75% of Firms Deploy Vulnerable Code Amid Pressure on CISOs, Report Finds
A new report finds that nearly all Chief Information Security Officers (CISOs) have faced pressure to suppress or delay the reporting of compliance-related security issues in code, especially when business deadlines loom. According to research released on June 8 by Checkmarx, 95% of CISOs reported being pressured by other parts of the business to deprioritize or delay reporting security issues. Consistent with that pressure, 75% of those surveyed admitted that their organization had knowingly deployed vulnerable code into a production environment.
Reasons for Deployment
- 30% believed compensating controls sufficiently mitigated the risk.
- 27% pushed the code out to meet a business, feature, or security-related deadline.
- Another 27% stated that the vulnerability was not detected until after deployment.
Other answers suggest that many respondents accept risk as an inherent part of deploying code: 30% hoped the vulnerability would go undiscovered, and 27% found it too difficult or time-consuming to fix.
The Role of AI in Code Security
This situation arises as organizations increasingly adopt AI-generated code, which speeds up delivery but can also introduce mistakes and vulnerabilities. Sandeep Johri, CEO of Checkmarx, emphasized, “This report points to a massive disconnect between the security crisis that organizations are facing and the incremental steps that they are taking to address it. A completely new model is required.” He cautioned that AI alone cannot secure code and that, as the research indicates, it adds risk of its own.
Challenges in Remediation
The report highlights significant challenges in remediating vulnerabilities. Only 9% of organizations reported fixing more than 90% of vulnerabilities within 90 days, while nearly a third remediate fewer than half of their vulnerabilities in the same timeframe, leaving known weaknesses exposed for months. The report warns, “Every day a known vulnerability sits unpatched is a day the door is unlocked. The mean time to exploit has collapsed to minutes. Most organizations are still leaving their gates wide open for months.”
Optimism for the Future
Despite these findings, the report concludes that organizations remain optimistic that their security processes will rise to the challenges of the AI era. Measures under way include strengthening governance, particularly around AI, and reducing fragmentation across tools, teams, and processes. The report is based on responses from 2,350 CISOs, AppSec managers, and developers at organizations in 14 countries.