Tech innovation helps organisations improve their digital processes, while cybersecurity tools give employers and employees the confidence to work remotely with less risk of successful cyberattacks. However, these tech innovations and cybersecurity measures may still have gaps, according to chief information security officers (CISOs) in software company Dynatrace's latest report.
The 2022 CISO Research Report found that 61% of organisations have a layered cybersecurity posture supported by five or more types of cybersecurity solutions. However, 75% of CISOs identified gaps allowing vulnerabilities into production, despite having a robust, multilayered cybersecurity posture.
“The growing use of microservices, Kubernetes, and serverless computing delivers greater business agility, but it also creates complexity for which many security solutions weren't designed. Even with the most robust, layered approaches to cybersecurity, many organizations still lack the ability to see inside today's dynamic containerized applications,” the report said. “They also struggle to access the context their teams need to distinguish a potential risk from a critical vulnerability that could be exploited. As a result, it's increasingly difficult for them to manage the security of their applications at runtime, allowing more vulnerabilities to escape into production.”
CISOs in the study also claimed that open-source software code may leave the back door unlocked: third-party libraries introduce significant security risk because they regularly contain vulnerabilities. Specifically, 25% of security teams can access a fully accurate, continuously updated, real-time report of every application and code library running in production, while 33% of security teams do not always know which third-party code libraries they have running in production.
Additionally, CISOs warned that increased speed brings greater risk:
CISOs also claimed that relentless alert storms may blind security teams to the real threats: 74% said most security alerts and vulnerabilities are false positives that do not require action because they are not true exposures, and 69% said the volume of alerts makes it difficult to prioritise vulnerabilities based on risk and impact.
Despite the gaps in cybersecurity measures, the report identified the key to cyber resilience: convergence of automation, observability, and security, with 80% of CISOs agreeing that security must be a shared responsibility across the software delivery lifecycle, and 79% saying automatic, continuous runtime vulnerability management is key to filling the gap in the capabilities of existing security solutions.