
75% of Firms Deploy Vulnerable Code Amid Pressure on CISOs

By Team-CWD, June 9, 2026


Nearly all CISOs have felt pressured to suppress or delay compliance-related cybersecurity issues in code, especially when business deadlines need to be hit, a new report has warned.

According to the research, released on June 8 by Checkmarx, 95% of CISOs said they faced pressure from other parts of the business to deprioritize or delay reporting of security issues.

As a result of this pressure, 75% of those surveyed said that their organization had knowingly deployed vulnerable code into a production environment.

When asked why this code had been deployed, 30% responded that compensating controls were believed to sufficiently mitigate the risk and 27% said it was pushed out to meet a business, feature or security-related deadline. Meanwhile, a further 27% said that the vulnerability in the code was not detected until after deployment.

According to the survey, many respondents appear to treat risk as an inherent part of deploying code: 30% said they just hoped the vulnerability would not be discovered, while another 27% said the vulnerability was too difficult or time-consuming to fix.

All of this comes at a time when organizations are embracing AI-generated code, which boosts efficiency but may also contain mistakes or vulnerabilities. An approach solely reliant on AI could therefore leave organizations vulnerable to cyber threats.

“This report points to a massive disconnect between the security crisis that organizations are facing and the incremental steps that they are taking to address it. A completely new model is required,” said Sandeep Johri, CEO of Checkmarx.

“Just like the student cannot grade their own exam, AI alone cannot secure code – and, as the research shows, it adds risk. Organizations need security that combines deterministic precision with probabilistic reasoning to identify novel exploitable patterns, while closing the gap between finding a vulnerability and fixing it with better human-guided remediation,” he added.


The research also pointed to challenges around fixing and remediating vulnerabilities. Only 9% of organizations reported that they fix over 90% of vulnerabilities within 90 days, while almost a third remediate fewer than half of the vulnerabilities within the same timeframe.

This is leaving organizations vulnerable to cyber threats, especially in a post-Mythos era where new vulnerabilities are being uncovered faster than ever before.

“Every day a known vulnerability sits unpatched is a day the door is unlocked. The mean time to exploit has collapsed to minutes. Most organizations are still leaving their gates wide open for months,” warned the report.

Nonetheless, the paper concluded that organizations are optimistic that their security processes will rise to the challenge of meeting security needs in the AI era.

Efforts that organizations are implementing include strengthening governance, particularly around AI, and reducing fragmentation across tools, teams and processes.

The report was based on responses from 2350 CISOs, AppSec managers and developers from organizations in 14 countries.


