Skip to main content
close search
site logo
Dive Brief

Organizational changes required to mitigate security risks

CIOs are implementing new strategies to lower the risk of software supply chain cyberattacks, but evaluating internal operations could prove more effective.

Published June 7, 2022
Lindsey Wilkinson's headshot
Reporter
software, code, computer

Markus Spiske
This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

  • CIOs understand the threat of cyberattacks, but some still are not making the organizational changes to mitigate risk, research from Coleman Parkes sponsored by Venafi shows.
  • Of the 1,000 CIOs surveyed, 95% said their information security teams have authority over the security controls required to protect software supply chains. But almost one-third of the information security teams do not hold the power to carry out the policies they recommend, according to the report.
  • The board or CEO instructed nearly nine in 10 CIOs to improve the security of software development.

Dive Insight:

Software supply chain vulnerabilities command more CIO attention following a series of highly publicized compromises, from SolarWinds to Log4j. These attacks wrangled the attention of the board, leading to larger risk appetites and, of course, more responsibility.

Eight in ten CIOs surveyed believe software supply chain attacks could impact their company, according to the report. 

This security awareness from the highest levels of the company has led CIOs to execute specific strategies to combat vulnerabilities. Over half of CIOs have implemented more security controls and of code signing. Almost half of CIOs are looking at the origin of their open source libraries. 

Despite these initiatives, the root of the problem is grounded in the relationship, communication and collaboration — or lack thereof — between information security and development teams. 

“You still, unfortunately, have organizations where you've got a very dysfunctional relationship. Management hasn't communicated to development the importance and the need for security,” Dale Gardner, a senior director and analyst at Gartner, said. “Maybe security's not taking an appropriate approach to development.”

The divide between the two teams can have critical implications, the report found. Information security teams have little insight into how to approach securing vulnerable supply chains because they don’t have adequate knowledge of what the software engineering teams are doing.

As threats continue to target foundational aspects of software development, communication and collaboration must do the same in order to properly secure each piece of code.

“For CIOs, I think one of the most important things that they can do is [be] the vocal supporter of security efforts,” Gardner said.

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Welcomes Lakshmi Hanspal as New Chief Trust Officer
From DigiCert
October 24, 2024
Tech Ambitions Collide with Reality: 2025 Technology Impact Report Exposes Critical Readiness…
From Omnia Strategy Group, LLC
October 21, 2024
Celonis Business Collaboration Networks Drive Process Improvement Across Company Boundaries
From Celonis
October 23, 2024
Celonis AgentC: Making AI Agents Work for the Enterprise with Process Intelligence
From Celonis
October 23, 2024
Editors' picks
Latest in IT Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell