Global organisations are increasingly embracing Security-as-a-Service (SECaaS) solutions while also accelerating zero-trust and AI adoption, according to F5’s 9th annual State of Application Strategy Report (SOAS).
Forty two percent (42%) of respondents to F5’s flagship research report claim that the “speed of threat mitigation” is the main reason for turning to SECaaS, which involves leveraging cloud-delivered models for the outsourcing of cybersecurity services. 18% also indicated that SECaaS helps them deal with a lack of internal talent.
“In an increasingly app- and API-driven economy, cybersecurity operations must move at a sprint to stay ahead of quickly evolving attacks,” said Lori MacVittie, F5 Distinguished Engineer, and co-author of the SOAS Report.
Racing toward zero trust and AI
Velocity is also a factor in the rise of zero trust security models: more than 80% of respondents said they are adopting zero trust or plan to do so.
Overall, zero trust tied with the convergence of IT and operational technologies as the report’s most exciting global trend for the next few years, moving up from third place in 2022.
Notably, the promise of faster reaction speeds is accelerating the use of AI/ML for security. Nearly two-thirds of organisations are planning (41%) or have already implemented (23%) AI assistance. Those already using AI or ML ranked security as their top use case. Security was also listed as a primary driver for those still in AI or ML planning mode.
In addition, speed continues to motivate ongoing automation efforts. In 2023, network security ranked nearly as high as systems infrastructure as the third-most automated of the six core IT functions. Network security, which is increasingly offloaded to service models, is also benefiting from the application of AI.
Platforms and zero trust frequently go hand-in-hand
Another key SOAS finding was that nearly nine out of 10 respondents (88%) said their organisations are adopting a security platform.
Almost two-thirds (65%) expect to use a platform for network security or identity and access management. Meanwhile, 50% are moving to a platform to secure web apps and APIs from the data centre to the edge. Another 40% want a platform for business security needs, such as anti-bot and anti-fraud solutions.
Security is a top edge workload
Of all organisations planning workloads for the edge, half expect to place security workloads there. However, almost two-thirds of respondents currently adopting zero trust strategies plan to deploy security workloads at the edge, in recognition that fully executing zero trust—and gaining its full benefits—requires the use of the edge to secure every endpoint.
Interestingly, although security services are the top edge use case, the edge workload growing fastest since 2022 is monitoring. The SOAS Report posits that this could be a reflection of multiple factors, including the explosion of remote work, IoT applications, the tendency toward wide distribution of applications, the global reach of markets today, and enthusiasm about the IT/OT convergence, which will depend on real-time data to guide process adjustments.
More organisations need to adopt a secure software development lifecycle
A common theme in this years’ report is that strong security starts well before deployment, regardless of where those workloads may be hosted. Accordingly, three-quarters (75%) of respondents are adopting or plan to adopt a secure software development lifecycle (SDLC).
“Security and risk management are not a ‘one and done’ activity that can take place only at the infrastructure or app deployment levels, for instance,” explained MacVittie. “Rather, comprehensive, and consistent protection requires multiple, coordinated efforts over time and across IT and business roles. Addressing security as apps are developed saves time lost in trying to retrofit later, not to mention mitigation once an attack has succeeded.”
Encouragingly, most organisations are becoming more proactive and looking upstream to mitigate all possible risks. Concerns about software supply chain security, for instance, are being addressed in various ways. The most popular approach is adoption of a continuous audit cycle. More than one-third of businesses (36%) are building a DevSecOps practice, and more than one-third (38%) are training developers in secure coding practices.
Organisations in the financial services and healthcare industries are most likely to address software supply chain security in some manner. At the same time, nearly one in five organisations (18%) apparently have no concern about software supply chain security and are making no plans to address it.
The way ahead
The SOAS Report emphasises that, as app portfolios become increasingly modern, organisations will continue to adjust their deployment architectures to balance operational and market demands and to find the right distribution between on-premises, cloud (whether private, public, or both), and edge environments—as well as which apps to consume as SaaS. Consolidation will occur, but the vast majority will use hybrid and multi-cloud models indefinitely.
“Ultimately, the simplest way to obtain the comprehensive protection that provides resilience and agility will be to use environment-agnostic solutions, consumption models, and vendors that protect both apps and infrastructure everywhere,” said MacVittie.
“The ability to implement uniform security policies for any app and any API, anywhere, is important. Security platforms, including SaaS-based services, can help secure hybrid apps and APIs across all host environments, from the core to the edge, with policy consistency, broad visibility, and simplified management. This type of approach can defend both modern and traditional architectures and hybrid apps with WAF, DDoS protection, and bot defences integrated with behavioural-based intrusion protection and attack mitigation for the entire security stack. Such effective security, running at the speed of business, protects what matters most while unleashing the organisation’s potential for growth.”