Our GovWare 2018 survey reveals current cyber security practices: Awareness is up, but resources are a challenge, and open source management is lacking.
In September 2018, Synopsys Software Integrity Group, Asia Pacific, participated in the 27th edition of GovernmentWare (GovWare). The GovWare conference anchors Singapore International Cyber Week (SICW), which promotes the development and innovation of the cyber ecosystem through international and regional collaboration and cooperation. SICW draws thousands of cyber security practitioners from around the world, and this year was no exception: SICW 2018 included 60 speakers, 250 sponsors and exhibitors, and over 8,000 cyber security experts, leaders, and practitioners from over 50 countries.
With so many practitioners representing a wide range of organizations located across a vast geography, GovWare is an ideal venue to evaluate the current state of cyber security practices and concerns. So we surveyed 251 attendees—25 C-level executives, 14 other executives, 136 practitioners in middle management, and 76 others (including those in media, education, and so on)—about cyber security in their organizations. Here are some highlights (see the full GovWare 2018 survey results below):
Most respondents (57%) either said their organizations had no process for inventorying or managing open source use (30%) or denied that their organizations used open source at all (27%). These responses are particularly troubling, considering the widespread use of open source across all sectors. An organization that does not know which open source components (and which versions) are in its software, or mistakenly believes it uses none, cannot match its code against newly disclosed vulnerabilities, cannot tell which applications are affected when a disclosure lands, and therefore cannot patch in a timely way.
Also, just because you can consume open source code freely doesn’t mean you can distribute it freely. Many popular open source licenses are copyleft licenses, such as the GPL: if you distribute software containing the licensed code, the distributed work must carry the same license terms, which includes making its source code available to the recipients. Organizations that do not regularly scan their software to learn what it actually contains expose themselves to two kinds of risk at once: breaches through unpatched components, and loss of intellectual property through unintended license obligations.
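To make the two points above concrete, here is a small Python example written for this article (it is not a Synopsys tool or any product's code) showing the minimum an open source inventory has to support: pin each component to an exact version, match the pinned versions against an advisory feed, and flag the licenses that carry distribution obligations. The manifest, the advisory entries (placeholder IDs and version ranges in the introduced/fixed style that feeds such as OSV use), and the license table are all constructed sample data, not real packages or real vulnerabilities.

```python
"""Minimal open source inventory audit: vulnerable versions and copyleft licenses.

Example code for this article, not a Synopsys product. All package names,
advisory IDs, version ranges and licenses below are constructed sample data.
"""
import re

# Constructed sample manifest in requirements.txt style (not a real project).
MANIFEST = """\
# web stack
fastjsonlib==2.3.1
imageparse==1.0.4
cryptohelper>=1.2,<2.0
loghandler==0.9.0
"""

# Constructed advisory feed: placeholder IDs, not real CVEs. A version is
# affected if introduced <= version < fixed (the convention OSV-style feeds use).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "fastjsonlib", "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-EXAMPLE-002", "package": "imageparse", "introduced": "0.0.0", "fixed": "1.1.0"},
    {"id": "ADV-EXAMPLE-003", "package": "loghandler", "introduced": "1.0.0", "fixed": "1.0.2"},
]

# Constructed license metadata (in practice read from package metadata / SPDX data).
LICENSES = {
    "fastjsonlib": "MIT",
    "imageparse": "GPL-3.0-only",
    "cryptohelper": "Apache-2.0",
    "loghandler": "LGPL-2.1-only",
}

# Strong copyleft: distributing a combined work obliges you to release it under
# the same license. Weak copyleft: obligations attach to the component itself.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0"}

PIN = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)$")
NAME = re.compile(r"^([A-Za-z0-9_.\-]+)")


def parse_version(v):
    """'2.3.1' -> (2, 3, 1) so that tuple comparison orders versions correctly."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text):
    """Return {package: exact version or None}. Ranges (>=, <) are recorded as
    None: an unpinned requirement cannot be matched against an advisory."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        pinned = PIN.match(line)
        if pinned:
            inventory[pinned.group(1).lower()] = pinned.group(2)
        else:
            inventory[NAME.match(line).group(1).lower()] = None
    return inventory


def find_vulnerable(inventory, advisories):
    """Return sorted (package, version, advisory id) for every pinned component
    whose version lies in an advisory's affected range."""
    hits = []
    for adv in advisories:
        version = inventory.get(adv["package"])
        if version is None:
            continue  # not present, or unpinned and therefore unassessable
        v = parse_version(version)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            hits.append((adv["package"], version, adv["id"]))
    return sorted(hits)


def find_copyleft(inventory, licenses):
    """Split inventory into strong and weak copyleft components by license."""
    strong = {p: licenses[p] for p in inventory if licenses.get(p) in STRONG_COPYLEFT}
    weak = {p: licenses[p] for p in inventory if licenses.get(p) in WEAK_COPYLEFT}
    return strong, weak


def audit(manifest_text, advisories=ADVISORIES, licenses=LICENSES):
    """Full report: vulnerable pins, unpinned components, and license flags."""
    inventory = parse_manifest(manifest_text)
    strong, weak = find_copyleft(inventory, licenses)
    return {
        "vulnerable": find_vulnerable(inventory, advisories),
        "unpinned": sorted(p for p, v in inventory.items() if v is None),
        "strong_copyleft": strong,
        "weak_copyleft": weak,
    }


if __name__ == "__main__":
    for key, value in audit(MANIFEST).items():
        print(f"{key}: {value}")
```

Two details matter in practice. First, the unpinned `cryptohelper` range is reported separately rather than silently skipped: a manifest that records only ranges is not an inventory, because the version actually deployed is unknown. Second, the license check is a trigger for review, not a verdict; whether a strong copyleft obligation actually applies depends on how the component is linked and whether the software is distributed at all.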
The good news is that nearly three-quarters of respondents (71%) said their organizations have an incident response plan in place to deal with a cyber attack. Even more (83%) said their organizations offer cyber security training for all employees (mostly mandatory formal training, at 53%). And a full 90% of respondents said their organizations have an application security process. The increase in these numbers year over year is a promising trend. But it’s a little surprising that even in 2018, a full 13% of respondents said their organizations do not have an incident response plan (and 16% weren’t sure). Also notable is that 10% of respondents said their organizations do not have a formal AppSec process (performed by either a dedicated internal team or a third-party vendor).
The similar size of the “no incident response plan” group (13%) and the “no formal AppSec process” group (10%) might not be a coincidence. It’s plausible that an organization without the resources for a formal AppSec process would also struggle with incident response, and vice versa. But is lack of resources the real explanation? What exactly is keeping these organizations from closing such critical gaps in their security programs? Respondents answered this question loud and clear: 56% said that a lack of skilled security personnel or training was a challenge their organizations faced in implementing an application security program. Far fewer respondents cited budget (18%) or lack of management buy-in (17%).
While some of the results aren’t surprising, some are thought-provoking, and others are flashing warning signs. They’re worth digging into to see emerging trends. See the full GovWare 2018 survey results below, with the number of qualified respondents given for each question and answer choice. Note that some questions allowed multiple responses, so their percentages might add up to more than 100.