API security has emerged as a critical concern in cloud-native environments, with attacks skyrocketing by 3,000% from 2023 to 2024. As organizations increasingly rely on cloud services, APIs serve as both the foundation of modern applications and a major attack vector. The shift of security responsibility from IT teams to cloud providers introduces fresh challenges, demanding stronger monitoring, oversight, and proactive strategies to mitigate risks. Yet, cultural gaps between IT security and DevOps continue to hinder security integration, making a DevSecOps approach essential.

Doug Dooley, COO of Data Theorem, discusses these evolving threats, emphasizing the growing need for continuous API security in cloud-native environments. Data Theorem focuses on securing APIs, mobile, web, cloud, and code, working with companies that rely on cloud-first architectures. With APIs acting as the “network nervous system” of cloud-native applications, Dooley highlights the importance of real-time visibility and automated security enforcement to prevent emerging threats.

Security in the cloud operates under a shared responsibility model, where cloud providers and businesses must collaborate to ensure resilience. Cloud outages can potentially disrupt entire industries, making clear lines of accountability essential. To mitigate risks, Dooley underscores the need for strong configuration management and security posture monitoring, particularly in multi-cloud environments where misconfigurations remain a major risk. As cloud complexity grows, security tooling must evolve to provide real-time visibility and automation.

API security, in particular, is a growing priority due to the proliferation of unsecured and ungoverned APIs. From an attacker’s perspective, APIs present an easy way to extract and monetize data. “When you look at it from a hacker’s perspective, the current state of the union on APIs is the gift that keeps on giving to attackers, right?” Dooley states. The defensive response needs to go beyond infrastructure guardrails, as breaches lead to massive financial and reputational damage. API security is no longer just an IT issue, but a board-level concern, as organizations recognize the value of protecting proprietary data.

Traditional security methods struggle to keep up with the cloud-native shift. While software updates were once infrequent and security could be retrofitted later, today’s cloud environments demand continuous oversight and real-time security adjustments. However, APIs are often left unchecked and ungoverned, creating an urgent need for better monitoring and enforcement. Dooley emphasizes that security tooling must evolve alongside these rapid changes to ensure that APIs remain secure as they scale.

The role of AI and machine learning in security remains a topic of debate. While these technologies enhance security through improved threat detection and cost reduction, Dooley argues that they cannot yet replace human decision-making. Effective AI-driven security requires large datasets and well-defined outcomes, otherwise, there are risks of AI generating inaccurate or even harmful results. AI is a tool that assists security teams rather than a revolutionary replacement for existing practices.

One of the most significant gaps in cloud security is culture. DevOps teams prioritize speed, uptime, and innovation, while security teams focus on risk mitigation and regulatory compliance. Dooley believes that forcing developers to adopt security-focused mindsets rarely works. Instead, security professionals must adopt a developer’s perspective, embedding security within the development process rather than enforcing it as an afterthought. Dooley highlights Netflix’s efforts to integrate security into agile development as an example of how cultural alignment can enhance security without stifling innovation.

By adapting security tooling to modern cloud environments, fostering DevSecOps collaboration, and integrating AI-powered insights where appropriate, Data Theorem is working to close the API security gap. Data Theorem continues to evolve alongside the growing security challenges of the cloud era.

Guest: Doug Dooley
Company: Data Theorem
Show: CISO Insights

This summary was written by Emily Nicholls.