For a growing number of organizations, IT environments encompass a blend of public cloud services, private clouds, and on-premises infrastructure—with the latter becoming an ever-smaller portion of the mix.

The past two years have seen a major uptick in the use of cloud services, and the trend shows no signs of slowing. An April 2021 report by research firm Gartner forecast that worldwide spending on public cloud services will grow 23% this year.

Emerging technologies such as containerization, virtualization, and edge computing are becoming more mainstream and driving cloud spending, the report said. Software as a service (SaaS) remains the largest market segment.

Rather than deploying one type of cloud service, companies are opting for a mix to meet their business goals. The hybrid cloud model can deliver unprecedented flexibility for businesses. They can shift capacity up or down as needed and move data and workloads to and from any number of cloud services. Hybrid cloud also presents cybersecurity risks that if left unaddressed can lead to significant losses.

Here are the five top challenges security leaders and teams face with the hybrid cloud model and how they can address them.

1. Increased complexity, decreased visibility

As companies deploy more public cloud services and add private cloud capabilities, their IT environments are becoming much more complex from a management and security standpoint.
Without taking steps to monitor usage of the services, they lose visibility of what’s going on in this environment.

“A hybrid environment naturally introduces more complexity; there are just so many more ‘windows and doors’ to lock, and more security maintenance—patching, etc.—to perform,” says Chris Kanaracus, research director for dedicated and hybrid cloud infrastructure/services at research firm International Data Corp. (IDC). “We have seen so many high-profile media stories about data leaks caused by human error [such as] misconfigured storage buckets on public clouds.”

The Cloud Security Alliance (CSA), an organization that defines standards, certifications, and best practices to help ensure a secure cloud computing environment, cited misconfiguration and inadequate change control, and limited cloud usage visibility as being among the top threats to cloud computing in 2020.

The preponderance of cloud services will often require a change in how organizations approach security. “While choosing a hybrid cloud environment can offer organizations choice and flexibility, it also means IT leaders need to re-evaluate their security practices and consider how they may need to be adapted,” says Mandy Andress, the CISO of Elastic, a provider of online search products. “The saying, ‘You can’t secure what you can’t see,’ is especially true in hybrid cloud architectures. Mixing public and private clouds or infrastructure can increase complexity and heighten an organization’s risk, making visibility and control paramount to securing a distributed system.”

2. Knowledge and skills gap

The severe shortage of cybersecurity skills has been well documented. Many organizations are struggling to find people to fill a variety of roles, but identifying and hiring security professionals who also understand the cloud takes the challenge to a whole other level.
This cloud security knowledge gap can leave enterprises exposed to risk, and they need to find ways to close the gap before it’s too late.

One way is to offer internal and external training. It takes a concerted effort between business lines, cybersecurity leadership and team, training, and human resources to develop a curriculum and multi-modal training paths for continual skills growth to support a complex hybrid cloud environment, says Vikram Kunchala, risk and financial advisory cyber cloud leader and principal at consulting firm Deloitte.

“It is vital to note that most non-technology organizations and non-cloud service providers are competing for the same cloud talent pool,” Kunchala says. “As such, hiring is a challenge and [companies] should not solely rely on it as an option. Developing training programs to up-skill/cross-skill current employees can help in this area.”

Strong governance is another key component in a hybrid cloud environment, Kunchala says. Having a well-defined responsibility matrix and operational models can alleviate concerns and enable effective governance. “Monitoring metrics provide visibility into the efficacy of various security teams and effectiveness of controls implemented,” he says.

CISOs and other security leaders “need to consider the efficiency of their people resources and skills usage,” Andress says. “In a hybrid cloud environment, security teams might need to learn the security functions of two [or more] cloud services.”

3. Shifting security responsibilities

The responsibility of putting in place controls around perimeter security, infrastructure, and virtualization incrementally shifts to cloud providers in a public cloud ecosystem, so understanding the changing security shared responsibility model is vital, Kunchala says.
“Organizations attempt to extend private cloud security controls and technology stack to public clouds, which does not work in some cases,” he says. “Not having a clearly defined [responsibility assignment matrix] and/or operating model in a hybrid cloud ecosystem leaves room for unmitigated threats and unaddressed capabilities that prevent the organization from scaling and meeting business goals.”

Despite the importance of knowing and following the shared responsibility model that comes with the use of cloud services, it’s not something all companies are doing. “The shared responsibility model used by public cloud companies is something many enterprises still grapple with keeping top of mind,” Kanaracus says.

4. Network protection mismatches

Network security is a key area where organizations continue to be challenged, as existing vendor tools supporting private cloud might not be suitable for public clouds, Kunchala says. “Organizations leverage containers for seamless transition and management across hybrid cloud, and not understanding the nuances like service mesh and API security [can] lead to potential compromise of containers and further exploitation.”

Most public cloud-based security tool vendors support private cloud environments, Kunchala says. “But traditional vendor tools purpose built for on-premises or private cloud may not extend or provide full features for public cloud,” he says. “Vendor analysis is key and should be performed once all requirements and use cases have been identified.”

5. Dispersed logging and monitoring capabilities

In a hybrid cloud environment, log sources are spread across on-premises systems, public cloud systems, vendor tools, and cloud-native services, Kunchala says.
“It is critical to identify log telemetry [and] build metrics for monitoring.” Organizations need key performance indicators (KPIs) for operational- and functional-level metrics and key risk indicators (KRIs) for executive reporting, he says.

“However, maturation of logging and monitoring capabilities is a one- to two-year journey, which takes a number of steps and tools for processing logs and correlating across multiple sources to arrive at defined metrics,” Kunchala says. The end goal is to develop custom reporting dashboards to cater to executives, to help them understand the residual risk and impact of cloud services, he says. Meanwhile, operational teams will gain full visibility into advanced persistent threats across the landscape.