Webinar Recording

Protecting Web Applications Amid Severe Staff Shortages


Organizations are more dependent than ever on web applications for doing business with partners and customers, which means that protecting web applications has become business critical. But many companies are facing severe skills shortages exacerbated by the “Great Resignation”, and web application security is particularly hard hit. Automation is key to overcoming this challenge.

Join security experts at KuppingerCole Analysts and Radware as they discuss the importance of securing web applications, why qualified security professionals are difficult to find, and how organizations can use automation and managed security services to improve security, while reducing pressure on security staff. Richard Hill, Lead Analyst at KuppingerCole will talk about some of the challenges, complexities, and skill sets needed to maintain web application security and the areas where automation can help. Eyal Arazi, Senior Manager, Portfolio Strategy at Radware will explain what makes application security a unique discipline within cybersecurity, and how Radware uses advanced machine-learning algorithms and a ‘positive’ security approach to automate web application security and take the burden off organizations’ shoulders.

Hello, I'm Richard Hill, a Lead Analyst at KuppingerCole. And today we're having a webinar about protecting web applications amid staff shortages. And this webinar is supported by Radware. And joining me today is Eyal from Radware, a senior manager and also portfolio strategy. And before we start, we have some information and some housekeeping notes and then we'll jump into the topic of today's webinar. For now, everyone is automatically muted so there's no need to mute yourself, and we'll be running some polls during the webinar, which we'll be sharing the results shortly afterwards. We'll also be recording the webinar, and both the recording and slides will be available on KuppingerCole's website. In addition, we'll save some time at the end for questions and answers. The GoToMeeting control panel has an area to type in your questions at any time, which we'll answer towards the end. And with that, let's take a look at today's agenda. So I'll start out by talking about some of the challenges and complexities and skills that are needed to maintain web application security and other areas where automation could help. And then I'll turn over the webinar to Eyal from Radware, who will talk about what makes application security a unique discipline within cybersecurity and how Radware can help. And then finally, as I mentioned, we'll save some time at the end
for the question and answer session. So I thought we could start out by looking at the current state of the IT cybersecurity workforce. And there are a number of reports of cybersecurity gaps globally, which only makes it just that much harder to defend against cyber attacks. And it's also putting increased pressure on business leaders to fill these gaps as well. And
the estimated shortage globally is around 3.4 million according to our latest report that's actually up 2.72 million back in 2021. So it's actually increasing the shortage gap. And then the Information Systems Audit and Control Association released a report on the state of cybersecurity for 2022, where a little over 2000 respondents completed the survey, and 55% of those respondents surveyed generally do not believe that the applicants they are getting are well qualified. And then the skill gaps in qualified cybersecurity professionals that they believe they lack in is 54 of the respondents mention cloud computing, 34 in security controls like endpoint, network, application, 33% in coding skills, and then 30% in software development related topics. So there's maybe many reasons for this, why employees aren't keeping up on their skills, and you know, they need to be able to attend training and online courses and performing or pursuing new certifications. And also there's a shift in increasing reliance on cloud security, and increasing threats against data and other systems require new skills that need to be kept up with as well. And then finally, it takes time to fill cybersecurity positions. So 53 respondents reported the average time to fill an open position is three to six months. And what I show here is only some of the indicators that the cybersecurity workforce needs to find some way to fill the gap in order to keep up with the increase in cyber attacks.
So let's take a minute to take our first poll. The question is on the screen in which you can enter your selection in the webinar pane. Your question in the poll is really meant to gauge the level of IT security staffing at your organization. So enter what you feel the level of staffing is and we'll give it a few more seconds to enter your selection and then we'll continue with the webinar. Again, the poll will be shown later in the webinar. So the results are coming in and we'll just give it another second and then we'll continue on.
So in its most basic form, automation takes a step-by-step process that would normally take a human interaction to execute and uses technologies of sorts to make that same process happen without human interaction. So automation in IT scenarios typically uses triggers to invoke actions to streamline an end-to-end process. Like sending out a notification through an IT service management ticket, for example, maybe the ticket would go to a manager who has to approve it, access to something or, you know, helping with a workflow process of some kind. And it can realize the benefits of automation when you improve the accuracy or reduce human error if the automation process is set up correctly and sufficiently tested, so to ensure that there's error-free processes. And then efficiency in the sense that improving the execution of tasks that are highly repetitive, which also helps employees offload boring and redundant tasks.
And then productivity, where computer or machine driven automation doesn't get tired and could run 24/7 if needed. So you know, as long as it's monitored and maintained appropriately, it could deliver consistent results. And then there's flexibility, when good automation tools could be easily reconfigured to fit new requirements. For example, an automation script that can be copied and modified to address a variant of an automation process use case. And then finally, you know, it reduces cost of labor with a caveat that, you know, the return on investment and maintenance of the automation is taken into account. This also helps when there are labor or skills shortages in the market. So of course there are some challenges with IT automation if not appropriately or carefully monitored. But if automation is applied and implemented correctly, these benefits could be realized.
And often in product marketing, the marketing department will grab onto a technology buzzword to highlight the product. And one of the most used buzzwords in cybersecurity right now is artificial intelligence or AI. And when people hear this word, they most often go to what is called strong AI, which means in a broad sense the idea that a computer has a mind exactly like or in the same sense as human beings have minds. This is not what we're talking about when it comes to cybersecurity products. Weak AI, on the other hand, is more focused on solving specific problems. Typically it involves machine learning, which is a subset of AI using algorithms, methods such as pattern recognition, outlier detection, deep learning, which can be applied to other technologies such as computer vision or language processing. And this could be further applied to information security and other areas of practical applications of AI research. And this is the type of weak AI that is being applied in all sorts of products today.
So putting intelligent tools such as AI and machine learning together with automation techniques can provide a very powerful and effective intelligent automation capability to fill those gaps in cybersecurity. For example, deciding, you know, which applications and websites, for example, should be on a block list or a white list. So that's one application. Another is bots, in which software robots perform repetitive tasks, imitate human user behavior. And what started out as being a good thing quickly became a tool for malicious web attacks, and some of these malicious bots even attempt to log into user accounts. So another application of intelligent automation in this scenario can help distinguish between potentially malicious bots and benign automations such as shopping services, and then being able to block attacks if the bot is malicious. And then there's detection, providing intelligent capabilities to detect anomalous and malicious traffic.
Vulnerability remediation is another area for intelligence and automation, which could, you know, potentially detect web application misconfigurations or vulnerabilities and also perform input validations or auto convert vulnerability data into virtual patches. For instance, in our focus on web application programming interfaces have been steadily growing in the market and we're seeing the market covering the protection of APIs in multiple ways such as API gateways or access management solutions. And now WAFs are also filling the gap with their own API protection, combining web application and API protection, known as WAAP capabilities, and some level of API protection. Due to that growing use and availability of digital services, APIs within the organization should protect against some of the most basic common threats. Typically OWASP API Security Top 10 vulnerabilities, for example. And it also should be able to do things like validation checks on JSON, XML formats or schema validation, as well as many others that you see here. So this is another area in which intelligent automation could help.
And now we'll pause to conduct our second poll, which will be coming up here on your screen. Again, you can enter your selection at any time. Here we go. So this poll question is trying to gauge what level of automation is supported by intelligence within your organization. And we'll just give it a few more seconds here and then we'll continue on. Okay, so recently I conducted market research on web application firewalls in the market. And I'll give an overview of our Leadership Compass process at KuppingerCole. And then the results of my research. So first is the methodology that we take. So KuppingerCole conducts a very comprehensive process that was used with the web application firewall Leadership Compass. So it was starting with, you know, deciding what that criteria is that believes the WAF market should have, and then invite vendors to participate, evaluate their materials, hold briefings, and then do some background research on, you know, maybe a vendor customer or reference calls or through advisory project, and then rate the projects objectively based on the information we collected and then prepare the results. So it's a very comprehensive process that we take.
So there's different areas that we look at. Security, for instance, this is the measure of relations to three factors, which are, you know, vendors, what we believe they should provide and what they say they'll deliver. Integration, the need in which vendors have integrated individual technologies into their products. Interoperability, having that ability of a product to work with other vendors' products, standards or technologies. And then there's usability, the overall ability to administer and maintain the solution over time. And then additional ratings that we look at are innovation, so the vendor's ability to drive innovation in a direction which aligns with what KuppingerCole understands of the market segment. Market position, measuring the position the vendor has in the market. Financial strength, which could be an important factor for customers when making decisions and could be an indicator of how well a company could execute on their roadmap. And then the ecosystem, which focuses mainly on the partner base and the ability to act as a good citizen in the IT environment and working well with other products and services.
So the different categories of leadership that we provide ratings for, for instance, our product leadership, which is based on the features and the overall capabilities, the various products and services we have. The market leadership looks at certain market criteria including but not limited to the number of customers, a partner ecosystem and its global reach. Innovation leadership, this is a key capability in IT markets where, you know, we're trying to measure, you know, what's required for keeping up with that constant evolution and emerging customer requirements. And then the overall leadership is a combined view of the product, market and innovation ratings.
So some of the evaluation criteria, but not all, is listed here. So WAF basics, at a minimum a WAF should provide strong core or the more traditional forms of WAF protection. And this is covered in many of the most common types of protections against web attacks and are often found in the OWASP Top 10 list I mentioned earlier. And then WAF intelligence, where we look at the level of intelligence used throughout the WAF capabilities. DDoS protection, denial of service, which is good to have where, you know, certain types of attacks attempt to make organization web applications and networks unavailable for those legitimate customers. Bot management, the solution's ability to provide automated bot detection and management as well as its ability to prevent false positives. For example, being able to tell between a good and a bad bot. API protection, this is, as we mentioned before, the level of API security such as protecting APIs against attacks using API authentication, authorization, validating API calls and filtering and monitoring, for example.
And then web performance enhancements. This is a good thing to have. Not all vendors are able to do this, but the ones that do have web app acceleration and CDN support, which means that they need to have a good geographic regional network and capabilities such as HTTP optimization and caching and prefetching as examples. And then other features not shown here but are important to consider are the centralized management and reporting, which is, you know, a set of WAF management capabilities, like having the centralized location to configure and manage WAF security policies, rules. And then having dashboards where you can see, monitor types of attacks, availability and performance and alerts and then be able to generate reports for compliance. And then lastly, that admin and DevOps support, which, you know, helps the administrators and operation teams to support their tools and automation and continuous integration. So quickly I will go over some of the results from that WAF Leadership Compass. Most capabilities that we're looking in the WAF market are in the top segment of this graph. And then here are the innovation leaders, which KuppingerCole considers the ability to keep up with emerging customer requirements that they're facing. And then the market segment is comprised of many factors, but market leadership from our point of view really requires that you have at least a global reach of customers.
And then finally the overall leadership rating is that combined view of those three prior leadership categories, product, innovation and market, taken together to give an overall view. And so these vendors can range from strong to weak in any of these three areas. So you really recommend you look at all the leadership categories and individual analysis of the vendors and their products to get a more comprehensive understanding of really, you know, who are the players in the market. So I think I will stop there and turn over the next part of the webinar to Eyal from Radware. You
Okay. Hello there. So Richard, thank you so much for the introduction and for walking us through both your report and really the requirements for automation in application security today. And as Richard explained, you know, what you've been seeing over the past 18 months in terms of the staff shortages has really impacted the way that organizations are approaching the security of, you know, their web applications and other web facing assets. This is becoming increasingly, you know, more concern and more a requirement from customers. And indeed this is something that we as Radware see on the vendor side and something that's reflected also in our product line. And you know, looking at it from an analyst point of view, as analysts, you know, are starting to look at this more and more, such as in the KuppingerCole WAF Leadership Compass, we've been fortunate enough, you know, to be recognized as a leader, not only on the industry at large, but across all the different subcategories within the report, as Richard explained.
So really going back to, you know, going back to Richard's, you know, points, we're facing today really these huge staff shortages, some of which have been always a problem. You know, this has always been a problem with cyber security, and some of which has been really exacerbated during the pandemic, you know, the COVID pandemic. And you know, from Radware's point of view, this is indeed something that we have to take into consideration as we approach the marketplace. Radware, just to give a couple of words of introduction, is a leader in the web and web application security market. As Richard pointed out, we are a leader both in the KuppingerCole compass as a whole as well as the individual categories. And we provide, you know, a leading global service which is provided as a cloud service with a globally distributed network. We provide a full range of web security services including web application firewall, bot management, API security, and DDoS protection.
And we also have many of the augmenting solutions which customers have come to expect today, as Richard mentioned, including CDN as a service, for example, as well as increasingly public cloud protection to augment and complement the web application protection. So however, going back to the issue of automation and staff shortages, as organizations, you know, are trying to face and looking for solutions for these staff shortages, they're really facing a number of options. So first of all, I mean if they have a staff shortage or skill gap, first of all they can do nothing about it, which is, you know, technically an option, but it's not really an option and not something that's viable to do. So that's off the table. Another option that they can do is put the wrong people in it. So people who don't have the staff, who don't have, sorry, skills, don't have the expertise, and you know, it's not perfect, but this is something that we do see in fact happening a lot in the marketplace, where traditional network security and IT people are being placed in application security roles just because, you know, there's no option and no solution.
And although this provides, you know, a temporary solution, it's only a stopgap because although it might address the staff shortage, it does not address the skill gap and the expertise gap. And the third option is, as Richard explained, use automation. And this is something where we see really the market moving forward, you know, and customers requiring more and more. Now from a CISO's perspective, this creates a challenge of how do you maintain or how do you find application security which is at once both state of the art in terms of the protection that it can provide you, but at the same time also frictionless in that it provides security integration and low operational overhead so that it does not get in the way of your day to day operation and doesn't, you know, kind of throw a wrench into the operations of application development and deployment.
And you know, this is the CISO challenge, and in Radware's view, organizations shouldn't have to choose. Now as we dive deeper on this issue of automation, what we discovered is that in fact there are two levels of automation. And a lot of times when we talk about automation as a concept, I think Richard alluded to it to some degree, there are two levels to it. First of all, there's automation of the security process itself, of the actual security. And this includes things like traffic learning, auto policy generation, discovery of API endpoints and just overall, you know, any type of practice which reduces the need for human touch in generating adaptive security, which is adapted to the specific criteria of the application or the asset. And on the other hand, you have automation of the deployment process, and this is becoming equally important. And this is relating to the issue of frictionless, that it does not get in the way, in the sense of integration into the CI/CD pipeline, into continuous integration, continuous development and deployment.
It relates into shift left security, of moving security from, you know, the end goal of, or the end process of applying only once the asset is deployed, to shifting left, to applying it already during the development and deployment process. So it's a continuous process that security is inherently part of, and just in overall reducing the barriers between our security and, you know, kind of the traditional CISO role and deployment, the traditional DevOps role, and this is again where Radware with this technology is really here to help organizations. So Radware provides state-of-the-art protection, which is almost exclusively based on very sophisticated machine learning and artificial intelligence algorithms. And these are deployed across multiple levels of protection, whether it's DDoS protection, application protection, public cloud protection and so on, where, you know, again, different types of algorithms attempt to not just rely on a, you know, set of predetermined known attacks and just block those. But it actively attempts to identify and establish what is recognized as legitimate user behavior and then kind of augment it, identify what is non-legitimate and non-standard user behavior and block all of that based on, you know, this baseline of machine learning.
Radware prides itself on, you know, being a leader in this category, and you can see just an example of some of our patents or patent applications from the past couple of years. This is something that we invest a massive amount of, you know, time, effort, and resources into. And ultimately this is what feeds the underlying technology and underlying algorithms which power our security solution. So in terms of the machine learning algorithms, and I'm, you know, not gonna get too technical in here, just give, you know, tiny bits of kind of the tip of the iceberg. We use multiple layers and different approaches based on both supervised and unsupervised machine learning, both based on direct threat intelligence and threat research by our teams as well as crowdsourced information from our general cloud security network from all of our customers. So using all of this data, this is fed into our data lake where, you know, using these machine learning algorithms, first of all we identify normal behavior on a per application and per user level and we establish a baseline of what constitutes, as I explained earlier, legitimate user behavior.
And then of course, you know, we use that baseline to detect any type of deviation or anomalies from that baseline. Then once we have that baseline in place, we classify attacker behaviors again based on, you know, deviations from expected user behavior as well as crowdsourced data from Radware's global security network. And on top of that we add a layer of pattern mining to detect unknown attack patterns and zero day vulnerabilities. Now all of this is part of our approach of, you know, the positive security model where, you know, whereas many of the solutions in the market apply only a negative security model of identifying malicious behaviors and then applying manually static manual rules to block those. We take, you know, all this data from both our data lake and the pattern mining and the art and the machine learning algorithms that I mentioned earlier to apply a layer of positive security model which learns and defines legitimate user behaviors and then blocks anything which falls out of it.
And this is really key because this helps to protect against, you know, the unexpected zero day and unknown vulnerabilities. And this is really what sets us apart from many of the other competitors in the market. And again, you know, gladly we've been recognized, you know, by analysts such as Richard in his Leadership Compass for web application firewalls. And this really provides ultimately, you know, the higher level of protection for, you know, full OWASP Top 10 protection and beyond with a minimal amount of false positives. Now another place where we apply these layers of automation is in API protection, which again, Richard talked about a little bit, where it's not enough to know what API and API endpoints that you have, but it's important to constantly be on the lookout for either new APIs, new endpoints or changes in your existing schema because you need to constantly be applying protection to them.
And again, this is what we do through our process of API built-in discovery, which first of all ascertains the existence of APIs, then takes it, you know, one or two levels down of identifying into the individual endpoints as well as the individual parameters and structure of each endpoint. And then applying automatic and adapted API security to that specific API structure and API schema structure and ultimately, you know, translating it into a Swagger file, which again can be used to, to apply for cap. Another practice which we are engaged in is using actually reducing the manual. And again, going back to the issue of automation, reducing the need for manual operations on the side of the user, in this case, eliminating processes which interrupted the user experience such as a CAPTCHA. You know, CAPTCHA, I'm sure all of us have, you know, come across it and come to hate it in all its various forms because it's an interruption, it gets in the way, it's time consuming.
Sometimes it, you know, even failed the blocks from doing what we need to do, which is again why Radware developed a new algorithm of automatically identifying bad bots, marking them as such and for bad buffer to identify, use crypto challenge or crypto channel based algorithms really to keep them busy while legitimate users are, you know, left unhindered. One more point, and this is again going to some of the topics that Richard talked about in terms of global intelligence. So Radware, of course, as I mentioned earlier, collects information from our globally distributed network and all of our customers. However, we take it one step further with an active network of honeypots, which we call the Active Attackers Feed, which actively goes out in order to lure active attackers who are out there even before they attack necessarily any Radware customers and identify them through our deception network to lure malicious attackers and identify the sources where these attacks and attackers are coming from and block them before they even ever approach a Radware customer or make it into the Radware network.
And you know, combining these with intelligence feeds from Radware and Cloud security network, this provides for full coverage of both known and unknown attackers and kind of augments the layers of security where of that the customers, you know, are expecting and need to deploy. A great example for this is the Log4j attack late last year, late in December of 2021, where even before this was a recognized exploit and a CVE, which King aft, this was recognized by Radware within our data lake, both in attacks that we had seen as well as the pattern mining. And again, based on the positive security approach that we mentioned earlier, we were blocking these attempts even before this was an officially recognized CVE, and Radware customers were protected essentially from day zero. And again, you know, something a little bit more time relevant, this is the Spring4Shell critical vulnerability, wasn't as known, you know, as the Log4Shell incident, but you know, still a very serious incident.
And again, we were able to repeat this process and block attacks, you know, from day zero or day one even before an official CVE and official patches came up, which again goes to the strength of the positive security approach that Radware is taking. Now if we step back for a moment from the issue of automation itself, another practice which Radware uses to help reduce the burden off of organizations facing, you know, staff skill shortages is our expert fully managed security services. So Radware's cloud security services by definition are a managed or are a managed security service. So that means that every customer that joins our CloudApp or CloudApp service is backed up by our ERT or emergency response team, which is a team of experts who are day in and day out engaged in networking, application security and protection. And this is really, you know, this is their bread and butter, they are, you know, experts in this.
They do this day in, day out, 24 hours a day. And this is exactly the way in which Radware was able to bring this level of expertise directly to customers without requiring them to train their own staff. And of course, having Radware staff, you know, take the burden off of the customer's shoulders, help 'em with security policy configuration tuning, do 24/7, 365 monitoring, provide attack-time support, you know, if needed. And again, just as another measure of taking the burden off of the shoulders of the customers and engaging a team that this is their expertise. So, you know, taking all this, you know, together, you know, this is really the value that Radware brings to organizations and to customers, which, you know, combines our full coverage of application threats through, you know, our comprehensive suite of WAF, BCA security, DDoS, threat intelligence and more, which is all based on sophisticated behavioral based machine learning algorithms across all of our products, which take a positive security approach.
This is augmented again with security innovation such as the bot crypto challenge, API discovery out of patha for public cloud environments and so on, which ultimately, you know, provides comprehensive protection across a single technology stack with multiple deployment options leading to industry-leading security, low rates of false positives and minimal and frictionless, you know, minimal operation effort and frictionless deployment which is necessary for today's business environment. And again, you know, we are glad to be recognized by leading industry analysts such as Richard, you know, for our efforts and for the leadership and innovation that we bring to the market. So this is it for my section here. So Richard, again, thank you for your section and I think that this leads us now into the Q&A segment.
Thank you. So now we'll move on to the question and answer quick look at the polls that we conducted. So let's go to the first poll. Do you feel your organization's, IT security is adequately trained in staff? Half of said totally agree and 50% says do not agree. So that's interesting. It's the halfway mark and we'll move on to the next poll. And this question was, do you feel organization's IT security is adequately trained, or excuse me, adequately using automation to and being supported by intelligence? 67% said maybe I somewhat agree. Well, 30% says 33% says I do not agree. So that those are interesting results. I'll, do you have any response to those polls or does that, is that what you're seeing on your end?
The exact rates again might vary between, you know, your specific, you know, the people that that you're asking or the, you know, the, the numbers. But you know, I think this is very reflective of the market where perhaps not everyone is impacted by these staff and skill shortages, but a large percentage of customers and companies are, and this is creating, you know, a real problem. And I actually think that the, the results of the second question about the usage of artificial intelligence and machine learning in security was, was actually more indicative because, and more telling because, you know, this is really something that is being talked about. It's an issue that's out there, a lot of products are using it to a certain degree, but right now there's a difference between, you know, in a lot of solutions between just saying, oh yes, we have it and actually deploying it in a meaningful way that is actually, you know, helping and making a difference in, in, you know, the, the user's lives and customer's lives. And I'm talking here in the sense of security people in the sense that it actually saves them time and increases their response rate. So I think this, the both of these questions are very reflective of what we're seeing here in the market at large.
Okay, thank you. So let's move on to the questions. So let's see, the first question. In your view, what are the critical capabilities for achieving application security automation?
That's actually a, a really good question and I think there are a number, and again, it might vary between, you know, specific algorithms or you know, capabilities, but there are a number of critical capabilities that you wanna make sure that you're hitting on. First of all, you need to have, and it's very important to have that, you know, technological base that you know, powers it. And a lot of times it's difficult to judge per se about, you know, the strength of a particular algorithm, but it is useful to look at, you know, the identity of the company, their track record, do they have a history, you know, leadership in artificial intelligence or are they just making claims of yeah, you know, artificial intelligence, AI, you know, we're using them just as everyone else does. So that's one. Another critical capability I think is those two layers of automation that I mentioned earlier of, you know, both automation of the security process itself as well as automation of the deployment process.
Making sure not, not just that, you know, the security itself is automated, but it also, you know, in a meaningful way is integrated into your, you know, technologies into your own technology stack, your deployment process and so on. And the third is kind of in the day-to-day usage, just of seeing, you know, are there features here or are there capabilities here in this, you know, automation that you know will actually make a difference in your day-to-day lives? Or is it, you know, reducing the number of false positives? Is it giving you actionable insights or for example, something that at Radware we do is providing fos, you know, identifying potential false positives and offering fixes to them or is it just, yeah, we have it in the background, but you know, it does actually impact you in any meaningful day to day way. So I will look at all three of these in critical, you know, criteria or critical capabilities in order to see, you know, is this automation that will actually help me in maintenance.
Okay. And this next question is what I'm interested in as well is how do you see the need for automation unfolding over the next 12 months? What trends should we
Report? So I think it's gonna continue with the current trends of, you know, we're seeing this massive shortage of both, you know, staff and, you know, skills. So it's both, you know, the absolute numbers of people themselves and I think he provided some, some of the stats that allude to that in the beginning of your segment. So both, you know, the number of people you know itself as well as the skills that they have. It's not, you know, do you have, it's not only do you have the people, but do you have the right people? And this is something that has always been in the background of cybersecurity. You know, I don't think there's ever been a CISO who says I have enough people and I have enough budget, but I, I think that the pandemic was really a catalyst and kind of an accelerant for these processes. And this is something that we saw, we've seen explosive growth on in the last 12 months. And I think that we're gonna be seeing more of the same over the next, you know, 12 to 18 months as well, where this is gonna be increasingly a problem, it's gonna stay a problem and as a result, organizations will probably be looking increasingly for automation capabilities and managed services, which will help them reduce their reliance on, on human labor.
Okay. And it looks like we have one more question here on the screen. So how do you see cloud migration affecting the need for security automation?
So this is actually, again, very good question and I think that it helps, I think again, it's gonna make things, you know, more worse and more pressing because you know, the, the issue of cloud migration has been, you know, discussed heavily for the last five or even 10 years. And I think we've reached a point now where organizations are no longer migrating to the cloud. They're, they're already there, but now comes the next iteration of the cloud movement and it's the multicloud. And this is something that we see in our practice, about 60% of customers are using multiple cloud environments concurrently. They're doing, they're using multiple public cloud environments. They're using public, they're using still their on-prem environments to a large degree. They're, they're also using private cloud environments. And this is creating, you know, this is really, you know, the multi-cloud is really multiplying their problems, so to speak, where they have to manage multiple environments with differentiated sets of, you know, security policies, security coverage, protections and dashboards. And again, this raises the need for automation kind of across the, across the entire architecture and across the different platforms they're using in order to have consistent, comprehensive and single security management across the board. Again, this is where Radware can contribute to, to organizations.
Okay, so that is all the questions that we have for today. You know, I'd like to thank the audience for attending and of course Eyal from Radware for your insights, so please see additional resources both on the KuppingerCole and Radware websites. And thank you for attending the webinar. Thank you.
Thank you Richard. Thank you everyone. Have a good day.