Header background

2024 CISO Report: The state of application security

A lack of understanding of security posture between security leaders (including CISOs) and top executives (C-suite) is putting organizations at greater risk of cyber threats.

DevSecOps teams struggle to align with top executives on implementing key security measures and practices. This communication gap leaves companies blind to security risks, especially as AI-powered cyber-attacks become more common. Organizations are failing to fight cyberattacks properly because their teams cannot effectively communicate and collaborate.

In this year’s CISO report, “The state of application security in 2024”, Dynatrace investigated these communication gaps to discover how a combined focus on complete system visibility and security can improve teamwork and decrease vulnerability to cyber threats.

Cybersecurity is a board-level issue

This report touches on the fact that cybersecurity has become a critical C-suite and boardroom concern. Data breaches can cripple organizations, leading to hefty fines, shattered trust, and lost market share. New regulations hold leaders personally responsible for cybersecurity preparedness.

Ignoring cybersecurity is no longer an option. While executives are involved in cybersecurity discussions, their focus often centers on meeting regulations and well-known threats like phishing or ransomware. This leaves a gap in understanding the hidden dangers, like weaknesses in application security, which can have a significant impact on day-to-day operations.

In this year’s CISO report, dive into exploring CISOs and the challenges they face in educating leadership about cybersecurity risks. The report reveals how a combined observability and security approach can be their key to engaging the C-suite and ultimately strengthening the organization’s overall cybersecurity posture.

Security leaders must replace technical jargon with precise messages about business risk

In today’s digital landscape, relentless attackers hunt for weaknesses to steal data. While C-suite awareness is rising, CISOs need better ways to communicate cyber threats and build a shared security culture. Many organizations are falling short of bringing security to the forefront of boardroom discussions. For example, only 65% of organizations regularly require CISOs to report to the CEO and board on their cybersecurity risk and compliance posture. 

While C-suite leaders are increasingly interested in cybersecurity, a technical knowledge gap often creates a disconnect. 83% of CISOs say their board of directors and CEO need to understand their security posture better so they can assess business risk and compliance requirements. 

Executives’ priorities may differ from the IT team’s and CISOs, leading to inconsistencies. To bridge this gap, CISOs need to elevate the cybersecurity conversation. Instead of focusing on technical details, they should translate threats into business risks the C-suite can understand. 70% of C-suite executives say security teams often talk in technical terms without providing business context and believe the CISO is responsible for bridging the gap.

Application security is an Achilles’ heel

Cloud applications are a major target for cyber attackers, with 72% of organizations suffering a related security incident in the past two years. This alarming trend has propelled application security to the forefront of risk management for both IT and business leaders.

CISOs haven’t identified a dependable method to providing the board with clear information and insight into their organization’s application security risk posture and weaknesses. In fact, the 2024 CISO Report found that 87% of CISOs say application security is a blind spot at the CEO and board level.

This leaves executives in the dark about potential threats, making it hard for them to make informed decisions to protect the company from disruptions, financial losses, and damaged reputation. 82% of CISOs say they urgently need to increase the visibility of their CEO and board into application security risk to enable more informed decisions to strengthen defenses.

The SolarWinds and MOVEit attacks brought to light a major weakness in the security industry: dependence on third-party software. Many organizations are now rethinking how they manage cyber risk from third-party vendors.

In fact, 50% of CISOs have not yet brought third-party software bills of materials (SBOMs) into their organization’s risk management practices. 

Just knowing a third-party vulnerability exists isn’t enough. Security teams need to move fast to understand the following:

  • How widespread is the issue in our systems?
  • How serious is the business risk?
  • Has it been exploited, and if so, what damage has it caused?

Additionally, it’s vital to share the learned insight with C-suite leaders and board members.

Automation across the DevSecOps lifecycle is central to risk management

As technology races forward, organizationss are turning to automation throughout the software development process (DevOps) to minimize security risks and meet regulations. According to the 2024 CISO Report, 71% of CISOs say DevSecOps automation is critical to ensuring reasonable measures have been taken to minimize application security risk.

To truly speed up innovation, companies need robust DevSecOps automation. But, only 11% of CISOs say their organization has mature DevSecOps automation practices.

DevSecOps automation streamlines development and security checks, catching vulnerabilities early and reducing human error. However, many organizations are still in the early stages, hindered by fragmented processes. Breaking down these silos is key to unlocking the full potential of DevSecOps automation.

Traditional tools and practices have limited value in the cloud-native, AI-driven threat landscape

Cloud complexity is breaking traditional security tools. Log-based security information and event management (SIEM) and extended detection and response (XDR) just cannot handle today’s dynamic cloud environments. This leaves security teams blind, unable to provide the data-driven insights CEOs and boards need to understand their cyber risk. 

The rise of AI is a double-edged sword. It fuels innovation for developers, but also arms attackers with tools to craft faster, more potent exploits. There is a 52% risk of cybercriminals using AI to create new vulnerability exploits faster and execute them on a wider scale. To stay ahead in this dynamic threat landscape, organizations urgently need to modernize their security practices.

79% of CISOs say vulnerability management and threat detection, investigation, and response can no longer be siloed processes. It’s vital now more than ever to have a single system that automates DevSecOps, uses AI to analyze massive data sets, and gives teams the end-to-end visibility they need to keep applications and data safe.

The 2024 CISO Report: How Dynatrace unites security and business leaders

Dynatrace® Application Security, built into the Dynatrace® platform, keeps your cloud-native applications, containers, and Kubernetes deployments safe. Here’s how:

  • Developers: Dynatrace automatically detects vulnerabilities in running applications, so teams can fix real problems and not waste time on false alarms.
  • Security teams: The platform continuously scans for threats and automatically blocks attacks in real-time, giving teams peace of mind.
  • C-suite: By combining observability and security data, the platform eliminates blind spots and provides confidence that applications are secure.

This report is based on a global survey of 1,300 CISOs and ten interviews with CEOs and CFOs in enterprises with over 1,000 employees. It was commissioned by Dynatrace and conducted by Coleman Parkes between March and April 2024.