From Confidence to Competence: The Reality of Secrets Management

Our recently published Voice of Practitioners report offers a comprehensive look into the state of secrets management across the globe. To explore its key findings and discuss best practices, GitGuardian and CyberArk brought together a panel of security experts from across the industry.

In this blog, we present their insights on the most pressing challenges in secrets management today – from the substantial gap between perceived and actual security postures to practical solutions for improving remediation times, clarifying organizational responsibilities, and addressing emerging AI-related concerns. Their real-world perspectives provide guidance for organizations looking to transform their approach to protecting sensitive credentials.

The Confidence Paradox

Perhaps the most striking revelation from the webinar was what could be called the "confidence paradox." While 75% of organizations expressed strong confidence in their secrets management capabilities, the reality on the ground tells a different story – only 44% of developers actually follow best practices according to the survey.

"We definitely have a false sense of security," noted Chris Smith from CyberArk. "The developers know what's really happening because they're writing the code, while security teams often lack visibility into where all the secrets and secret stores actually exist."

This disconnect creates a dangerous scenario where organizations believe they're more secure than they truly are – a perfect recipe for breaches and compromises.

The Remediation Time Crisis

When secrets leak, time is of the essence. Yet according to the report, the average time to remediate leaked secrets stands at a concerning 27 days. For security professionals, this statistic is alarming.

Grace Law from Manulife provided valuable perspective from her experience in application security.

"Twenty-seven days might sound long, but in multinational companies, it's actually quite optimistic," she explained. "When secrets are spread across business units, remediation requires coordination between multiple teams and leadership levels. It's not just about one team understanding the problem – everyone involved needs to grasp the implications."

This fragmented ownership significantly slows down the remediation process. When no single team owns the process completely, the back-and-forth coordination becomes a major obstacle to solving the secret sprawl problem effectively.

The Investment Divide

One of the more intriguing findings was the significant disparity in investment between regions. US companies spend almost twice as much on secrets management compared to their French counterparts – 40.8% versus 25.2% of security budgets.

Chris Smith offered an insightful explanation: "The tech sector's economic footprint in the US is unparalleled globally. The investment scale reflects what's at stake – American companies simply have more to lose, driving higher security spending."

The panel also noted that stricter compliance requirements in the US tend to drive higher investment in security infrastructure.

The Challenge of Scale

As organizations grow, so do their secrets management challenges. The survey found that larger organizations (with 100-499 developers) show more confidence in their abilities, with confidence plateauing at around 80% beyond that size.

However, scale also brings complexity. Organizations reported using an average of six different secrets managers, creating considerable challenges for maintaining consistent security controls.

"The proliferation of secret managers is often unavoidable in large enterprises," Grace Law explained. "Geographic distribution, mergers and acquisitions, and different business units all contribute to this complexity. Teams become attached to their existing systems, and migration resistance creates a patchwork of solutions."

The AI Evolution

The webinar also addressed emerging concerns around AI coding assistants and supply chain security. A significant 43% of respondents worry about AI reproducing sensitive patterns, while 32% identified hardcoded secrets as a key risk point in the software supply chain.

Grace offered a nuanced perspective on AI's impact: "AI assistants are only as good as the prompts they receive. If developers have poor coding practices, AI will amplify those weaknesses rather than fix them."

She emphasized that while AI can't replace good security habits, it's becoming essential for managing the overwhelming volume of security data and alerts that no human team could process manually.

The Path Forward

So what's the solution to these complex challenges? The experts emphasized several key strategies.

Chris Smith focused on fundamentals: "The basics still matter most – avoid hardcoding secrets and implement consistent rotation policies. Organizations need developer-friendly frameworks that make secure authentication practices easier than taking shortcuts."

Grace stressed the importance of a developer-centric approach: "Security solutions must consider the developer experience. If security tools create friction, developers will find workarounds. We need to build security paths that are easier to follow than to circumvent."

Thomas from GitGuardian used a memorable comparison: "Good security practices should be as automatic as fastening your seatbelt in a car – a simple habit that protects you when things go wrong."

Conclusion

Organizations need to address the fundamental gaps in their approaches to secrets management – from lengthy remediation times to siloed responsibilities, from tool proliferation to developer experience. By focusing on both technical solutions and cultural changes, companies can move from mere confidence to true competence in protecting their most sensitive credentials.
