Communication between security teams and corporate executives structurally leaves much to be desired. This leads to a blind spot within organizations for cyber threats.
Those are the findings from research by Dynatrace. In the annual “The State of Application Security” report, 87 percent of CISOs surveyed said they struggle to get security teams and the C-suite on the same page.
For this global study, Coleman Parkes surveyed 1,300 CISOs on behalf of Dynatrace, while the company also conducted 10 interviews with CEOs and CFOs of companies with more than 1,000 employees.
Too technical language?
The disconnect is created mainly because security teams tell their stories in a too technical manner, seven in 10 of the executives surveyed feel. According to three-quarters of CISOs, the problem lies a layer deeper: the security tools themselves do not generate information that gives a meaningful insight into overall business context. Essentially, security specialists typically don’t have the software to share their findings with executives to begin with.
Dynatrace CTO Bernd Greifeneder articulates the problem as follows: “Many CISOs are struggling to drive alignment between security teams and senior executives because they’re unable to elevate the conversation from bits and bytes to specific business risks. CISOs urgently need to find a way to overcome this barrier and create a culture of shared responsibility for cybersecurity.”
AI threat
According to Greifeneder, that culture shift is much needed because “cybersecurity incidents can have devastating consequences for organizations and their customers, so the issue has rightfully become a critical board-level concern.”
A narrow majority (52 percent) of CISOs are also concerned about new cybercrime risks fueled by AI. Artificial intelligence also helps defence, as AI tools can capture more data than a human. Yet, that same percentage of CISOs suspect AI will make attack campaigns easier to scale. In addition, 45 percent are concerned about the ease with which developers will use AI assistance for their programming tasks. According to these CISOs, this could lead to more vulnerabilities.
Greifeneder notes that AI is a double-edged sword. Both security teams and cybercriminals can become more efficient with the technology, but AI-generated code introduces more vulnerabilities that these attackers can automatically scan for. “In addition, organizations must comply with new regulations such as the SEC mandate, which requires them to identify and report the impact of attacks within four days.” In short, security is becoming harder to keep up with and is more time-sensitive than ever to boot.
Complex cloud
The complexity of cloud environments is also making life more complicated than ever for security teams. Therefore, 83 percent of CISOs surveyed cited the importance of DevSecOps automation. This would address many of the vulnerabilities introduced by AI. In fact, 71 percent of CISOs feel that DevSecOps automation is critical to optimizing application security.
Does this automation provide the solution for organizations? Greifeneder believes it does. “Organizations urgently need to modernize their security tools and practices to protect their applications and data from modern, advanced cyber threats. The most effective approaches will be built on a unified platform that drives mature DevSecOps automation and harnesses AI to deal with distributed data at any scale. These platforms will provide the insights the entire business can rally behind and use to demonstrate compliance with stringent regulations.”
Also read: Runecast acquisition boosts Dynatrace’s security and analytics capabilities