Dive Brief:
- CIOs understand the threat of cyberattacks, but some still are not making the organizational changes to mitigate risk, research from Coleman Parkes sponsored by Venafi shows.
- Of the 1,000 CIOs surveyed, 95% said their information security teams have authority over the security controls required to protect software supply chains. But almost one-third of the information security teams do not hold the power to carry out the policies they recommend, according to the report.
- The board or CEO instructed nearly nine in 10 CIOs to improve the security of software development.
Dive Insight:
Software supply chain vulnerabilities command more CIO attention following a series of highly publicized compromises, from SolarWinds to Log4j. These attacks wrangled the attention of the board, leading to larger risk appetites and, of course, more responsibility.
Eight in ten CIOs surveyed believe software supply chain attacks could impact their company, according to the report.
This security awareness from the highest levels of the company has led CIOs to execute specific strategies to combat vulnerabilities. Over half of CIOs have implemented more security controls and of code signing. Almost half of CIOs are looking at the origin of their open source libraries.
Despite these initiatives, the root of the problem is grounded in the relationship, communication and collaboration — or lack thereof — between information security and development teams.
“You still, unfortunately, have organizations where you've got a very dysfunctional relationship. Management hasn't communicated to development the importance and the need for security,” Dale Gardner, a senior director and analyst at Gartner, said. “Maybe security's not taking an appropriate approach to development.”
The divide between the two teams can have critical implications, the report found. Information security teams have little insight into how to approach securing vulnerable supply chains because they don’t have adequate knowledge of what the software engineering teams are doing.
As threats continue to target foundational aspects of software development, communication and collaboration must do the same in order to properly secure each piece of code.
“For CIOs, I think one of the most important things that they can do is [be] the vocal supporter of security efforts,” Gardner said.