Research from an independent global survey has revealed that chief information security officers (CISOs) find it increasingly difficult to keep their software secure as their hybrid and multi-cloud environments become more complex.
Dynatrace, a leader in unified observability and security, commissioned the survey of 1,300 CISOs in large organisations, including 100 respondents from Australia.
The survey found that security teams continue to rely on manual processes that make it easier for vulnerabilities to slip into production environments. It also found that the maturity of DevSecOps adoption is being hindered by the continued use of siloed tools for development, delivery and security tasks.
How are Australian CISOs responding?
Although the survey covered a number of countries, several findings are specific to the Australian CISOs' responses.
The research found that 61% of CISOs believe vulnerability management has become more difficult because their software supply chain and cloud ecosystem have grown more complex.
Confidence that software delivered by development teams is fully tested for vulnerabilities before it goes live in production is also limited: only 55% of CISOs said they have that confidence.
"Organisations are struggling to balance the need for faster innovation with the governance and security controls they established to keep their services and data safe," says Bernd Greifeneder, Chief Technology Officer, Dynatrace.
77% of CISOs said prioritising vulnerabilities is a significant challenge because they lack information about the risk each vulnerability actually poses to their own environment.
The report also found that 56% of the vulnerability alerts that security scanners alone flag as "critical" are not important in production. Time spent chasing down those false positives is development time lost.
The report quantifies that cost: on average, 29% of development and application security team members' time is spent on vulnerability management tasks that could be automated.
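The two findings above (scanner-only "critical" alerts that do not matter in production, and a lack of information about the risk a vulnerability poses in a given environment) are the motivation for contextual prioritisation: re-scoring a scanner's base severity with evidence from the running system. The following is an added example written for this page, not code from the Dynatrace report or the Dynatrace platform. All finding IDs (the CVE-0000-* placeholders), package names, scores and runtime observations are constructed for illustration, and the scoring factors are assumptions a team would calibrate for itself. The one rule worth noting is that a finding with no runtime evidence at all keeps its scanner severity: absence of evidence is not evidence that the package is unused.

```python
"""Contextual vulnerability prioritisation: re-score scanner findings with runtime evidence.

Added example, not code from the Dynatrace report. Every finding, package and
runtime observation below is constructed; the weighting factors are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """What a static scanner reports: a vulnerable package and its base severity."""
    finding_id: str
    package: str
    scanner_severity: str   # severity assigned by the scanner alone
    cvss_base: float        # base score, no environmental context


@dataclass(frozen=True)
class RuntimeContext:
    """What runtime observation adds: whether the package is actually in use, and where."""
    package: str
    loaded: bool            # library observed loaded into a running process
    public_exposure: bool   # that process accepts traffic from the internet
    sensitive_data: bool    # that process handles sensitive data (PII, credentials, ...)


@dataclass(frozen=True)
class Prioritised:
    finding_id: str
    scanner_severity: str
    contextual_score: float
    priority: str
    note: str


def to_priority(score: float) -> str:
    """Map a 0-10 score onto the usual severity bands (assumed thresholds)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def contextual_score(finding: Finding, ctx: Optional[RuntimeContext]) -> Tuple[float, str]:
    """Adjust the scanner's base score with runtime evidence (assumed factors).

    Only positive evidence downgrades a finding. If nothing was observed for the
    package, the scanner severity is kept and the finding is flagged for investigation.
    """
    if ctx is None:
        return finding.cvss_base, "no runtime evidence: keep scanner severity, investigate"
    if not ctx.loaded:
        # Shipped in the image but never loaded by any process: near-zero real exposure.
        return round(finding.cvss_base * 0.1, 1), "package present but never loaded"
    factor = 1.0 if ctx.public_exposure else 0.5
    score = finding.cvss_base * factor
    note = "loaded, internet-exposed" if ctx.public_exposure else "loaded, internal only"
    if ctx.sensitive_data:
        score = min(10.0, score + 1.0)  # a reachable vuln next to sensitive data ranks higher
        note += ", handles sensitive data"
    return round(score, 1), note


def prioritise(findings: List[Finding], contexts: List[RuntimeContext]) -> List[Prioritised]:
    """Re-score every finding and return them highest contextual score first."""
    by_pkg: Dict[str, RuntimeContext] = {c.package: c for c in contexts}
    results = []
    for f in findings:
        score, note = contextual_score(f, by_pkg.get(f.package))
        results.append(Prioritised(f.finding_id, f.scanner_severity, score, to_priority(score), note))
    return sorted(results, key=lambda r: r.contextual_score, reverse=True)


def demotion_rate(results: List[Prioritised]) -> float:
    """Fraction of scanner-'critical' findings that are no longer critical once context is applied."""
    critical = [r for r in results if r.scanner_severity == "critical"]
    if not critical:
        return 0.0
    demoted = [r for r in critical if r.priority != "critical"]
    return len(demoted) / len(critical)


# Constructed sample input: five scanner findings and runtime observations for four packages.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "webframework", "critical", 9.8),
    Finding("CVE-0000-0002", "imageproc", "critical", 9.2),
    Finding("CVE-0000-0003", "legacyparser", "critical", 9.0),
    Finding("CVE-0000-0004", "buildtool", "critical", 9.3),   # no runtime record at all
    Finding("CVE-0000-0005", "authlib", "high", 7.5),
]
SAMPLE_CONTEXT = [
    RuntimeContext("webframework", loaded=True, public_exposure=True, sensitive_data=True),
    RuntimeContext("imageproc", loaded=True, public_exposure=False, sensitive_data=False),
    RuntimeContext("legacyparser", loaded=False, public_exposure=False, sensitive_data=False),
    RuntimeContext("authlib", loaded=True, public_exposure=True, sensitive_data=True),
]

if __name__ == "__main__":
    ranked = prioritise(SAMPLE_FINDINGS, SAMPLE_CONTEXT)
    for r in ranked:
        print(f"{r.finding_id}: scanner={r.scanner_severity:8} context={r.contextual_score:4} "
              f"-> {r.priority:8} ({r.note})")
    print(f"scanner-critical findings demoted by context: {demotion_rate(ranked):.0%}")
```

On the constructed input, two of the four scanner-"critical" findings drop out of the critical band (one is internal-only, one is never loaded), while the unobserved build-tool finding stays critical and is flagged rather than silently demoted. The 50% demotion here is a property of the made-up data, not a reproduction of the survey's 56% figure.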
"The growing complexity of software supply chains and the cloud-native technology stacks that provide the foundation for digital innovation make it increasingly difficult to quickly identify, assess, and prioritise response efforts when new vulnerabilities emerge," adds Greifeneder.
"These tasks have grown beyond human ability to manage. As such, development, security, and IT teams are finding that the vulnerability management controls they have in place are no longer adequate in today's dynamic digital world, exposing their businesses to unacceptable risk as a result."
Other findings from the Australian data
Additional findings from Dynatrace's research focus on DevSecOps. For example, 77% of CISOs said that the prevalence of team silos and point solutions across the DevSecOps lifecycle makes it easier for vulnerabilities to slip into production.
78% of CISOs said they would see more vulnerability exploits if they could not make DevSecOps work more effectively. This is concerning given that just 6% of organisations have a mature DevSecOps culture.
Asked what will be critical to the success of DevSecOps and to overcoming resource challenges, 86% of CISOs pointed to AI and automation.
82% of CISOs also said that the time between the discovery of a zero-day attack and being able to patch every affected instance is a significant challenge to minimising risk.
"Despite a widespread understanding of the many benefits of DevSecOps, most organisations remain in the early stages of adopting these practices due to siloed data that lacks context and limits analytics," continues Greifeneder.
"To overcome this, they should use solutions that converge observability and security data and are powered by trusted AI and intelligent automation. This is precisely what we architected the Dynatrace platform to do."
"As a result, our customers have reduced the time they spend identifying and prioritising vulnerabilities by up to 95 percent, helping them deliver faster, more secure innovation that keeps them at the forefront of their industries."