CISO Survey Surfaces Shift in Application Security Responsibilities
A global survey of 200 CISOs suggests responsibility for application security is shifting more toward the teams building and deploying software.
Conducted by Global Surveyz on behalf of Checkmarx, a provider of security tools for application development teams, the survey polled CISOs at organizations with annual revenues exceeding $750 million and 180 or more application developers. It finds that responsibility for application security is becoming increasingly decentralized, with 43% of respondents having moved oversight of it to the teams that build products.
Avi Hein, senior product marketing manager for Checkmarx, said that the shift suggests that more cybersecurity experts are being embedded within product development teams to work more closely with application development teams that report directly into product management teams rather than a CISO.
Regardless of who assumes responsibility for application security, more than half of the CISOs surveyed (56%) said most of their development teams are fully integrated into application security programs, with 41% soliciting feedback from developers to improve security processes. Just over a third (37%) have also appointed security champions within development teams, while 34% are aligning priorities with research and development leadership from the top down.
Overall, 37% of respondents claim their organization has adopted a “security-first” development culture. However, while more organizations are clearly aware of the need to build and deploy more secure applications, only 39% of business operations run on secured applications. A full 70% of respondents report that half or more of their applications lack robust security measures. On the plus side, 49% of CISOs say buyers now factor application security into purchasing decisions, with 24% reporting application security is always a factor in every decision.
Additionally, more CISOs are prioritizing business initiatives (34%), security architecture (31%), application development security (30%) and artificial intelligence (AI) governance (29%) over tactical issues such as threat detection (24%) and identity management (15%).
Unfortunately, while 62% of CISOs report application security metrics to the board of directors, most of those reports still focus solely on vulnerability counts, said Hein. Only 25% tie risks to business outcomes such as brand reputation or regulatory exposure, which means cybersecurity leaders are still not speaking in terms that business leaders readily understand, he added.
In general, progress when it comes to application security is being made, but there is still plenty of room for improvement, said Hein. CISOs need to make it a point to be more actively engaged with product development teams if they want to change the culture of an organization, he added. In fact, instead of worrying so much about who has authority and control over the budget for application security, there is a clear opportunity to focus on empowering product teams and the platform engineering teams that support them, said Hein. That approach should reduce the overall level of friction that currently exists between many cybersecurity and application development teams, he noted.
After all, the goal is to build and deploy more secure applications in a way that should, hopefully, reduce the total number of incidents that CISOs might ultimately need to manage later on.