Gauging Application Security for Cybersecurity Readiness
“Maintaining silence about these risks does not make them go away…” -Marc Goodman, Future Crimes
Most companies, big and small, with departments ranging from standard IT to highly specialized DevSecOps, have at least some formalized practices for preempting and reacting to application cybersecurity threats. The spectrum of this readiness, however, is vast. In fact, the spectrums are more like a matrix, with some large and highly technical organizations deprioritizing security, while some small organizations are investing significantly in it.
To illustrate this matrix of readiness across the board, let’s consider some stats:
- PwC reported in their Global State of Information Security Survey that as of 2018, 67% of respondents said they “have an Internet of Things (IoT) security strategy in place or are currently implementing one.” PwC’s report included responses from 9,500 executives in 122 countries across more than 75 industries.
- Yet despite this majority of respondents saying they have a security strategy in place (at least for IoT), according to CyberArk’s Global Advanced Threat Landscape Report 2018, a whopping 46% of IT execs in seven countries say they typically don’t change their cybersecurity strategies even after becoming victims of attacks. CyberArk’s survey wasn’t just on executives in general—it was for IT execs specifically.
- It goes on to report that 50% of these IT execs “admit their customers’ privacy or personally identifiable information could be at risk because their data is not secured beyond the legal minimums” (Wilczek, DarkReading). The disconnect between the general belief among execs from a variety of industries that their organization has a cybersecurity strategy in place, and the fact that even IT execs have major shortcomings in their strategies, is a cause for concern and further study.
Deja vu Security is a cybersecurity firm in Seattle, Washington that provides consulting services to many of the biggest players in technology. I’m a Founder there. My team focuses much of their attention on future trends in the industry; I believe that a strong contextual understanding of bleeding-edge cybersecurity issues is key to mitigating them. To that end, on behalf of Deja, I’m hosting a research survey intended to gauge the established systems (or lack thereof) related to application security in all types of organizations, with a focus on more detailed questions such as what kinds of products or services an organization produces; how many employees are in the organization and of those, how many are part of the application security team; and which secure app development controls are being used by the organization.
I’m particularly interested in these questions as they relate to AppSec, and I want to know: Which industries seem best prepared? How are small- to mid-size organizations prioritizing AppSec issues? These are the data I want to compile to build a greater understanding of the current state of AppSec and a more detailed understanding of what the disparate matrix of organizational readiness looks like.
Unlike many related reports, I’d like to survey not just executives, but any IT, InfoSec, or cybersecurity practitioners or decisionmakers – regardless of title, organization size, or industry. You could be a director of cybersecurity for a global bank, or an entry-level software engineer for a car rental company: The point is that you work in technology, and you can help us better understand this strange and concerning spectrum of cybersecurity readiness across a variety of industries.
If you identify as someone working in or on tech at any level in any type of organization, consider answering a few questions about your organization’s security practices. Estimated time to completion is less than five minutes, and you can opt to receive a copy of the study once published.
Take the research survey here.
Questions? Email secure@dejavusecurity.com.