The average organization today develops 464 custom applications — some running functions critical to the business — and puts a lot of the software in the public cloud. IT security is in the dark about nearly two-thirds of these applications, according to new research released this week from nonprofit Cloud Security Alliance (CSA) and security software vendor Skyhigh.
It’s yet another worry for CIOs, who have been trying to work more closely with their business colleagues to stop the spread of shadow IT. Custom applications developed outside the purview of IT and run in the cloud are of particular concern. CSA chief executive Jim Reavis said such software is especially vulnerable to cyberattacks because it is often built by people who “lack the tools and expertise to protect applications they develop and deploy in the public cloud.”
And if there is a breach? CIOs could get the ax. The report also found that 29% of CIOs would get fired if a cyberattack involved core custom applications in the cloud — even if data isn’t lost forever.
CSA and Skyhigh surveyed 314 IT professionals from major industries worldwide about custom applications — software their organizations build themselves. The pair released the report at the RSA Conference, a cybersecurity convention held this week in San Francisco.
According to the report, IT security personnel are aware of just 38% of custom applications, which more organizations are relying on for “business-critical” operations — that is, they could bring business to a halt if they’re not functioning. Today, 73% of organizations run such essential operations in custom applications.
Increasingly, these custom applications are running on infrastructure from cloud providers such as Amazon Web Services, Microsoft Azure and Google Cloud Platform. The report found that 46% of business-critical applications are running in the public cloud or in the combination of public and internally run private cloud known as hybrid.
Cloud computing, the report said, makes it easier for departments to build and deploy custom applications without IT security’s involvement.
The survey found that while 63% of organizations see public cloud providers as offering better security than their own data centers, concern persists about the security of custom applications in the cloud — with 32% “moderately concerned” and another 32% “very concerned.”
Data in the applications is exposed to threats “independent of the platform,” the report said. So accounts could be hacked through phishing, for example, or sensitive data could be uploaded to the cloud or downloaded to a device owned by an employee or other person.
The shift toward cloud infrastructure will continue, the report said. While 61% of application workloads are in data centers today, fewer than half, or 46%, will stay there in the next year.
“This rapid shift is partially due to new applications that are deployed in the public cloud, and because enterprises expect to migrate 20.7% of their existing applications running in data centers to the public cloud during this time,” the report said.
Who’s to blame?
If a cybersecurity breach brings down custom applications in the cloud, the CIO is not first in the firing line. Half of survey respondents indicated IT security personnel would get fired, 32% said operations folks responsible for monitoring the cloud infrastructure would get canned and 22% pointed to the developers who built the applications.
But the research also found that developers and IT security professionals would most likely take responsibility for a breach.
“Perhaps this indicates that at some level, developers feel responsible for the security of custom applications and could therefore be motivated to work more closely with IT security colleagues to secure these applications,” the report said.
CIOs should do all they can to nurture this sense of responsibility by making sure developers and IT security colleagues are working hand in glove.