IT Experts Survey: Which Teams Should Own Cyber Security?

July 15, 2021 | Alexa Hernandez

It’s no secret that software supply chain attacks have recently increased at a worrying pace, and the SolarWinds SUNBURST attack is the latest occurrence in this rising trend. A Mongolian Certificate Authority experienced a supply chain attack, and a recent report revealed that North Korean cyber crime profits are up to $1 billion annually. With the ever-changing security industry and the expanding threat landscape, it is more important than ever for organizations in all industries to invest in high quality cyber security teams and strategies.

This begs the question: within an organization, what team is actually responsible for securing software build and delivery environments? The consequences of not being on the same page could be dire, so Venafi conducted a global survey evaluating the impact of the SUNBURST, CodeCov and REvil attacks on how development organizations are changing their approach to cyber security. After examining the responses of over 1,000 information security professionals, developers, and executives in IT and software development, the results were very enlightening!

According to the survey, respondents nearly unanimously agree (97%) that the techniques and procedures used to attack SolarWinds’ software development environment will be reused in new attacks this year. Despite this certainty, there is no alignment between security and development teams on which team should be responsible for improving security in the software build and distribution environments. For example, when asked who is primarily responsible for improving the security of their organization’s software development environments, 48 percent of respondents say their security teams are responsible and 48 percent say their development teams are responsible.

“While the SUNBURST attack on SolarWinds was not the first of its kind, it was certainly one of the most serious so far,” said Kevin Bocek, Vice President of Security Strategy and Threat Intelligence at Venafi. “SUNBURST made it absolutely clear that every organization must take urgent, substantive actions to change the way we secure software build pipelines. The only way to reduce these risks is to dramatically improve the security of the development pipeline and the software it delivers. However, if we can’t even agree on who is responsible for taking these actions, it’s pretty clear that we aren’t even close to making meaningful changes. Anyone hoping this problem has been addressed is kidding themselves.”

Additional survey findings include:
  • 80 percent of respondents say they are not completely confident in their organization’s ability to defend against attacks targeting software build environments.
  • 69 percent of developer respondents believe developers are responsible for the security of their organization’s software build process. However, 67 percent of security respondents believe it is the security team’s responsibility.
  • When asked who should be responsible for the security of their organization’s software build process, 58 percent of security respondents say it should be their responsibility and 53 percent of developer respondents say it should be theirs. Just 8% of all respondents suggested that responsibility should be shared.

If those results don’t concern you, they should! Most organizations are dangerously unclear as to which teams have the incentive and directives they need to do their vital work. Bocek continues, “The only way to minimize the risk of future attacks is to enable developers to move fast, from idea to production, without compromising security. Speed of innovation and security are inseparable in software development. In the same way a Formula 1 engineer builds for performance and safety at the same time, software developers also need to be accountable for both. To accomplish this, developers clearly need help and support from security teams. Boards, CEOs, and managing directors need to take action to ensure clear lines of ownership so changes are in place and they can hold teams accountable.”

So in the end, who should be responsible for cyber security?

Ultimately, the only wrong answer to this question is not having an answer at all! There’s nothing wrong with different organizations preferring different approaches to securing software build pipelines. The only thing that really matters is whether every single member of your team is crystal clear on which processes they own, and that every aspect of your security strategy is owned by someone. Leaving information that critical up to interpretation will unquestionably leave you vulnerable to attack.

About the author

Alexa Hernandez

Alexa is the Web Marketing Specialist at Venafi.
