The gap between software creation and software security is widening, according to a software security product company, which is suggesting that a rush to innovate is outpacing the urgency to secure the process.
The “Securing the Digital Economy” report by Veracode, Inc, acquired by CA Technologies, shows investment in software and digital transformation is accelerating, with around one in five business leaders indicating that their software budget had increased 50 percent or more over the past three years to support digital transformation projects. However, that software development investment has not translated to greater security budgets or awareness of the security risks insecure software introduces: only half of those surveyed understand the risk that vulnerable software poses to their business.
As for awareness, of the 33 percent who indicated that a cyber-attack on another company had led their business to rethink its approach to cyber-security, many have either taken steps to improve their software security or plan to over the next 12 months.
More than one-third (34 percent) have or will over the next 12 months start scanning or already more regularly scan for vulnerabilities in software; while one-fifth either have or will set security thresholds for software built by third-party providers and for all commercial out-of-the-box applications (22 percent and 20 percent, respectively).
While there may be some shift in awareness, not all business leaders have woken up to the risks of the evolving cyber threat landscape, according to the firm. One-third of business leaders surveyed revealed that they plan to take no new steps to improve their organisations’ overall cyber-security in the next 12 months.
Chris Wysopal, CTO, CA Veracode said: “Digital transformation presents both massive opportunity to innovate and significant security risks, with 77 percent of applications having at least one vulnerability when first scanned, which could be exploited to inject ransomware or steal data. Many business leaders have yet to fully grasp the most common cyber threats to their business, nor are they keeping up with some of the most catastrophic cyber events of our time. We need to bridge this disconnect between business leaders and the cyber-security threat: without greater awareness of the threats and what is needed to defend against them, their company could easily be the next headline.”
While high profile breaches do not in themselves prompt great change in behaviour, when confronted with the possibility of personal accountability in the event of a breach, executives are more likely to take action. More than a third of the business leaders surveyed said the personal risk to executives outstripped compliance as a driver for board members. Articulating the potential brand damage for senior executives from a data breach and the risk to their job security was recommended by 38 percent and 35 percent of business leaders surveyed, respectively, as a way to engage a board on cyber-security, compared to just 29 percent who suggested that highlighting the potential fines of data protection regulations, like the EU-wide GDPR (general data protection regulation).
To request a copy of the report visit https://info.veracode.com/survey-report-securing-the-digital-economy.html.
