Executives and Technical Staff Don’t Agree on Maturity of Application Security Programs

“Current State of Application Security” study released by Ponemon and Security Innovation

A new study released by Security Innovation and The Ponemon Institute shows that executives and practitioners don’t see eye-to-eye when it comes to the maturity of the organization’s application security program.

642 executives and technical employees have taken part in the study called “Current State of Application Security .”

The figures show that 71% of the executives believe that application security training is available and up-to-date. On the other hand, when asked about the availability of security training, only 20% of technical staff had a positive response.

The contradictions don’t end here. While 67% of execs say their organization has a mature application security program, only 33% of practitioners agree.

When it comes to secure architecture, 75% of executives believe it exists. Less than a quarter of technical staff had the same answer.

“Research has shown that the application layer is responsible for over 90% of all security vulnerabilities, yet more than 80% of IT security spending continues to be at the network and endpoint layer,” commented Dr. Larry Ponemon, founder of the Ponemon Institute.

“Hopefully, our findings stimulate awareness of the importance of application security as part of an organizations’ overall risk management strategy, and encourages dialogue between executives and practitioners to ensure a common understanding of how to build and deploy more secure software applications.”

Ed Adams, CEO of Security Innovation, said, “This collective data has shown that many organizations do not yet consider the need to proactively do something about application security. These organizations either don’t realize that applications pose the biggest threat to their business, or they’re taking a ‘do the least amount possible’ approach.”

Adams added, “Both mentalities are exactly the reason that hackers continue to target the application layer successfully; it is much weaker and easier to penetrate than network defenses. The technical staff seem to understand this; however, the executives, who hold the budget, clearly have a different perception.”

The complete report can be downloaded here (registration required).

Hot right now  ·  Latest news