The gap between application development and cybersecurity is growing, with firms increasing budget for the former while execs fail to grasp the severity of current threats, according to CA Veracode.
The security vendor polled over 1400 business leaders in the UK, US and Germany to compile its Securing the Digital Economy report.
While a fifth of respondents claimed their software budget had grown 50% over the past three years to support digital transformation, only half appeared to understand the risks posed by vulnerable software.
What’s more, a quarter of those polled did not understand any of six very common threats, including ransomware, phishing, DDoS and malicious employee activity.
This head-in-the-sand approach over security was evident in several other surprising answers.
Just a third of respondents said they’d heard of WannaCry and only 10% claimed it had forced a rethink on security.
Even more surprisingly, just 5% said the Equifax breach had caused them to reconsider their own organization’s approach to cybersecurity, despite the firm’s former CEO being forced to testify before Congress.
It’s not all bad news: a third of business leaders interviewed said an attack on another company had forced a rethink, with many taking steps to improve security.
CA Veracode CTO, Chris Wysopal, told Infosecurity that it’s no surprise organizations are pursuing digital transformation projects, often by accelerating and expanding software development efforts.
“However, our research has found that many still remain ignorant to the common threats that their businesses are facing, which is translating into a lacklustre approach to improving existing cybersecurity defenses,” he added.
“It’s therefore essential that, as well as communicating the opportunities created through digital transformation projects, IT leaders ensure the C-suite appreciate the increased risk that the explosion of software introduces.”
One way to do this could be to introduce the idea of personal liability. Over a third of those polled claimed the personal risk to execs outweighed compliance as a driver.
Articulating brand damage resulting from a breach (38%) and the risk to board members’ job security (35%) were also recommended as key ways to engage the board in cybersecurity. Interestingly, only 29% suggested that mentioning regulatory fines would get their attention.
In its 2018 prediction report, Paradigm Shifts, Trend Micro argued that executives would only heed the forthcoming EU GDPR once regulators start to levy massive fines on specific companies and lawsuits follow.
A previous report from the vendor earlier this year found that C-level execs in over half (57%) of businesses shun responsibility for GDPR compliance while many aren’t even aware what personally identifiable information (PII) is.