Most organizations still prioritize software capabilities over risk, but a shift is starting in light of software incidents involving SolarWinds and CrowdStrike.
SettleTop released the first edition of its annual Global State of Software Risk (GSSR) Report 2024. The research highlights that 95% of organizations do not have a dedicated senior software risk leader who reports on software risk at the senior management or board level.
For the 2024 GSSR Report, the SettleTop Research team, together with SNL Partners, a VC firm focused on disruptive technology solutions, conducted more than 150 interviews with senior executives and mid-level professionals across a range of markets, including aerospace, automotive, financial, healthcare, manufacturing and government (local, state, federal), in both the US and throughout Europe. The report centered on the importance of software risk within an organization and across its software supply chain, specifically how organizations prioritize supply chain risk and how ready they are to deal with software risk.
Every organization is a software operation, whether directly or indirectly. This ranges from organizations that develop their own software to those that simply rely on third-party software tools for their operations. Software has driven productivity and revenue for many years. Yet challenges arise when software is not properly assessed, monitored and maintained. Gaining visibility into the ever-changing risk profile of one’s software supply chain is an enormous burden on an organization, particularly as its technology stack grows increasingly complex with the introduction of new technologies such as artificial intelligence (AI) and machine learning (ML) tools. Even with data breaches and ransomware events on the rise, most organizations today still prioritize revenue and capabilities over risk.
“This year’s GSSR report illustrates an increased awareness and financial impact of software risk by organizations, in light of software events such as SolarWinds and CrowdStrike, yet how this is prioritized at an organization’s management or board level is still limited,” said Sunny Ahn, Co-Founder at SettleTop. “Software needs to be continuously monitored as it can have an enormous impact on an organization’s bottom line and reputation. Identifying, tracking and managing software risk will be necessary in strengthening the security of one’s software supply chain.”
Additional key findings from the 2024 GSSR report include:
• Culture change is required for software risk to become a corporate-level priority. For many organizations, software risk is still viewed as a cost center: it can be complex, expensive and extremely time-consuming to manage. 72% of participants agree that corporate culture must change for an organization to prioritize software risk. This requires top leadership commitment, not just in words but in specific action.
• Context matters in software risk management; there is no ‘silver bullet’ solution. An organization’s mission dictates how risk is defined and how it should be managed. 75% of participants agree that effective software risk management requires a combination of the organization’s context, technology, human expertise and policy.
• Managing software risk is a journey for an organization. It often starts at the program level, then extends to a business unit, and eventually across the organization. Most organizations have incorporated some form of software risk analysis, particularly at the program or project level. Many large commercial organizations have already established Open-Source Program Offices.
• AI is the next great opportunity and threat to organizations. 65% of participants believe that AI is the next biggest risk area for organizations moving forward, yet many do not have internal policies or procedures for dealing with AI.