Our new SoSS Feature Supplement report found that 62% of vendor applications fail to comply with enterprise security policies upon first submission. This stat, more than any other in the report, demonstrates the need for an executive-level mandate to secure the software supply chain.
It means that if all of the stars and planets align and hundreds of applications from your supply chain are independently tested over the next six months, 62% of the applications are likely to fail your enterprise security policy. What happens next with those non-compliant applications depends on the enterprise mandate.
If there are no consequences for failing to comply, then software vendors have no incentive to remediate the security flaws that are found. If the non-compliance escalation procedures are not clear, then software vendors will find creative ways to avoid the remediation effort. Without vendor remediation, your enterprise will continue to deploy dangerous security vulnerabilities alongside the innovative software functionality you need to compete.
CEO mandates have the power to drive collaboration across organizations that have opposing performance pressures – business units that need more technology faster, IT organizations that need to lower the cost of innovation, security teams that need more time for supply chain due diligence. That collaboration is necessary for your enterprise to develop, and stick with, meaningful non-compliance escalation procedures that can play a significant role in securing your software supply chain.