Three-Quarters of CISOs Admit App Security Incidents

Three-quarters (72%) of global CISOs have experienced an application security incident in the past two years, causing lost revenue and market share, according to Dynatrace.

The deep observability specialist polled 1300 CISOs and a handful of CEOs and CFOs to compile its latest report, The state of application security in 2024.

It revealed that app security incidents in many cases led to lost revenue (47%), regulatory fines (36%) and lost market share (28%).

Most respondents traced the problem back in part to poor CISO-board alignment, with 87% of CISOs claiming application security is a blind spot at the CEO and board level.

Read more on application security: UK to Place Security Requirements on App Developers and Store Operators

There appear to be multiple factors at play here. Some 70% of C-suite executives polled said security teams talk too much in technical terms without providing business context, while 75% of CISOs said security tools can’t generate insights the CEO and board can use to understand business risk.

CISOs are also worried about the growing role AI could play in undermining application security.

Over half (52%) of those polled said they are concerned about the potential for the technology to empower cybercriminals – enabling them to create new exploits faster and execute them on a broader scale.

A slightly smaller share (45%) complained that AI could enable developers to accelerate delivery of software without proper oversight, increasing the likelihood of buggy code making it into production.

Dynatrace CTO, Bernd Greifeneder, admitted that AI was a double-edged sword driving efficiency gains for both developers and those looking to compromise organizations via their applications.

“On the one hand, there’s a greater risk of developers introducing vulnerabilities through AI-generated code that has not been adequately tested, and on the other, cybercriminals can develop more automated and sophisticated attacks to exploit them,” he added.

“Adding further pain, organizations must also comply with emerging regulations such as the SEC mandate, which requires them to identify and report on the impact of attacks within four days. Organizations urgently need to modernize their security tools and practices to protect their applications and data from modern, advanced cyber-threats.”

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button