.

“Fortunately, there are well-established frameworks, such as CIS benchmarks, which provide prioritized recommendations for securing the cloud. However, the ongoing work of maintaining proper security controls often goes undone or puts too much strain on resources, leading to human error.”

Utilizing a framework to secure the cloud

Most organizations utilize a framework for securing their cloud environments – CIS and NIST being two of the most popular – but only 22% said they are able to maintain continuous cloud security compliance over time.

While 91% of organizations have implemented some level of automated enforcement in the cloud, 92% still want to increase their level of automated enforcement.

Additional survey findings show that automation levels varied across cloud security best practices:

  • Only 51% have automated solutions that ensure proper encryption settings are enabled for databases or storage buckets.
  • 45% automatically assess new cloud assets as they are added to the environment.
  • 51% have automated alerts with context for suspicious behavior.