CISOs acknowledge that the complexity of siloed teams, point solutions, and cloud ecosystems makes it more likely that software vulnerabilities will make it into production.
Dynatrace, an observability specialist, surveyed 1,300 CISOs at large global organizations with 1,000+ employees for its 2023 Global CISO Report.
More than two-thirds (68%) of respondents said vulnerability management is more challenging because of the complexity of software supply chains and cloud ecosystems, and three-quarters (75%) said that siloed teams and DevSecOps point solutions mean significant vulnerabilities are missed.
Prioritization and visibility are two key challenges. Only 50% of CISOs are fully confident that their software is fully tested for vulnerabilities before going live, and 77% say it is difficult to decide which vulnerabilities to fix because they lack insight into the risk those bugs pose to their environment.
For example, more than half (58%) of vulnerability alerts flagged as "critical" turn out to be false positives that are not actually important in production and only waste development time.
According to Dynatrace, each development and application security team member spends an average of 11 hours per week, or 28% of their time, on vulnerability management tasks that could be automated.
The majority (81%) of CISOs surveyed for the report argued that effective DevSecOps processes would help reverse this trend and stop vulnerabilities before they reach production. Yet only 12% claimed to have mature DevSecOps capabilities.
Dynatrace CTO Bernd Greifeneder argued that organizations struggle to balance the need for faster innovation with governance and safety management.
“The increasing complexity of the software supply chain and the cloud-native technology stacks that provide the foundation for digital innovation is making it harder to quickly identify, assess and prioritize response efforts as new vulnerabilities emerge,” he added.
“These tasks have outgrown the ability of humans to manage them. Development, security, and IT teams are starting to realize that, in today’s dynamic digital world, their current vulnerability management controls are no longer adequate and are putting the business at risk of exceeding an acceptable level of exposure.”