C-suite executives say software supply chain hacks have become a 'chief concern'

Mockup image depicting a CIO leading a team of business leaders
(Image credit: Shutterstock)

The vast majority of C-suite executives have reported becoming more concerned about software supply chain attacks in the two years since the SolarWinds Orion and Kaseya attacks.

A new survey of C-suite executives working in varying roles, conducted by CloudBees, showed 82% were either ‘somewhat more concerned’ (40%) or ‘much more concerned’ (42%) of attacks impacting their businesses than they were in 2019, before the two landmark cyber attacks.

The results indicated that CEOs were the most perturbed by the prospect of a software supply chain attack out of all roles, more so than CISOs and CIOs.

Confidence in their own respective business’ software supply chain has dropped in the space of a year, too. Only 88% of executives believe their supply chain to be secure, a fall from 95% in 2021, and just 32% believe theirs to be ‘very secure’.

Despite the high degree of concern among most, a significant number of respondents reported not knowing who to engage if they became aware of a software supply chain attack.

Just half of UK executives knew who to engage in a time of crisis and the figure was largely similar across the C-suites from all countries other than Australia where 71% of executives said they would know how to respond.

The idea of having a physical and digital copy of an incident response playbook in every business has been encouraged by the cyber security industry for years.

Ransomware continues to be the main cyber threat for businesses so knowing how to act, what to do, and who to engage during an incident is considered to be hugely important.

The concern amongst executives for software supply chain attacks, like those that impacted SolarWinds and Kaseya, is reflected in the business priorities of those surveyed. More than three quarters said they prioritise security and compliance over the speed with which business can happen.

Regional differences in approaches are also apparent with businesses in the US, for example, placing more emphasis on security than the likes of the UK and Spain which both prioritise compliance.

CloudBees didn’t explain as to why the results differed in this way, but it could be due to the European countries being bound by the stricter GDPR than the US which does not have any equivalent legislation at the national level.

The focus on businesses staying resilient presents challenges with innovation, however. Most of those surveyed said compliance and security challenges, which often take time to overcome, were limiting the time available to the business to innovate.

RELATED RESOURCE

Cyber resiliency and end-user performance

Reduce risk and deliver greater business success with cyber-resilience capabilities

FREE DOWNLOAD

Significant amounts of time are spent completing compliance audits and assessing risks and defects, CloudBees said, which has seen many organisations adopt a ‘shift left’ approach which involves moving the software testing and evaluation processes earlier into the development lifecycle.

Although this places an additional burden on developers, most executives (83%) agreed that the approach was important to their business.

“These survey findings underscore the urgent need to transform the software security and compliance landscape,” said Prakash Sethuraman, chief information security officer at CloudBees. “As DevOps matures, security and compliance have taken centre stage as a source of significant friction.

“While shift left is a popular talking point, it is not yielding the desired results. Instead, it is further burdening development teams and taking their attention away from value-added work. What’s needed is a new mindset and a fresh approach, one in which security and compliance are continuous and actually speed innovation.”

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.