Osterman Research Survey Finds 84% of Companies Have Only Rudimentary Capabilities for Securing Their Cloud Infrastructure

Report Commissioned by Ermetic Reveals More Than Three Quarters of Organizations Do Not Have a Dedicated Cloud Security Team; Identifies Top Five Priorities Shared by the Most Mature Organizations

BOSTON & TEL AVIV--()--Ermetic, the cloud infrastructure security company, today released the findings of a research study conducted by Osterman Research on the cloud security maturity level of organizations in North America. The survey found that 84% of respondents were at an entry level (one or two) in terms of their cloud security capabilities and only 16% ranked at the top two levels. Meanwhile, 80% of companies reported they lack a dedicated security team responsible for protecting cloud resources from threats. The survey also revealed the top five priorities that all highly mature companies have in common when it comes to cloud security.

Osterman Research surveyed 326 organizations in North America with 500 or more employees and who spend a minimum of $1 million or more each year on cloud infrastructure to establish an industry baseline against the Ermetic Cloud Security Model. The model was designed to provide organizations with a lightweight framework for determining their maturity level (1 - Ad Hoc, 2- Opportunistic, 3- Repeatable, 4- Automated & Integrated) across multiple domains, while allowing them to develop a specific, actionable roadmap for advancing their capabilities.

“One of the most unexpected findings that emerged from this study was the lack of cloud security maturity among the largest enterprises surveyed,” said Michael Sampson, senior analyst for Osterman Research and author of the report. “Less than 10% of companies with more than 10,000 employees reported being at the top two maturity levels, while nearly 20% of smaller enterprises have achieved repeatable or automated & integrated cloud security capabilities.”

Other Report Highlights

  • Demonstrable ROI: 42% of companies investing more than 50 hours per week on cloud security are achieving the highest levels of maturity (Levels 3 and 4)
  • Bigger not better: Only 7% of companies with more than 10,000 employees were at level three or four in terms of maturity, compared with 18% for companies with between 2,500 and 9,999 employees, and 24% for companies with 500 to 2,499 employees
  • Overall, maturity is low: 84% of companies were at level one or two (41.5% Ad Hoc and 42.5% Opportunistic) and only 16% at level three or four (11.1% Repeatable and 4.9% Automated & Integrated)
  • More clouds doesn’t equal more maturity: the percentage of companies that ranked at the highest levels of maturity (3 & 4) decreased with multicloud usage. For example, the number of organizations achieving Repeatable or Automated & Integrated security capabilities dropped nearly 50% when going from one (10%) to three (6%) cloud platforms
  • Shared blindspot: 81% of organizations lack full visibility into all resources that are directly accessible from the Internet

“This survey makes two things very clear. Without the right tools, spending lots of time and resources on cloud security will not necessarily make you more secure,” said Shai Morag, CEO of Ermetic. “And, by focusing on the right priorities you can achieve a very high level of security maturity regardless of your organization’s size.”

Five Habits of Highly Mature Companies
Organizations that reported focusing on the five following security priorities achieved the highest levels (3 or 4) of maturity:

  1. Detecting general cloud misconfigurations (e.g., unencrypted resources, MFA)
  2. Achieving the ability to track and investigate activities performed by human users and applications/service accounts across the cloud infrastructure
  3. Establishing Just-in-Time (JIT) access for developers / DevOps / Cloud operations teams to cloud infrastructure environments
  4. Evaluating and reporting on alignment with security best practices (e.g., AWS well-architected, CIS) and compliance standards (e.g., NIST, ISO, SOC2, PCI-DSS)
  5. Achieving least-privilege for identities in the cloud (both human identities and service accounts)

A full copy of the survey findings is available here:

Organizations that want to benchmark themselves against the Ermetic Cloud Security Maturity Model and their peers can access a free online self-assessment here:

Finally, Ermetic will host a Webinar to discuss the report’s findings and the Ermetic Cloud Security Maturity Model on Wednesday, August 17, 2022, at 10:00 AM PT / 1:00 PM ET. The report’s author, Michael Sampson of Osterman Research, and the creator of the maturity model, Lior Zatlavi, Sr. Cloud Security Architect at Ermetic, will present. To register visit:

About Ermetic
Ermetic helps prevent breaches by reducing the attack surface of cloud infrastructure and enforcing least privilege at scale in the most complex environments. The Ermetic SaaS platform provides comprehensive cloud security for AWS, Azure and GCP that spans both cloud infrastructure entitlements management (CIEM) and cloud security posture management (CSPM). The company is led by proven technology entrepreneurs whose previous companies have been acquired by Microsoft, Palo Alto Networks and others. Ermetic has received funding from Accel, Forgepoint, Glilot Capital Partners, Norwest Venture Partners, Qumra and Target Global. Visit us at https://ermetic.com/ and follow us on LinkedIn, Twitter and Facebook.


Marc Gendron
Marc Gendron PR for Ermetic

Release Summary

One of the most unexpected findings that emerged from this study was the lack of cloud security maturity among the largest enterprises surveyed.

Social Media Profiles


Marc Gendron
Marc Gendron PR for Ermetic