The cloud era keeps turning up a familiar paradox: organizations say security matters most, yet the single biggest obstacle to getting cloud projects done is often the people — or more precisely, the lack of expertise to run them. New and old data converge on that inconvenient truth: in the 2016 RightScale State of the Cloud survey, respondents ranked “lack of resources and expertise” above security as the top cloud challenge — a finding picked up by BetaNews and reinforced by other coverage at the time. This feature traces that turning point, explains why skills and organizational capability often trump pure technical risk, assesses how the problem has evolved since RightScale’s 2016 snapshot, and lays out practical, prioritized actions for Windows administrators, IT leaders, and cloud teams who must deliver secure, resilient cloud services while short on specialist staff. The piece cross-checks the original claim with multiple independent sources, highlights what remains confidently verifiable, and flags where data or context requires cautious interpretation.
Source: BetaNews https://betanews.com/article/lack-of-expertise-passes-security-as-top-cloud-challenge/
Background / Overview
The RightScale 2016 State of the Cloud report showed a notable shift in practitioner priorities: 32% of those surveyed identified a lack of resources or expertise as their biggest cloud challenge, while 29% cited security as the top concern. That switch — expertise overtaking security — was covered widely in the tech press and remains a widely quoted moment in cloud adoption discourse. RightScale’s report drew on responses from roughly 1,600 technical professionals across organizations of different sizes and maturity levels, and most reporting outlets emphasized the raw numbers while also acknowledging variation across enterprise maturity and use cases. Later summaries and follow-on RightScale reports showed the percentages ebbing and flowing as organizations matured, but the structural idea stayed consistent: cloud projects fail or stall less because of a missing technical patch and more because organizations lack the people, processes, and platform discipline to operate distributed, elastic infrastructure at scale. Two points need to be front-loaded:
- The RightScale finding is a snapshot from 2016. It captured an important moment in cloud adoption; it does not, by itself, describe 2026 realities. Still, the underlying dynamic — a persistent cloud skills gap that causes security and operational friction — remains well-documented in more recent industry studies.
- The term “expertise” is broad. It spans cloud architecture, security engineering, cost optimization, identity governance, platform engineering, and operational runbooks. Shortfalls in any of these areas can manifest as security incidents, cost overruns, or stalled migrations.
What RightScale and early reporting actually said
The headline numbers
RightScale’s 2016 press materials and contemporaneous reporting summarized the key finding succinctly: 32% of surveyed technical professionals listed a lack of resources/expertise as the top cloud challenge, while 29% listed security. BetaNews ran a straightforward story repeating those numbers; Computerworld, CIO Dive, Forbes and others ran parallel pieces that added context about hybrid-cloud adoption, AWS leadership, and rising private-cloud use.
Who answered the survey
The dataset was composed of technical professionals — a mix of practitioners across enterprise and small/medium organizations. Coverage at the time noted that the finding varied by maturity: cloud beginners and teams in smaller organizations still ranked security higher in many subgroups, while more mature central IT teams emphasized staffing and governance overheads. That nuance matters: a single aggregate number masks heterogeneity across maturity, industry, and the kinds of cloud workloads being moved.
Why the finding resonated
Practitioners and analysts recognized an intuitive truth: cloud technologies themselves are not the main blocker; it’s the set of skills, organizational design, and governance practices required to use those technologies at scale. In effect, the industry had a supply-side shortage of people who could design secure landing zones, automate identity lifecycle, manage entitlements, and drive cost-aware architecture — skills that directly reduce security exposure when applied correctly.
Why expertise overtakes security as a practical barrier
Security remains a top concern in principle. But expertise becomes the bottleneck for four intertwined reasons:
- Complexity multiplies failure modes. Modern cloud environments are multi-layered: identity and access management (IAM), infrastructure-as-code, container orchestration, managed PaaS services, CI/CD pipelines, and third-party connectors. Each layer introduces configuration options and potential for misconfigurations that require human judgment and systems knowledge to correct.
- Tool sprawl and fractured ownership. Organizations accumulate cloud services and multiple security tools. Without platform-level ownership and experienced staff to integrate tools, alerts become noise and guardrails are inconsistently applied.
- Skills are specialized and scarce. Cloud security demands a mix of software engineering, security operations, and platform engineering — profiles that are hard to hire and expensive to retain. Recent surveys continue to flag skills shortage as a primary pain point across sectors.
- Operational debt and legacy constraints. Teams must balance day‑to‑day operations and migration projects. When personnel are thin, defensive tasks — rotating credentials, auditing IAM roles, enforcing least privilege — slip, creating security gaps even where tools exist.
How the problem has evolved since 2016
RightScale’s 2016 snapshot captured an early-stage inflection. The industry has changed, but not in a way that eliminates the skill shortage; rather, the demand for specialized roles has grown and diversified.
Evidence from modern surveys
- Platform and operations surveys continue to show skills and governance as top barriers to cloud ROI and security. HashiCorp’s 2024/2025 State of Cloud Strategy research and similar studies highlight that many organizations still identify a shortage of staff expertise as a core contributor to cloud waste and misconfiguration.
- Cyber skills reports from vendors and industry bodies (Fortinet, ISC2, Cybersecurity Insiders) emphasize that the cybersecurity talent gap remains acute, and that lack of expertise directly correlates to breach incidence and delayed or incomplete security controls. These studies show the skills gap has become more complex — now blending cloud-native controls, identity governance, and AI-era detection — and the cost of not closing the gap is rising.
- Operational research also shows the emergence of platform teams and the consolidation movement toward Cloud Native Application Protection Platforms (CNAPP) as pragmatic responses to the skills shortage: centralize expertise, codify best practices, and automate guardrails so application teams don’t need deep cloud security credentials to deploy safely. This is an operational architecture response rather than a purely hiring fix.
What changed technologically
- Providers added managed services, better IAM primitives, and tools for posture management. That should reduce friction — but these tools require someone who understands their configuration and the organizational lifecycle to operate them effectively.
- Security automation, policy-as-code, and infrastructure-as-code emerged as standard patterns. They are powerful, but they shift the skill demand to engineering skills (writing and testing policy code) rather than to purely manual operations.
- AI and agentic automation are introducing both new efficiencies and new attack surfaces; organizations need people who know model governance and data hygiene in addition to traditional cloud security.
Critical analysis: strengths, blind spots, and risks in the “expertise-first” framing
Strengths: why the RightScale claim is still useful
- It reframes resource allocation: simply buying security tools is not enough. You must invest in people, processes, and platform architecture.
- It motivates platform engineering: centralizing cloud expertise into platform teams that build reusable pipelines and guardrails reduces dependence on unlimited hiring and raises the baseline for security.
- It recognizes operational reality: many breaches and outages are due to misconfiguration and poor governance rather than exotic zero-days.
Blind spots and caveats
- Survey limitations and selection bias. RightScale’s 2016 sample (roughly 1,600 technical respondents) is informative but not globally representative of all sectors or geographies. The relative ranking of concerns depends on the respondent mix (enterprises vs. SMBs, central IT vs. business-unit developers). Contemporary reporting of the survey acknowledged that heterogeneity.
- Time-bound context. The 32% vs 29% split is a historical fact for 2016. It should not be treated as an eternal law. The underlying dynamic — skills limiting cloud outcomes — remains relevant, but specific percentages and priorities shift as tech and organizational practices evolve. Treat the RightScale finding as directional and historically significant, not as the definitive current-state metric.
- Overemphasizing hiring exclusively is risky. Hiring alone won’t scale. The systemic failure mode is assuming more boots on the ground is the only solution; in practice, governance, platform design, automation, and third-party partnerships often produce faster, more sustainable risk reduction.
Risks organizations face when they ignore expertise shortfalls
- Misconfigurations become persistent attack surfaces. Identity and entitlement errors, public storage misconfigurations, and poorly scoped cloud functions are frequent root causes in breaches.
- Cost inefficiency and business inertia. Lack of expertise creates cloud waste and delays innovation, which in turn increases pressure to cut corners or rush migrations.
- Vendor lock-in and brittle operational models. Without platform-level design, silos form and each team reinvents patterns — increasing both cost and fragility.
Practical playbook for Windows admins, IT leaders, and cloud teams
The gap between risk and capability is bridgeable. The following is a prioritized, pragmatic roadmap that balances hiring, tooling, and organizational change.
1. Start with an inventory and risk map (hours-to-weeks)
- Inventory your cloud assets, identities, data classifications, and critical business flows. Map what services and accounts have access to what data.
- Create a prioritized risk map that links misconfiguration or identity risks to the most sensitive assets. Focus first on crown-jewel systems, extranets, production data stores, and identity providers.
2. Consolidate responsibilities into a small platform engineering team (weeks-to-months)
- Form a cloud platform team that owns landing zones, templates, policy-as-code, and shared pipelines.
- Give them a mandate to reduce cognitive friction: create pre-approved, secure blueprints (IaC templates) that developers can use safely.
3. Automate guardrails and enforce least privilege (weeks-to-months)
- Implement automated checks in CI/CD: policy enforcement, secret scanning, and static analysis on IaC.
- Adopt Cloud Infrastructure Entitlement Management (CIEM) principles to detect excessive permissions and enforce least privilege.
- Use short-lived credentials and identity federation; avoid long-lived keys in code and artifacts.
4. Integrate posture management and runtime detection (1–3 months)
- Deploy Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) capabilities (or adopt a CNAPP) to get unified visibility.
- Prioritize alerts that map to your risk map. Tune noise reduction so analysts focus on high-confidence, high-impact events.
5. Invest in role-based upskilling and apprenticeship (ongoing)
- Create short, goal-driven training paths: platform engineer, cloud security engineer, and cloud cost engineer.
- Run internal apprenticeships: pair junior staff with platform team members for 8–12 weeks with concrete project outcomes.
- Require hands-on labs and test environments rather than only certification checkboxes.
6. Use third parties for capability acceleration (immediate-to-short-term)
- For urgent gaps (e.g., migrating Exchange, implementing SSO across tenants), engage trusted integrators or managed service providers on fixed-term contracts with knowledge transfer clauses.
- Use MSSP/CSP partnerships to outsource 24/7 detection while building internal capabilities.
7. Measure outcomes, not inputs (quarterly)
- Track operational KPIs: mean time to remediate (MTTR) for critical misconfigurations, percentage of workloads deployed via approved templates, and number of high-privilege identities audited per quarter.
- Tie security posture and deployment velocity to business KPIs so investments in expertise map to measurable improvements.
Short checklist: immediate, high-impact actions (for teams with limited time)
- Rotate all long-lived keys and enable federated authentication and conditional access.
- Implement mandatory MFA for administrative and developer accounts.
- Scan codebases and CI artifacts for secrets; block deployments that contain them.
- Define and enforce a tagging strategy for cost and security telemetry.
- Create a minimal, secure landing-zone template for new projects and mandate its use.
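As an illustration of step 3 of the playbook and of the checklist item on blocking deployments that contain secrets, the following is a minimal CI gate that fails a build when an artifact contains a long-lived access key or an IAM policy allows wildcard actions. This is example code added here, not taken from BetaNews, RightScale or any vendor named in this piece. It assumes AWS-style policy JSON and access key IDs; the file names, rule names and sample inputs are constructed.

```python
import json
import re

# Assumptions: AWS-style IAM policy JSON and access key IDs; all names and samples are constructed.
SECRET_PATTERNS = {
    "long-lived-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

def _as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def scan_secrets(name, text):
    """Return (file, rule, location) tuples; the secret itself is never echoed."""
    return [(name, rule, f"line {n}")
            for n, line in enumerate(text.splitlines(), 1)
            for rule, pattern in SECRET_PATTERNS.items() if pattern.search(line)]

def check_policy(name, text):
    """Flag Allow statements that break least privilege."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(text).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append((name, "allow-notaction", f"statement {i}"))
        wide = [a for a in _as_list(stmt.get("Action")) if a == "*" or a.endswith(":*")]
        if wide:
            scope = "all resources" if "*" in _as_list(stmt.get("Resource")) else "scoped resources"
            findings.append((name, "wildcard-action", f"statement {i}: {wide} on {scope}"))
    return findings

def gate(artifacts):
    """artifacts maps filename -> content. Returns (passed, findings)."""
    findings = []
    for name, text in artifacts.items():
        findings += scan_secrets(name, text)
        if name.endswith(".policy.json"):
            findings += check_policy(name, text)
    return not findings, findings

SAMPLE = {  # constructed inputs, not taken from any real environment
    "deploy.ps1": 'Write-Host "deploying"\n$env:AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"\n',
    "app.policy.json": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"}]}),
    "reader.policy.json": json.dumps({"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*"}}),
}

if __name__ == "__main__":
    passed, findings = gate(SAMPLE)
    for finding in findings:
        print("BLOCK:", *finding)
    raise SystemExit(0 if passed else 1)
```

Run as a pipeline step, the non-zero exit code is what blocks the deployment; the scoped read-only policy passes while the key in the script and the `s3:*` grant do not.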
The vendor and product angle: what tools help — and what they can’t replace
- Managed identity services, automated posture scanners, CNAPPs, CIEM, and CWPPs are now mainstream. They raise the baseline for secure cloud operation and can reduce the load on scarce senior engineers. However, these tools require correct design and ongoing governance; they are not magical substitutes for people who understand context, exceptions, and business risk.
- Platform engineering is as much about culture as it is about tech. The most successful organizations pair these tools with cross-functional governance and documented runbooks.
Flagging unverifiable or time-sensitive claims
- The specific RightScale percentages (32% vs 29%) are verifiable for the 2016 report and are reliably reported in the contemporary press. However, using these figures to make claims about present-day priorities would be misleading; they are a historical data point, not a live KPI. Treat them as a provocation — a useful story with enduring implications — rather than as the final word on today’s top challenges.
- Modern survey percentages (e.g., “78% say skills are a top concern”) vary by survey vendor, respondent makeup, and year. Cross-survey comparison requires attention to methodology. Where an organization wants to rely on a number for budgeting or policy, it should examine underlying methodology (sample size, respondent role, sector distribution) before making decisions. Recent vendor reports (Fortinet, ISC2, HashiCorp) show the skills gap remains real, but exact percentages differ.
Conclusion: treat expertise as strategic infrastructure
The BetaNews headline — that lack of expertise overtook security as the top cloud challenge — reflected a real and meaningful shift captured by RightScale’s 2016 survey and noted across tech reporting. The enduring lesson is straightforward: security cannot be outsourced entirely to tools or to the cloud provider; it requires organizational capability. Investing in platform engineering, role-based training, policy-as-code, and automated guardrails is now essential infrastructure work — not optional training.
Organizations that treat cloud expertise as a strategic asset — one that can be multiplied by automation, codified through templates, and reinforced by focused hiring and partner engagements — will both secure their cloud footprints and unlock the speed and agility the cloud promises. Ignoring the skills dimension risks turning managed cloud services into unmanaged liability. The remedy is practical, repeatable, and within reach: focus inventory, centralize platform responsibilities, automate enforcement, and measure outcomes. Those steps close the distance between knowing security matters and being able to deliver it at cloud speed.