The vast majority of C-suite executives have reported becoming more concerned about software supply chain attacks in the two years since the SolarWinds Orion and Kaseya attacks.
A new survey of C-suite executives working in varying roles, conducted by CloudBees, showed 82% were either ‘somewhat more concerned’ (40%) or ‘much more concerned’ (42%) of attacks impacting their businesses than they were in 2019, before the two landmark cyber attacks.
Microsoft: ‘More than 1,000 engineers’ executed SolarWinds attack REvil demands $70 million ransom after Kaseya supply chain attack The C-suite could be the blind spot in your cyber security strategy
The results indicated that CEOs were the most perturbed by the prospect of a software supply chain attack out of all roles, more so than CISOs and CIOs.
Confidence in their own respective business’ software supply chain has dropped in the space of a year, too. Only 88% of executives believe their supply chain to be secure, a fall from 95% in 2021, and just 32% believe theirs to be ‘very secure’.
Despite the high degree of concern among most, a significant number of respondents reported not knowing who to engage if they became aware of a software supply chain attack.
Just half of UK executives knew who to engage in a time of crisis and the figure was largely similar across the C-suites from all countries other than Australia where 71% of executives said they would know how to respond.
The idea of having a physical and digital copy of an incident response playbook in every business has been encouraged by the cyber security industry for years.
Ransomware continues to be the main cyber threat for businesses so knowing how to act, what to do, and who to engage during an incident is considered to be hugely important.
The concern amongst executives for software supply chain attacks, like those that impacted SolarWinds and Kaseya, is reflected in the business priorities of those surveyed. More than three quarters said they prioritise security and compliance over the speed with which business can happen.
Regional differences in approaches are also apparent with businesses in the US, for example, placing more emphasis on security than the likes of the UK and Spain which both prioritise compliance.
CloudBees didn’t explain as to why the results differed in this way, but it could be due to the European countries being bound by the stricter GDPR than the US which does not have any equivalent legislation at the national level.
The focus on businesses staying resilient presents challenges with innovation, however. Most of those surveyed said compliance and security challenges, which often take time to overcome, were limiting the time available to the business to innovate.
Cyber resiliency and end-user performance
Reduce risk and deliver greater business success with cyber-resilience capabilities
Significant amounts of time are spent completing compliance audits and assessing risks and defects, CloudBees said, which has seen many organisations adopt a ‘shift left’ approach which involves moving the software testing and evaluation processes earlier into the development lifecycle.
Although this places an additional burden on developers, most executives (83%) agreed that the approach was important to their business.
“These survey findings underscore the urgent need to transform the software security and compliance landscape,” said Prakash Sethuraman, chief information security officer at CloudBees. “As DevOps matures, security and compliance have taken centre stage as a source of significant friction.
“While shift left is a popular talking point, it is not yielding the desired results. Instead, it is further burdening development teams and taking their attention away from value-added work. What’s needed is a new mindset and a fresh approach, one in which security and compliance are continuous and actually speed innovation.”
