The holiday season is upon us; are you buying all your gifts at the mall? Probably not. Many, if not most, of you are going to research, purchase and pay for all your holiday gifts online this year. Digitization is everywhere – changing every interaction and transaction. But it seems like breaches are everywhere as well – affecting all industries in all geographies. Are business leaders simply unable to keep up with the pace of the digital transformation, or are they unaware of the security implications of their digital initiatives? Veracode set out to answer these questions in our Securing the Digital Economy survey report. We surveyed more than 1,000 business leaders across the UK, US and Germany about their companies’ digital transformation initiatives and understanding of cybersecurity in an attempt to get to the bottom of the seeming disconnect between digital innovation and digital risk. Here’s what we found:
Marc Andreesen was right back in 2011; software is taking over. Nearly a third (29 percent) of our survey respondents indicated that they are actively pursuing digital transformation projects. A further 29 percent stated that they are either planning for or considering digital transformation projects for the future. And, one in five business leaders indicated that their software budget had increased 50 percent or more over the past three years.
Verizon recently reported that 40 percent of breaches are caused by web apps, the largest cause by far. So, increasing your software budget by 50 percent should lead to a corresponding application security budget increase, right? Wrong. Most of our survey respondents aren’t even clear on software security risks, let alone addressing them.
In fact, only half of business leaders surveyed fully understand the risk that vulnerable software as a whole poses to their business. And less than a third (32 percent) of business leaders understand the risk that vulnerable open source components, a key feature of most applications, pose to their organization. This is especially disturbing considering that our most recent State of Software Security report, based on application security testing data from scans conducted by our base of more than 1,600 customers, found that 88 percent of Java applications have at least one component-based vulnerability.
Finally, a quarter of all business leaders in the UK and US report not understanding any of these common cybersecurity threats:
Among organizations that reported that cyberattacks on other companies prompted them to rethink their own approach to cybersecurity, nearly half (47 percent) said their organization discussed updating outdated operating systems and conducting more regular scanning for vulnerabilities in software. This is especially good news considering that our recent State of Software Security report also found that organizations which tested their apps frequently with sandbox scanning (developer-initiated scans early in the dev process) had a 48 percent better fix rate than those doing policy-only scanning (security-initiated scans late in the dev process).
Further, a third of this group indicated that the plan to update outdated operating systems and instigate more regular scanning for vulnerabilities in software has either already been implemented or will commence in the next 12 months (34 percent and 37 percent).
On the other hand, there are many more organizations that are not so security-savvy. Of those we surveyed, one-third of British and German business leaders reported that their businesses do not plan to take any steps to improve overall cybersecurity in the next 12 months. In the US, this figure is lower at 24 percent. This begs the question, are companies not improving their cybersecurity, or are the business leaders not aware of cybersecurity efforts?
What’s a security pro to do? Nearly half of the business leaders we surveyed stated that none of the high-profile cyberattacks we highlighted had caused their organizations to rethink their approach to cybersecurity.
How do you get executives to pay attention to cybersecurity when the headlines about breaches don’t do the trick?
Apparently you need to hit them where it hurts the most – their own personal reputation and livelihood. Over a third of business leaders (38 percent) reported that giving senior executives examples of the personal brand damage that can come as a result of a data breach is an effective strategy for engaging them with cybersecurity.
Highlighting the threat to executive jobs was also a commonly shared suggestion, with 35 percent of business leaders across all regions suggesting this would get board members sitting up and listening.
Find out more about what business leaders think and know about cybersecurity. Get the full survey results and analysis in our Securing the Digital Economy report.