CISOs take the back seat as dev teams claim responsibility for application security
Application security is becoming an increasingly important factor in the purchasing decisions of software companies, with responsibility shifting towards development teams.
According to findings from Checkmarx’ annual report, 49% of chief information security officers (CISOs) from a range of industries and regions said buyers regularly factor it in, with a quarter saying that application security is always a factor in those decisions.
This is predominantly the case in Europe, where regulatory frameworks like DORA led 58% of respondents to say that security is always a factor, compared with a third in the Asia Pacific region and only 8% in North America.
In nearly half of software-based product companies, security oversight has moved outside the CISO’s office entirely, the study found.
Engineering teams are increasingly responsible for ensuring secure, scalable delivery, while development teams are taking over AppSec decisions and budgets to embed security earlier and more efficiently in the development process.
“We’re witnessing a pivotal change: AppSec is now a competitive differentiator, a budget priority and a boardroom issue,” said Checkmarx chief product officer Jonathan Rende.
“As development teams take greater ownership, CISOs must focus on governance, strategy and collaboration to keep security outcomes on track.”
However, the report warned this shift in responsibility is leading to gaps in security coverage, with uneven protection across applications and fragmented tooling leading to blind spots.
Only four-in-ten business operations run on secured applications, and seven-in-ten organizations said that at least half of their applications lack robust security measures.
The good news is that AppSec budgets are growing, with 78% of respondents saying their budget rose last year, and four-in-ten saying the increase was ‘significant’. More than seven-in-ten reckoned their budget would increase this year, with a quarter saying the increase would be significant.
Budget increases were most frequently seen in Europe, where 56% of respondents reported significant growth, compared with roughly a third in both North America and the Asia Pacific region.
Communication barriers are causing problems
Despite positive signs with regard to budget growth and responsibility, the study did uncover problems with the way security is communicated at the executive level.
While 62% of CISOs report AppSec metrics to their board, most said they focus entirely on vulnerability counts, with only a quarter linking those risks to business outcomes like brand reputation or regulatory exposure.
Nearly one-in-five said they don’t report on application security risks at all.
As a result, the report said CISOs need to try and redefine their role through governance, rather than direct control, and foster a culture of shared responsibility by incorporating developer feedback to redefine processes.
“As security responsibility migrates toward development teams, so does the funding,” said Rende. “That’s why CISOs today need to lead with influence, creating guardrails, not roadblocks.”
MORE FROM ITPRO
TOPICS
Source link
