Time is money – and a cyber risk problem


The AI boom continues to shake up the world as we know it and fuel the rapid development of new technologies. Whilst this wave of innovation is exciting, it also comes with an unprecedented level of cyber risk exposure.
As with anything cutting-edge, regulation and compliance are playing catch-up when it comes to stopping malicious hackers. But there is another growing problem on the horizon. The scale and complexity of hacking has outpaced human capacity to respond, leading to an increase in flaw remediation time and, in turn, greater exposure to exploitation and cyber threat.
Finding the flaws is the easy part, but companies are drowning in security debt as they struggle to compete with a growing attack surface and increasingly sophisticated cyber intrusions. This not only creates capacity issues for teams fixing the flaws but also exposes businesses to critical cyber threat.
EMEA Chief Technology Officer at Veracode.
Why time is of the essence when it comes to cyber security
The process of fixing flaws often begins in earnest but tapers off over time, with other priorities taking precedence. Unfortunately, the longer a flaw survives, the less likely it is to be resolved. Research has found the time it takes to fix flaws has skyrocketed, up 47% in five years and 327% in 15, now averaging 252 days. At this rate, businesses could be waiting more than 400 days to fix vulnerabilities by 2030, plunging them into a cycle of whack-a-mole with growing security debt.
But why is this happening?
Along with the evolution of sophisticated AI tools, cyber flaws have become increasingly complex and difficult to fix. As applications become bigger and incorporate more third-party components, the scope for potential flaws increases, making it more time-consuming to remediate issues. Even if an in-house team is writing flawless code, the rest of the supply chain isn’t – 70% of applications have flaws in third-party code due to the use of open-source libraries.
Another developing problem is that many teams are under immense pressure to rapidly roll out new features, thus deprioritizing security fixes unless they are absolutely critical. Severity is no longer a major driver of flaw remediation, and more companies are sleepwalking into the red of security debt.
Left unresolved, security debt leaves organizations more exposed to security breaches as fix times stretch and the software ecosystem grows in complexity. That exposure is set to increase as more teams adopt AI for code generation, and with almost three quarters of organizations having accrued some level of security debt, the issue is only going to worsen without action.
The knock-on effect of the digital skills gap
While it’s all too easy to point fingers at various teams for not prioritizing cyber risk fixes, the cause of delay isn’t only down to the complexity of the flaws. The developer shortage has been bubbling away for some time, and it is no surprise it is having a knock-on effect on security debt.
The combination of the increase in pressure to tackle cyber risks and the global skills shortage means developers are at breaking point. Finding developers or security specialists with both domain knowledge and security expertise is challenging. Until we find a way to close the digital skills gap, this limited capacity will delay fix timelines further.
Fixing flaws faster
But it’s not all doom and gloom. There are ways organizations can tackle the problem of security debt and get their cyber resilience back on track. By having visibility and proper integration across the whole Software Development Life Cycle (SDLC), companies are now able to prevent net new flaws through automation and feedback loops. This can be achieved at scale with AI, using existing AI capabilities to boost fix capacity and speed.
The upcoming cyber policy measures set to be introduced later this year will, in turn, be critical for the automation of flaw remediation. Legislation like the UK’s Cyber Security and Resilience Bill will be a long-term solution to help direct the entire supply chain on what needs to be fixed, whilst holding bad actors accountable.
Perhaps one of the most immediate solutions is for organizations to overhaul the ways in which they approach the black hole of security debt. With third-party flaws being one of the biggest contributors to security debt, it’s time companies properly evaluated the third parties with which they engage.
Avoiding those riddled with flaws by using software composition analysis (SCA) can slash major issues across applications. True prioritization is also essential – if everything is a priority, then nothing is. Working on the flaws that are most severe as quickly as possible is a quick win for time-poor developers.
Modern software security is all about remediating real risk with context and having visibility across the board, climbing out of the weeds of security debt specifics and using available technologies to act fast. With the software ecosystem ever-growing in complexity, it’s never been more important for organizations to tap into AI solutions and re-examine how they take on these cyber-attacks.
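The prioritization the two paragraphs above argue for (work the most severe flaws first, but judge severity with context rather than by raw score alone) can be made concrete in a few lines. The following is an added example, not code from the article or from Veracode: it triages a constructed list of SCA-style findings by a contextual risk score. The findings, component names, advisory identifiers, the `TODAY` date and the scoring weights are all assumptions made up for the example.

```python
"""Triage constructed SCA findings by contextual risk, not raw CVSS alone.

Added example (not from the article or Veracode). The scoring rule below is an
assumption for illustration: CVSS base score, scaled up when the flaw is
exploited in the wild, reachable from application code, or exposed to the
internet, plus a capped term for how long the finding has been left open.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    component: str          # third-party package name (constructed)
    version: str
    advisory: str           # placeholder advisory id, not a real CVE
    cvss: float             # CVSS v3 base score, 0.0 to 10.0
    first_seen: date        # when the scanner first reported it
    reachable: bool         # application code actually calls the vulnerable API
    known_exploited: bool   # listed in an exploited-in-the-wild catalogue
    internet_facing: bool   # the owning service accepts external traffic


# Constructed sample data: four findings as an SCA tool might report them.
TODAY = date(2025, 6, 15)
SAMPLE_FINDINGS = [
    Finding("libparse", "2.3.1", "ADV-0001", 9.8, date(2025, 1, 10), False, False, False),
    Finding("webfw", "1.4.0", "ADV-0002", 7.5, date(2024, 6, 1), True, True, True),
    Finding("imagelib", "0.9", "ADV-0003", 5.3, date(2025, 5, 20), True, False, True),
    Finding("crypto-old", "3.0", "ADV-0004", 8.1, date(2023, 3, 1), False, False, True),
]


def age_days(f: Finding, today: date) -> int:
    """Days the finding has been open; the article's point is that old ones get forgotten."""
    return (today - f.first_seen).days


def risk_score(f: Finding, today: date) -> float:
    """Contextual risk score (assumed weights, rounded to two decimals)."""
    score = f.cvss
    if f.known_exploited:
        score *= 1.5   # active exploitation outweighs a theoretical high score
    if f.reachable:
        score *= 1.3   # unreachable vulnerable code is lower real risk
    if f.internet_facing:
        score *= 1.2
    # One point per 90 days left open, capped at +3, so stale findings resurface.
    score += min(age_days(f, today) / 90, 3.0)
    return round(score, 2)


def triage(findings, today: date):
    """Return findings ordered from highest to lowest contextual risk."""
    return sorted(findings, key=lambda f: risk_score(f, today), reverse=True)


def fix_first(findings, today: date, budget: int):
    """Advisory ids a time-poor team should take into its next fix window."""
    return [f.advisory for f in triage(findings, today)[:budget]]


if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, TODAY):
        print(f"{f.advisory} {f.component}=={f.version} cvss={f.cvss} "
              f"age={age_days(f, TODAY)}d risk={risk_score(f, TODAY)}")
```

Note what the ordering shows: `ADV-0002` has a lower CVSS score than `ADV-0001`, yet it ranks first because it is exploited in the wild, reachable and internet-facing, which is the "real risk with context" the article describes; a queue sorted on CVSS alone would put the unreachable 9.8 at the top.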
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro