A survey of C-level executives released by CloudBees reveals high confidence levels in software supply chain security but a limited understanding of the essential components that make a software supply chain secure. The survey also reveals that among nearly all companies, supply chain security is a higher priority than just two years ago.
Executives overwhelmingly claim their software supply chains are secure (95%) or very secure (55%) and 93% say they are prepared to deal with an issue such as ransomware or a cyberattack on their supply chain. However, when asked additional questions about the security of their supply chains, the responses uncover vulnerabilities.
Software supply chain security initiatives halfway complete or less
45% of executives admit that initiatives to secure their software supply chains are halfway complete or less, and 64% say they are not sure who they would turn to first if their supply chain was attacked.
“It’s critical that software supply chains operate in the most secure and compliant manner possible. These findings show that while leaders are confident on the surface, they are also aware of security and planning gaps that could expose companies to significant business disruption, regulator and customer concerns and negative brand impact,” said Prakash Sethuraman, CISO, CloudBees.
“For a software supply chain to be secure, it must be continuously verified throughout the entire lifecycle in real-time – from commit all the way through to production. We’re encouraged to see that companies are focused on the development piece, but they need to look holistically end-to-end.”
Many companies are not prepared to respond quickly
The survey also reveals that many companies are not prepared to respond quickly when an attack or breach happens. Among executive respondents, 64% say it would take more than four days to fix the problem if they did experience an issue.
For a Fortune 500 company, this could result in the loss of millions in revenue and create significant reputational harm. And, while 93% of executives say they routinely practice dealing with a supply chain production vulnerability, 58% say that if they experienced one, they have no idea what their company would do.
As companies rely even more heavily on software to drive mission-critical business needs, trends show an increasing number of attacks, pushing this issue to the top of mind in boardrooms.
95% of C-level executives say they think more about securing the supply chain now than they did just two years ago, and 92% said a security issue would impact their brand. The results of the survey of 500 C-suite leaders in the United States, United Kingdom, Germany and France reflect a growing concern over the security of the world’s delivery and distribution of software.
- Disruptions impact employees and innovation: 83% of C-suite executives say having security issues causes their developers to drop everything to review code, which in turn causes other business disruptions. By dealing with security issues, 82% of executives say they are losing time employees could be spending on innovation.
- Responses vary by size and locale: Smaller companies are more confident in their ability to deal with supply chain issues than larger companies. Between countries, C-suites in the U.S. are most confident about the security of their software supply chains and those from France are the least confident.
- Technical issues are on the agenda: 95% of executives say container images are checked for high or critical vulnerabilities and their automation access keys are set to expire automatically, while 92% say their company only accepts commits signed with a developer GPG key. Nine in ten C-suite executives say dependencies are limited to trusted registries at their organization (90%) and that administrative access to CI/CD tools is restricted (89%).