Business Leaders Only Address Cybersecurity Under Duress
December 14, 2017

Chris Wysopal
CA Veracode

Around one in five business leaders indicating that their software budget had increased 50 percent or more over the past three years to support digital transformation projects. However, the increased software development investment has not translated to greater security budgets or awareness of the security risks insecure software introduces: only 50 percent of business leaders surveyed understand the risk that vulnerable software poses to their business, according to Securing the Digital Economy, a report from Veracode, acquired by CA Technologies.

The report indicates that 25 percent of all business leaders surveyed in Britain and US report that they do not understand any of these common cybersecurity threats:

■ Vulnerable software

■ Ransomware

■ Vulnerable open source components

■ Phishing attacks

■ Malicious employee activity

■ DDoS attacks

Business Leaders Not Aware of High-Profile Cyberattacks

The lack of understanding around cyber risk may be attributed in part to a lack of awareness of successful cyberattacks and their causes. Because business leaders are unaware of either the breaches themselves or the underlying causes, they are not compelled to learn about or defend against similar threats their company could face. For example:

■ Despite being highly publicized and causing several high-level executives to lose their jobs and the ex-CEO being forced to testify to Congress, only five percent of all business leaders surveyed indicated the Equifax breach prompted them to rethink their current business’s approach to cybersecurity security;

■ Only one-third of business leaders surveyed had heard of the global WannaCry ransomware attack, although awareness was greater among British business leaders at 40 percent. Just one in 10 reported it led them to rethink their approach to cybersecurity;

■ Fifteen percent of business leaders surveyed in Britain and 19 percent of German business leaders had not heard of any of the high-profile cyberattacks listed in the survey (full list can be found in this chart); while just under half of all US, GB and German respondents reported cyberattacks have not led their current business to rethink or update their cybersecurity approach.

We are seeing some shift in awareness, of the 33 percent who indicated that a cyberattack on another company had led their business to rethink its approach to cybersecurity, many have either taken steps to improve their software security or plan to over the next 12 months.

More than one-third (34 percent) have or will over the next 12 months start scanning or already more regularly scan for vulnerabilities in software; while one-fifth either have or will set security thresholds for software built by third-party providers and for all commercial out-of-the-box applications (22 percent and 20 percent, respectively).

While there may be some shift in awareness, not all business leaders have woken up to the risks of the evolving cyber threat landscape. One-third of business leaders surveyed revealed that they plan to take no new steps to improve their organizations’ overall cybersecurity in the next 12 months.

Digital transformation presents both massive opportunity to innovate and significant security risks, with 77 percent of applications having at least one vulnerability when first scanned, which could be exploited to inject ransomware or steal data.

Many business leaders have yet to fully grasp the most common cyber threats to their business, nor are they keeping up with some of the most catastrophic cyber events of our time. We need to bridge this disconnect between business leaders and the cybersecurity threat: without greater awareness of the threats and what is needed to defend against them, their company could easily be the next headline.”

Executives Will Act When You Talk About the Personal Risk

While high profile breaches do not in themselves prompt great change in behavior, when confronted with the possibility of personal accountability in the event of a breach, executives are more likely to take action. More than a third of the business leaders surveyed said the personal risk to executives outstripped compliance as a driver for board members.

Articulating the potential brand damage for senior executives from a data breach and the risk to their job security was recommended by 38 percent and 35 percent of business leaders surveyed, respectively, as a way to engage a board on cybersecurity, compared to just 29 percent who suggested that highlighting the potential fines of data protection regulations, like GDPR.


Methodology: CA Veracode commissioned YouGov to survey 1,403 business leaders across Britain (653), the US (506) and Germany (244) about their company’s digital transformation initiatives and understanding of cybersecurity. The polling was conducted online over a nine-day period between September 25 and October 4, 2017.

Chris Wysopal is Co-Founder and CTO of CA Veracode
Share this

Industry News

December 05, 2019

Parasoft announced the newest release of Parasoft C/C++test, the unified C and C++ development testing solution for enterprise and embedded applications.

December 05, 2019

Datadog announced Security Monitoring, a new product that enables real-time threat detection across the entire stack and deeper collaboration between security, developers, and operations teams.

December 05, 2019

Pulumi announced the availability of Pulumi Crosswalk for Kubernetes, an open source collection of frameworks, tools and user guides that help developers and operators work better together delivering production workloads using Kubernetes.

December 04, 2019

CloudBees announced a Preview Program for CloudBees CI/CD powered by Jenkins X, a Software as a Service (SaaS) continuous integration and continuous delivery solution running on Google Cloud Platform.

December 04, 2019

Rancher Labs announced the general availability of K3s, their lightweight, certified Kubernetes distribution purpose built for small footprint workloads, along with the beta release of Rio, their new application deployment engine for Kubernetes that delivers a fully integrated deployment experience from operations to pipeline.

December 04, 2019

WhiteSource announced a new integration with Codefresh, the Kubernetes-native CI/CD solution.

December 03, 2019

Styra is addressing one of the most significant enterprise blockers of Kubernetes: compliance. With Styra, enterprises can move Kubernetes clusters into production en masse while complying with traditional governance, audit, and compliance rules and regulations.

December 03, 2019

Nureva added 13 agile-themed templates to Span Workspace, Nureva’s expansive cloud-based digital canvas for visual planning and team collaboration.

December 03, 2019

Threat Stack announced support for AWS Fargate in the Threat Stack Cloud Security Platform.

December 02, 2019

Tricentis announced the publication of Enterprise Continuous Testing: Transforming Testing for Agile and DevOps, written by Tricentis Founder Wolfgang Platz and Cynthia Dunlop.

December 02, 2019

JFrog announced the availability of the popular JFrog Platform subscription package Cloud Pro X on AWS Marketplace.

December 02, 2019

MuleSoft will extend its Anypoint Runtime Fabric to run on Google Cloud.

November 26, 2019

NeuVector announced the immediate availability of its “Security Policy as Code” capability for Kubernetes services.

November 26, 2019

Agile Stacks announced the launch of KubeFlex, a new cloud-native software platform enabling zero-touch Kubernetes deployments in data centers and at the edge.

November 26, 2019

Bacula Systems announced significant enhancements to its backup module for Kubernetes clusters.