CISOs struggle to manage risk due to DevSecOps inefficiencies

As their hybrid and multicloud environments become more complex, and teams continue to rely on manual processes that make it easier for vulnerabilities to slip into production environments, CISOs find it increasingly difficult to keep their software secure, according to Dynatrace.

The continued use of siloed tools for development, delivery, and security tasks is hindering the maturity of DevSecOps adoption. This highlights the growing need for the convergence of observability and security to fuel data-driven automation that enables development, security, and IT operations teams to deliver faster, more secure innovation.

Automated vulnerability management

• 68% of CISOs say vulnerability management is more difficult because the complexity of their software supply chain and cloud ecosystem has increased.
• Only 50% of CISOs are fully confident that the software delivered by development teams has been completely tested for vulnerabilities before going live in production environments.
• 77% of CISOs say it’s a challenge to prioritize vulnerabilities because they lack information about the risk these vulnerabilities pose to their environment.
• 58% of the vulnerability alerts that security scanners alone flag as “critical” are not important in production, wasting valuable development time chasing down false positives.
• On average, each member of development and application security teams spends 28% of their time – or 11 hours each week – on vulnerability management tasks that could be automated.

“Organizations are struggling to balance the need for faster innovation with the governance and security controls they established to keep their services and data safe,” said Bernd Greifeneder, CTO at Dynatrace.

“The growing complexity of software supply chains and the cloud-native technology stacks that provide the foundation for digital innovation make it increasingly difficult to quickly identify, assess, and prioritize response efforts when new vulnerabilities emerge. These tasks have grown beyond human ability to manage. Development, security, and IT teams are finding that the vulnerability management controls they have in place are no longer adequate in today’s dynamic digital world, which exposes their businesses to unacceptable risk,” Greifeneder continued.

The benefits of DevSecOps adoption

• 75% of CISOs say the prevalence of team silos and point solutions throughout the DevSecOps lifecycle makes it easier for vulnerabilities to slip into production.
• 81% of CISOs say they will see more vulnerability exploits if they can’t make DevSecOps work more effectively; however, just 12% of organizations have a mature DevSecOps culture.
• 86% of CISOs say AI and automation are critical to the success of DevSecOps and overcoming resource challenges.
• 76% of CISOs say the time it takes between the discovery of zero-day attacks and their ability to patch every instance is a significant challenge to minimizing risk.

“Despite a widespread understanding of the many benefits of DevSecOps, most organizations remain in the early stages of adopting these practices due to siloed data that lacks context and limits analytics,” continued Greifeneder.

“To overcome this, they should use solutions that converge observability and security data and are powered by trusted AI and intelligent automation. This is precisely what we architected the Dynatrace platform to do. As a result, our customers have reduced the time they spend identifying and prioritizing vulnerabilities by up to 95 percent, helping them deliver faster, more secure innovation that keeps them at the forefront of their industries,” Greifeneder concluded.