CISO study raises questions over multi-layered security approach
75% of CISOs, despite having a multi-layered security stance, say that persistent coverage gaps allow vulnerabilities into production.
This was among the key findings in US intelligence company Dynatrace’s recent survey of 1,300 chief information security officers (CISOs) in large-size organisations.
The results suggest that the speed and complexity created by using multicloud environments, multiple coding languages, and open source software libraries are making vulnerability management “more difficult”, according to 69% of CISOs.
This has been driven by the increasing need to accelerate digital transformation, with most CISOs (79%) finding automatic, continuous runtime vulnerability management “key” to filling the gap in the capabilities of existing security solutions.
However, according to Dynatrace, only 4% of organisations said they have real-time visibility into runtime vulnerabilities in containerised production environments, and only 25% of security teams can access an accurate and updated report of every application and code library running in production in real time.
“These findings underscore that there are always opportunities for vulnerabilities to slip past security teams, regardless of how robust their defenses might be. Both new applications and stable legacy software are prone to vulnerabilities that are more reliably detected in production,” said Bernd Greifeneder, chief technology officer at Dynatrace.
Greifeneder added that most organisations still “lack” real-time visibility into runtime vulnerabilities. He said the problem stems from the “growing use” of cloud-native delivery practices, which enable greater business agility, but also introduce “new complexity” for vulnerability management, attack detection, and blocking.
“The rapid pace of digital transformation means that already overstretched teams are bombarded by thousands of security alerts that make it impossible to see through the noise and focus on what matters. Teams find it impossible to respond manually to every alert, and organisations are exposed to unnecessary risk by allowing vulnerabilities to escape into production,” he explained.
On application security vulnerability alerts, the US intelligence company reported that organisations receive 2,027 such alerts each month on average.
Less than a third (32%) of the alerts organisations receive each day require action, compared with 42% last year, and application security teams “waste” on average 28% of their time on vulnerability management tasks that could be automated.
“Organisations realise that to manage vulnerabilities in the cloud-native era effectively, security must become a shared responsibility. The convergence of observability and security is critical to providing development, operations, and security teams with the context needed to understand how their applications are connected, where the vulnerabilities lie, and which need to be prioritised,” continued Greifeneder.
He said that to be “truly effective”, organisations should look for solutions that have AI and automation capabilities at their core, enabling AISecDevOps. Teams will then be able to identify “vulnerabilities at runtime, block attacks in real time, and remediate software flaws before they can be exploited”.
“Instead, they confidently deliver better, more secure software faster,” concluded the Dynatrace exec.