New research has found that communication gaps between IT security teams and senior corporate leadership could lead to serious gaps in application security. According to a survey by Dynatrace, 87% of CISOs polled said that security in this area needed to be improved, while three-quarters also reported that commonly used security tools are failing to generate the kinds of insights into company-wide cybersecurity demanded by boardrooms.
“Many CISOs are struggling to drive alignment between security teams and senior executives because they’re unable to elevate the conversation from bits and bytes to specific business risks,” said Bernd Greifeneder, Dynatrace’s chief technology officer. “CISOs urgently need to find a way to overcome this barrier and create a culture of shared responsibility for cybersecurity. This will be critical to improving their ability to respond effectively to security incidents and minimize their risk exposure.”
Communication gaps worsening application security risks
A common complaint among senior leaders was that security teams often explained threats to the company in overly technical terms without touching on how these risks might impact the wider business. For their part, 77% of CISOs polled complained that CEOs and boards concentrated too much on the ability of their company to react to security incidents after they had happened, instead of investing proactively to mitigate the risk of such crises occurring in the first place. 83% also said that C-suite leaders needed to improve their understanding of the wider security posture of their company.
This is especially true of application security risk, said CISOs, with 82% concluding that visibility urgently needed to be increased into this area of vulnerability so that senior leaders could make more informed decisions about how to shore up corporate cyber defences. Even so, only half of CISOs reported incorporating third-party software bills of materials (SBOMs) into their firm’s risk management practices, while only 20% said that third-party SBOMs were actually providing those insights.
AI cybersecurity threat looming for many CISOs
This factor is especially worrying to CISOs with the advent of generative AI, said Dynatrace, with 52% of those surveyed saying they were concerned that future models afford cybercriminals new opportunities to find and exploit vulnerabilities more quickly. 83%, meanwhile, reported that DevSecOps automation would likely prove invaluable in managing this threat before the arrival of more advanced methods, though only 11% said that their firm had mature versions of those practices in place – a figure that dips to 8% among UK CISOs.
“On the one hand, there’s a greater risk of developers introducing vulnerabilities through AI-generated code that has not been adequately tested, and on the other, cybercriminals can develop more automated and sophisticated attacks to exploit them,” said Greifeneder. “Adding further pain, organisations must also comply with emerging regulations such as the SEC mandate, which requires them to identify and report on the impact of attacks within four days. Organizations urgently need to modernize their security tools and practices to protect their applications and data from modern, advanced cyber threats.”