In November 2017 we put out a call for input into our fourth annual State of Application Delivery survey. Much to my delight, 626 security professionals—43 of whom identified as CISOs—answered that call.
I’m delighted by that, because security is one of the most significant disciplines in IT today. In fact, security is a priority that has firmly displaced availability as most important when deploying applications. And it’s not just security pros who think so. Over 3,000 respondents across the globe overwhelmingly tagged security as the service they would not deploy and application without.
Among security professionals specifically, the gap is even more significant: 47% chose security and only 26% said availability.
This isn’t a surprise—security has been steadily ascendant for the past three years. In 2015, availability was the clear leader at 40% over security’s 32%. But the next year the two categories were neck and neck and last year, security bolted ahead of the pack. Its lead has only increased at the expense of identity and access management and, despite its importance to consumers, performance.
The critical nature of security services shows through in the app services deployed today in companies around the globe. Three of the top five are pure security application services: network firewall, anti-virus, and spam mitigation. A fourth, SSL VPN, is security-related, at least, though we categorize it as being part of “Identity and Access Services.” The fifth? Load balancing, of course.
The domination of security among currently deployed application services is not minimal, either. Every one of the top services boasts current deployment rates at greater than 3 in 4 respondents.
Despite the pervasive deployment of security-related application services, confidence in the ability to withstand an application layer attack is waning. Security roles are slightly more confident (42%) than all other roles (40%) in their ability to protect applications in general. Interestingly, these results change when location is considered. In the public cloud, security pros are less likely to be “more confident” about protecting apps (35%) when compared to other roles (37%). When apps are on-premises, however, security pros tend to be more confident (62%) as compared to the 58% of other roles who say the same.
The difference in confidence between protecting apps on-premises and in the public cloud is staggering in all cases, despite the extensive use of multiple security-related services designed to protect applications in both environments. Respondents use an average of 2.7 different security application services specifically to protect applications.
But security pros know that there’s more to protecting apps than that. There’s a broad spectrum of attacks that can lead to a compromised position or a breach. A plurality of respondents indicate use of many other security application services, with only DNSSEC currently lagging behind.