CloudBees has published the results of its annual CloudBees 2022 Global C-suite Security report, which reveals that security and compliance challenges are major obstacles to most companies’ innovation strategies. Nearly all of the top executives surveyed agree that a shift-left security strategy burdens software development teams.
Three-quarters of senior executives globally say that compliance (76%) and security (75%) issues limit their company’s ability to innovate. This is due, in part, to the excessive time involved in compliance audits, risks and defects. In fact, the senior executives of companies state that their teams spend an average of almost two months (49 days a year) in compliance audits.
The shift-left burden on developers
The executives surveyed overwhelmingly favour a “shift left” approach. This strategy moves software testing and evaluation, including security and regulatory compliance checks, into the early phases of the software development life cycle, placing that burden on developers.
In fact, 83% of executives say this approach is important to their company, and 77% say they are implementing a “shift left” approach to security and compliance. This is despite 58% of managers reporting that shifting security left burdens their developers.
Concern about attacks on the software supply chain
More generally, almost all managers surveyed (97%) say they are concerned about attacks on the software supply chain, and two-thirds (67%) say they are very concerned. In fact, 3 out of 5 managers say they would rather face a natural disaster than a security problem in their software supply chain.
According to the report, there is also a decrease in executives’ confidence in supply chain security and compliance, as well as greater attention to this point. In 2022, 88% of managers said that their software supply chain is secure or very secure, compared to 95% in 2021. In addition, 33% say that their software supply chain is fully compliant with regulations, which is 19% less than the previous year.
Of the managers who consider their software supply chain secure to some degree (90% of those interviewed), only 1 in 5 (20%) say that it is very secure. On regulatory compliance, only 16% of Spanish executives consider their supply chain fully compliant with regulations, compared to 33% globally. However, more than half of those surveyed (52%) say it is almost completely compliant.
Along these lines, 86% of senior managers say they are more focused on regulatory compliance than two years ago, and 82% express greater concern about attacks. In the case of Spain, 81% of managers are now more concerned about attacks on their supply chain than they were two years ago, with almost half much more concerned and more than a third more concerned.
Other notable conclusions
There are differences between countries in managers’ confidence in security and compliance: The survey reveals that US executives are the ones who think most about security and regulatory compliance. Executives in the US and the United Kingdom also spend the most time applying compliance policies. German managers show the lowest level of trust among all respondents, with 23% stating that their software supply chain is insecure.
When there is a choice between speed and security, security wins: More than three-quarters of managers (76%) say that guaranteeing security and regulatory compliance matters more to them than speed (24%). Company managers are more committed to security and compliance, with 84% favouring security compared to 16% who value speed more.
Management teams trust their teams: Nine in 10 senior executives say their risk management team has the tools, knowledge, and experience to build and/or maintain a secure software supply chain.
Automation is useful, but only for some: Only 22% of managers say their software supply chain is fully automated, and 37% say they are close to achieving it. Similarly, 22% say that their compliance processes are fully automated, and 35% say they are close to achieving it.
The tools used are a mixed bag: Three in five (59%) managers say they have all, or nearly all, of the external tools they need to manage security and compliance, compared to 29% who say they use a mix of internal and external tools. Only 11% mainly use internal tools.