Study finds big gap about app security between execs and IT staffers

When it comes to application security within organizations, there's a significant perception gap between executives and practitioners, according to a study released Tuesday by the Ponemon Institute and Security Innovation.

While a majority of executives (67%), directors (64%) and managers (58%) believe their company's application security program is mature, less than a third of technicians (27%) and staff (33%) buy into that perception, according to the study.

Executives see their organizations' application security program as far more mature than do those at the managerial level and below, the study found. "This may be due to poor communication and collaboration among the different roles involved in application security.

"Such misalignment of priorities makes it difficult for practitioners to obtain the resources necessary to invest in application security and make it an integral part of the overall risk management strategy," the study said.


The disconnect in perceptions means organizations may not always get the best bang for their security buck. "It may be why we're spending more dollars on areas of lower risk," Larry Ponemon, founder and chairman of the Ponemon Institute, said in an interview.

"For example," he continued, "network security is still the largest ticket item in the security arsenal and application security is relatively low, even though many practitioners view the application layer as presenting a higher risk than the network layer or other parts of the security infrastructure."

Ed Adams, president and CEO of Security Innovation, an application security company, said the software layer, by far, has the most security vulnerabilities -- more than the network layer, more than the operating system layer.

"Yet, you've got the majority of the IT security spend going into firewalls and intrusion detection systems and intrusion prevention systems," Adams said in an interview.

Perception discrepancies may help explain why security problems constantly nag applications used by companies, he added. "You've got the folks who are actually doing the work saying two out of three times, 'No, we do not have a mature applications security program,'" he said. "Yet, the executives and directors who own the budget, two out of three of them think they do have a mature application security program.

"This perception gap is, to me, telling of why we have so many problems with software applications continuing to be hacked," Adams said. "You've got management not really having a clue of what's going on with software development."

A similar perception chasm appears relative to training. Most executives (71%) and directors (66%) said they believed their organization's internal training and education programs were being updated to ensure that development teams can handle the latest threats, application security policies and best practices. Only one in five technicians (19%) and staff (20%) agreed with the brass on that subject.

"There may be a training program being rolled out," Adams said, "but it's clearly ineffective for the folks that are getting trained.

"Given the changing pace of technology, it's imperative that you keep your teams up to speed with respect to security issues," he continued. "The technical teams clearly feel like they're getting left behind and not trained, whereas executives and directors think everything is fine in that respect."

In their study, the researchers identified five stages in the development of application security in a typical organization. It starts with "no focus on security," moves to reacting to security problems as they arise, and ends up at standardized and defined policies, threat modeling and continuous process improvement based on risk metrics and analysis of discovered vulnerabilities.

"Companies that invest in people and process mature through those five levels faster and with fewer computer incidents than organizations that first invest in technology and tools," Adams said. "That's a data point that I'd like to shout off every roof top and get in front of every CEO and CFO, because they're the ones making those budget decisions."

Stories by John P. Mello Jr.