Security Habits of the Highly Confident

Lori MacVittie Miniatur
Lori MacVittie
Published March 13, 2017

Insights from the 2017 State of Application Delivery

Executives and security professionals alike are a pragmatic bunch, at least in terms of their confidence levels in withstanding application layer attacks.

Interestingly, neither group is likely to be pessimistic about their chances of battling off such attacks. Only 5% of each group in our State of Application Delivery survey had no confidence in their organizations’ ability to withstand an app layer attack. But that doesn’t mean they’re optimistic about their chances, either. Only 10% of security pros and 13% of execs were highly confident they can do battle with the bad guys and win at the app security game.


Indeed, their views were far more weighted somewhere in between, where pragmatism (realism) lies.

Forty percent (40%) of security folks were on the fence, neither more or less confident. A similar percentage of execs (37%) agreed. Which seems a reasonable stance to take these days. You might be confident you can withstand what you know, right now, is out there. But that’s the problem with security, the unknown is about to become a threat.

So what makes that 10% or so of security pros and executives so highly confident in their organization’s security posture? What is it they know that perhaps others don’t?

services deployed by confidence soad17

To find out, I started slicing and dicing data. We mentioned in the full report it appeared the deployment of a web application firewall and to a lesser extent, DDoS Protection, contributed to the confidence levels of respondents with respect to withstanding application layer attacks. But of course these aren’t the only two security services available; we’re tracking eight of them at this time.

It would seem reasonable, then, to assume that other security app services might have an impact on the confidence folks have in their organizations’ security posture. A quick dive into the data showed that might just be the case.

For each of the eight security services we are tracking, we found a higher percentage of services deployed by those with the greatest confidence. The difference in deployment status by confidence level of each service was generally dramatic. On average, respondents with the lowest confidence had an overall 24% lower deployment status of app security services. Fewer security services, lower confidence. Coincidence? I don’t think so.

But it’s not just deploying security services that might contribute positively (or negatively) to confidence folks can withstand an app layer attack. How you employ those app services in the service of securing apps matters, too.

surface protection by confidence soad17

Every year we’ve asked folks how they’re protecting apps. We identify three primary attack surfaces in need of protection: the client, the request, and the response. That’s because each offers a unique point in time with varying security tactics (and thus services) to better secure and defend apps and their valuable data. We ask respondents to describe how consistently they apply security policies to each of the three surfaces: always, never, or sometimes. At this point, I’m sure no one will be surprised to learn that folks with the highest confidence always protect all three surfaces. And conversely, those with the lowest tend to never protect any of the surfaces. 

Obviously this isn’t the only factor that plays into confidence level. A small percentage of folks with the lowest confidence always protect these attack surfaces. And conversely, some with the highest confidence never protect these surfaces. The fact that folks with the lowest confidence must sometimes protect these surfaces says it’s a contributing factor, but certainly not the only one or there’d be a higher correlation between never protecting surfaces and the lowest confidence. 

Still, more than half of those with the highest confidence always protect the client (60%), the request (61%), and the response (57%).

Coincidence? Again, I don’t think so.

Of course we can’t draw a causal relationship between the deployment and application of security app services and confidence levels, but we can clearly see there is a correlation between them.

IT pros with the highest confidence in their ability to withstand application layer attacks are more likely to deploy security app services and proactively protect all three attack surfaces than their more pessimistic counterparts. Something to consider if you’re feeling a bit “meh” about your chances to defend against whatever tomorrow might bring.