
The state of application security in 2024
The imperative of driving closer alignment among the CISO, CEO, and board
Dynatrace C-Suite Insights Report

©2024 Dynatrace

What's inside

CHAPTER ONE: Security leaders need to replace technical jargon with precise messages about business risk
CHAPTER TWO: Application security is an Achilles’ heel
CHAPTER THREE: SolarWinds and MOVEit incidents have given third-party risk management new urgency
CHAPTER FOUR: Automation across the DevSecOps lifecycle is central to risk management
CHAPTER FIVE: Traditional tools and practices have limited value in the cloud-native, AI-driven threat landscape
CONCLUSION: The unique value of Dynatrace
APPENDIX: Methodology and global data summary

The state of application security in 2024 | 2


Introduction

There is no doubt that cybersecurity has become a board-level issue. The impact of a data breach can range from regulatory fines to damaged consumer trust and brand reputation or even reduced market share. New regulations are also increasingly holding organizational leaders accountable for their ability to prepare and respond to security incidents. These factors have elevated cybersecurity to a C-suite and board-level concern.

However, executive engagement has often been limited to conversations around regulatory compliance and high-profile or user-centric security risks, such as phishing attacks, ransomware, or the use of mobile devices among an increasingly hybrid workforce. There is often less understanding of the material operational effects created by other, more technology-centric risks, such as gaps in the organization’s application security posture.

This report examines the challenges that chief information security officers (CISOs) face in increasing their organization’s understanding of these issues. It highlights how a unified observability and security strategy can help them engage the wider C suite to improve their organization’s risk posture.

VOICE OF THE CEO
“Our investors remain concerned about the financial risks associated with cyberattacks. [Being a company that holds customers’ data,] another primary concern is…that their information and back-end data are safe and secure.”
— CEO, U.S. software and technology company


CHAPTER ONE

Security leaders need to replace technical jargon with precise messages about business risk

In a digital-first world, organizations are constantly combatting adversaries seeking to exploit vulnerabilities that enable them to access sensitive data. As C-suite executives have become more aware of this risk, CISOs face a growing need to report cyberthreats to them, establishing a culture of shared responsibility for security management. However, a significant proportion of organizations still need to go further to bring the topic of security into the boardroom.

Organizations that regularly require CISOs to report to the CEO and board on their cybersecurity risk and compliance posture: 65% Yes, 35% No

VOICE OF THE CEO
“In the cyberattack world, it's not about pointing fingers at one person and blaming them. In our organization, we see it as a shared responsibility. Even with all the policies and tools in place, there's still a chance that an attack could happen. We understand there's no fool-proof protection against cyberthreats.”
— CEO, U.S. retail company


Despite their growing interest and engagement in their organization’s cybersecurity posture, C-suite executives have a limited understanding of the risk landscape and different priorities that drive security decisions. As a result, they don’t always see eye-to-eye with CISOs and the IT department. CISOs urgently need to drive greater alignment between security teams and the board by elevating the discussion around cybersecurity from bits and bytes to business risk.

77% of CISOs say boards and CEOs focus too heavily on the ability to react to security incidents and not enough on reducing and preventing risk proactively.

83% of CISOs say their board of directors and CEO need to understand their security posture better so they can assess business risk and compliance requirements.

75% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.

70% of C-suite executives say security teams often talk in technical terms without providing business context and believe the CISO is responsible for bridging the gap.

VOICE OF THE CFO
“Explaining the problems or threats our security team has analyzed to other stakeholders or C-suite executives who are not directly involved with security technology is always a concern.”
— CFO, U.K. education provider


CHAPTER TWO

Application security is an Achilles’ heel

Applications remain one of the most common initial access vectors for cyberattacks. In fact, nearly three-quarters of organizations have experienced a security incident related to one of their applications in the past two years. This has driven application security to the top of the risk management agenda for IT departments and business leaders alike.

CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*

1. Application security (i.e., vulnerability management)
2. Crisis management and response (i.e., data breach and media focus)
3. Internal risk management or oversight (i.e., use of mobile devices)
4. Human error or insider threats (i.e., phishing or corporate espionage)
5. Third-party risk management (i.e., cloud services or supply chain)
6. Disruption to operations (i.e., denial of service or system downtime)
7. Regulatory compliance (i.e., HIPAA and PCI DSS)

*Based on the percentage of respondents that ranked each category as priority 1, 2, or 3

VOICE OF THE CEO
“Every industry has stringent regulations about keeping data safe. Application security is essential for meeting these rules — GDPR and DSS. If we don’t do an excellent job securing our applications, it could mean significant fines, a damaged reputation, and even legal trouble.”
— CEO, U.S. retail company


72% of organizations have experienced an application security incident in the past two years.

The most common costs and effects of these application security incidents include the following:

47% Revenue was affected

43% Operations were disrupted (e.g., service downtime)

36% Regulatory fines were applied

34% A data breach occurred

31% An innovation project was delayed

28% The organization lost market share

25% Customers’ trust was affected

22% The organization came under media scrutiny



CISOs have yet to identify a consistent approach to providing the board with clear insight into their organization’s application security risk posture. This leaves executives blind to the potential effect of vulnerabilities and makes it difficult to make informed decisions to protect the organization from operational, financial, and reputational damage.

87% of CISOs say application security is a blind spot at the CEO and board level.

82% of CISOs say they urgently need to increase the visibility of their CEO and board into application security risk to enable more informed decisions to strengthen defenses.

Security teams report the following key metrics or insights to the board and CEO to inform them of application security risk:

47% A precise risk score is attributed to any new vulnerability as it emerges, based on the impact on our business

45% Severity score for critical vulnerabilities — e.g., the Common Vulnerability Scoring System (CVSS)

42% Forecasted cost or business impact of an exploited vulnerability

38% Number and type of vulnerabilities in any period

35% Time to remediate critical security vulnerabilities

32% Number of critical vulnerabilities currently live


CHAPTER THREE

SolarWinds and MOVEit have given third-party risk management new urgency

Organizations rely heavily on software from external providers, which exposes them to additional risk. Following the widespread impact and response to the SolarWinds and MOVEit security incidents, organizations are urgently reevaluating their approaches to third-party risk management to better manage the integrity of their software supply chain.

Every organization has altered its approach to third-party risk management in the wake of the SolarWinds and MOVEit incidents. The most common changes include the following:

58% Implementing third-party risk management (TPRM) practices, defining clear security requirements and contracts with vendors

51% Reviewing vendors’ software bill of materials (SBOM) to understand the components and dependencies within software to identify potential risks

47% Continually monitoring and auditing vendors’ compliance with security standards like SOC 2 or ISO 27001

43% Scrutinizing the way vendors build and test software and ensuring they maintain secure coding and patching practices

VOICE OF THE CEO
“We heavily rely on our information technology systems and those of our vendors across our business operations. However, they are susceptible to various risks and potential disruptions. To mitigate such risks and ensure the continued reliability of our information systems, we maintain rigorous security measures, conduct regular maintenance and updates, and implement redundancy and backup protocols.”
— CEO, U.S. retail and wholesale company


50% of CISOs have not yet brought third-party software bills of materials (SBOMs) into their organization’s risk management practices.

20% of CISOs say third-party SBOMs regularly provide insights that improve risk management.

It’s not enough to simply know whether a third-party vulnerability exists within an organization’s environment. Security teams also need to quickly and conclusively determine the extent of exposure and the risk it poses to the business, identify whether it has been exploited — and if so, to what effect — and then share that insight with executive leaders.

VOICE OF THE CFO
“The CISO connects the bridge between what is going on in the IT and cybersecurity departments and the business. They provide real-time insights into the factors of application security that might impact the industry. For example, in a board meeting, the CISO translates technical vulnerabilities into an analysis of the probable business risks they might cause.”
— CFO, U.K. education provider


CHAPTER FOUR

Automation across the DevSecOps lifecycle is central to risk management

As digital innovation accelerates, organizations are increasingly looking to automate processes across the DevOps and security (DevSecOps) lifecycle to minimize risk and maintain regulatory compliance. This practice will become even more critical as cybercriminals continue to use AI to create new exploits faster and leverage them at scale while development teams use those capabilities to speed up software delivery with less manual oversight.

71% of CISOs say DevSecOps automation is critical to ensuring reasonable measures have been taken to minimize application security risk.

83% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the Securities and Exchange Commission (SEC) cybersecurity mandate, the Network and Information Security Directive (NIS2), and the Digital Operational Resilience Act (DORA).

83% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by using AI.


Mature DevSecOps automation practices are essential to organizations’ ability to accelerate innovation. This capability helps teams to drive consistency in development and security processes while reducing the risk of human error allowing vulnerabilities to enter production in the first place. However, most organizations are in the early stages of DevSecOps automation, as teams continue to rely on siloed practices.

75% of CISOs say they urgently need to improve the maturity of DevSecOps automation.

54% of CISOs say their DevSecOps automation practices are absent or emerging.

11% of CISOs say their organization has mature DevSecOps automation practices.

70% of CISOs say the need for multiple application security tools drives operational inefficiency due to the effort needed to make sense of disparate sources of data.

VOICE OF THE CFO
“[We] continue to invest in our people to make sure that they’re skilled to respond to incidents. We’re also starting to look at more tools that automate the process and help us with managing incidents so we’re more efficient and effective in the processes of how we respond if something goes wrong.”
— CFO, Australian financial services company


CHAPTER FIVE

Traditional tools and practices have limited value in the cloud-native, AI-driven threat landscape

The growing complexity of cloud-native architectures is rendering traditional security tools and practices obsolete. Log-based security information and event management (SIEM) and extended detection and response (XDR) solutions may have served teams well in the past, but they are unable to keep up with the distributed and dynamic nature of cloud-native architectures and multicloud environments. As a result, security teams are unable to surface the data-driven insights that the CEO and board-level executives need to understand their organization’s risk posture.

76% of CISOs cite the limitations of security tools for real-time identification of risks in dynamic cloud-native architectures as a key challenge.

77% of CISOs say current tools such as XDR and SIEM are unable to manage cloud complexity, as they lack the intelligence needed to drive automation at scale.

75% of CISOs cite the prevalence of blind spots due to the limitations or restrictions upon agent-based security tooling as a key challenge.

VOICE OF THE CFO
“When security teams talk to different teams, they should relate to the goals they’re trying to achieve rather than talking about the technical terms of attacks or different types of threats or technology solutions we have. It’s about keeping it basic and using business language so people can relate.”
— CFO, Australian financial services company


The increased use of AI within organizations and by those seeking to breach their defenses creates a further concern. While AI tools can help developers accelerate innovation, they also equip cybercriminals with the means to quickly create and leverage new exploits. As a result, organizations need to modernize their security practices to enable them to keep up with a more dynamic and unpredictable threat landscape.

CISOs’ top concerns relating to the risk of increased AI use in their organizations include the following:

52% Risk of cybercriminals using AI to create new vulnerability exploits faster and execute them on a wider scale

47% Risk of AI resulting in inappropriate data use, leading to noncompliance

45% Risk of AI being used to accelerate software development, with less oversight leading to more security vulnerabilities

VOICE OF THE CEO
“The risk of AI is anticipated to proliferate as [these technologies] become inexpensive and more available. For example, you can fake ChatGPT into scripting a code or a message from anybody requesting assistance. There is also increasing confidentiality apprehensiveness as more clients raise the issue of efficiently distributing restricted data with AI.”
— CEO, Australian telecommunications company


The use of multiple tools and the reliance on siloed processes also drive inefficiencies. These factors make it
difficult for teams to maintain the end-to-end visibility needed to identify the risk of vulnerabilities and ensure that
exposures are prioritized and dealt with quickly. To protect their applications and data from modern, advanced cyber
threats, organizations need a unified approach to security supported by a platform that drives mature DevSecOps
automation and harnesses AI to deal with distributed data at any scale.

79% of CISOs say vulnerability management and threat detection, investigation, and response can no longer be siloed processes.

77% of CISOs say current tools such as XDR and SIEM lose effectiveness due to silos across threat detection, investigation, and response processes.

80% of CISOs say their investments in SIEM and XDR tools would be better shifted into solutions that enable intelligent threat detection and response for business-critical cloud applications based on real-time attack insights.


CONCLUSION

The unique value of Dynatrace

Optimized for cloud-native applications, containers, and Kubernetes, Dynatrace® Application Security, as part of the Dynatrace® platform, automatically and continuously detects vulnerabilities in applications at runtime. It also provides real-time detection and blocking to protect against injection attacks that exploit critical vulnerabilities. By unifying observability and security data, it removes blind spots, helps to ensure development teams aren’t wasting time chasing false positives, and provides the C suite with confidence in the security of their organizations’ applications.

Dynatrace Application Security enables CISOs and their teams to:

Drive a unified observability and security strategy that helps CISOs to engage wider C-suite executives, supporting their effort to improve their organization’s overall risk posture.

Identify and remediate exposure risk 95% faster with runtime vulnerability analysis. Know within minutes when a critical application vulnerability is introduced to production. Confidently implement countermeasures and remediate with automated analysis of runtime context and security intelligence.

Focus on what matters with Davis® AI-assisted prioritization. Teams receive the precise information they need to resolve the most critical vulnerabilities first. Davis AI uses security intelligence and runtime context to determine risk based on criteria such as internet exposure.

Continuously identify exposures with runtime application protection. Detect and block common attacks on application-layer vulnerabilities, such as injection attacks. Protect against critical zero-day attack types while the vulnerability is being remediated.

Get fast insights by analyzing observability and security data. Reduce the cost of investigating alerts from multiple tools to immediately understand the impact of a security incident, such as a critical application vulnerability. Quickly verify what happened, leverage observability context to analyze the risk or impact, and access actionable insights needed to respond effectively.


Methodology and global data summary
This report is based on a global survey of 1,300 CISOs in large enterprises with over 1,000 employees.
It was commissioned by Dynatrace and conducted by Coleman Parkes between March and April 2024.

The sample included 200 respondents in the U.S.; 150 in the Middle East; 100 each in the U.K., France,
Germany, Italy, Spain, Australia, and Japan; and 50 each in Sweden, Benelux, India, Brazil, and Mexico.

It also includes insights from 10 in-depth interviews that Coleman Parkes conducted with CEOs
and CFOs across the U.S., U.K., and Australia in March 2024.



U.S.
Sample base: 200 respondents

• 59% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 74% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Application security (i.e., vulnerability management)
  2 — Crisis management and response (i.e., data breach and media focus)
  3 — Human error / insider threats (i.e., phishing or corporate espionage)
• 66% of organizations have experienced an application security incident in the past two years.
• 86% of CISOs say application security is a blind spot at the CEO and board level.
• 84% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 83% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 77% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 13% of CISOs say their organization has mature DevSecOps automation practices.

Brazil
Sample base: 50 respondents

• 64% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 80% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Crisis management and response (i.e., data breach and media focus)
  2 — Application security (i.e., vulnerability management)
  3 — Internal risk management / oversight (i.e., use of mobile devices)
      Third-party risk management (i.e., cloud services or supply chain)
      Regulatory compliance (i.e., HIPAA and PCI DSS)
• 84% of organizations have experienced an application security incident in the past two years.
• 90% of CISOs say application security is a blind spot at the CEO and board level.
• 82% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 92% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 80% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 10% of CISOs say their organization has mature DevSecOps automation practices.


Mexico
Sample base: 50 respondents

• 50% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 66% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Application security (i.e., vulnerability management)
  2 — Crisis management and response (i.e., data breach and media focus)
  3 — Internal risk management / oversight (i.e., use of mobile devices)
• 50% of organizations have experienced an application security incident in the past two years.
• 90% of CISOs say application security is a blind spot at the CEO and board level.
• 78% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 92% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 64% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 16% of CISOs say their organization has mature DevSecOps automation practices.

U.K.
Sample base: 100 respondents

• 69% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 75% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Internal risk management / oversight (i.e., use of mobile devices)
  2 — Crisis management and response (i.e., data breach and media focus)
  3 — Human error / insider threats (i.e., phishing or corporate espionage)
• 65% of organizations have experienced an application security incident in the past two years.
• 90% of CISOs say application security is a blind spot at the CEO and board level.
• 84% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 79% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 82% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 8% of CISOs say their organization has mature DevSecOps automation practices.


France
Sample base: 100 respondents

• 68% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 72% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Application security (i.e., vulnerability management)
  2 — Crisis management and response (i.e., data breach and media focus)
  3 — Internal risk management / oversight (i.e., use of mobile devices)
• 74% of organizations have experienced an application security incident in the past two years.
• 81% of CISOs say application security is a blind spot at the CEO and board level.
• 89% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 77% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 73% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 11% of CISOs say their organization has mature DevSecOps automation practices.

Germany
Sample base: 100 respondents

• 71% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 76% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Internal risk management / oversight (i.e., use of mobile devices)
  2 — Application security (i.e., vulnerability management)
  3 — Disruption to operations (i.e., denial of service or systems downtime)
• 79% of organizations have experienced an application security incident in the past two years.
• 90% of CISOs say application security is a blind spot at the CEO and board level.
• 84% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 93% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 83% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 9% of CISOs say their organization has mature DevSecOps automation practices.


Italy
Sample base: 100 respondents

• 64% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 71% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Application security (i.e., vulnerability management)
  2 — Crisis management and response (i.e., data breach and media focus)
  3 — Internal risk management / oversight (i.e., use of mobile devices)
      Disruption to operations (i.e., denial of service or systems downtime)
• 72% of organizations have experienced an application security incident in the past two years.
• 91% of CISOs say application security is a blind spot at the CEO and board level.
• 82% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 83% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 82% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 10% of CISOs say their organization has mature DevSecOps automation practices.

Spain
Sample base: 100 respondents

• 68% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 73% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Internal risk management / oversight (i.e., use of mobile devices)
  2 — Third-party risk management (i.e., cloud services or supply chain)
  3 — Crisis management and response (i.e., data breach and media focus)
• 76% of organizations have experienced an application security incident in the past two years.
• 86% of CISOs say application security is a blind spot at the CEO and board level.
• 78% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 82% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 76% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 17% of CISOs say their organization has mature DevSecOps automation practices.


Sweden
Sample base: 50 respondents

• 58% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 68% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Internal risk management / oversight (i.e., use of mobile devices)
  2 — Third-party risk management (i.e., cloud services or supply chain)
  3 — Human error / insider threats (i.e., phishing or corporate espionage)
      Crisis management and response (i.e., data breach and media focus)
• 76% of organizations have experienced an application security incident in the past two years.
• 82% of CISOs say application security is a blind spot at the CEO and board level.
• 84% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 72% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 72% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 2% of CISOs say their organization has mature DevSecOps automation practices.

Benelux
Sample base: 50 respondents (32 Netherlands, 10 Belgium, 8 Luxembourg)

• 62% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 82% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Crisis management and response (i.e., data breach and media focus)
  2 — Human error / insider threats (i.e., phishing or corporate espionage)
  3 — Third-party risk management (i.e., cloud services or supply chain)
• 72% of organizations have experienced an application security incident in the past two years.
• 84% of CISOs say application security is a blind spot at the CEO and board level.
• 82% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 78% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 64% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 12% of CISOs say their organization has mature DevSecOps automation practices.



Middle East
Sample base: 150 respondents (65 UAE, 46 Saudi Arabia, 20 Kuwait, 19 Qatar)

• 73% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 77% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Internal risk management / oversight (i.e., use of mobile devices)
  2 — Third-party risk management (i.e., cloud services or supply chain)
  3 — Human error / insider threats (i.e., phishing or corporate espionage)
      Crisis management and response (i.e., data breach and media focus)
• 72% of organizations have experienced an application security incident in the past two years.
• 89% of CISOs say application security is a blind spot at the CEO and board level.
• 87% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 85% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 80% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 8% of CISOs say their organization has mature DevSecOps automation practices.

Australia
Sample base: 100 respondents

• 64% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 76% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Application security (i.e., vulnerability management)
  2 — Third-party risk management (i.e., cloud services or supply chain)
  3 — Disruption to operations (i.e., denial of service or systems downtime)
• 76% of organizations have experienced an application security incident in the past two years.
• 87% of CISOs say application security is a blind spot at the CEO and board level.
• 80% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 81% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 79% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 10% of CISOs say their organization has mature DevSecOps automation practices.



Japan
Sample base: 100 respondents

• 64% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 76% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Application security (i.e., vulnerability management)
  2 — Crisis management and response (i.e., data breach and media focus)
  3 — Internal risk management / oversight (i.e., use of mobile devices)
• 73% of organizations have experienced an application security incident in the past two years.
• 88% of CISOs say application security is a blind spot at the CEO and board level.
• 77% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 84% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 78% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 15% of CISOs say their organization has mature DevSecOps automation practices.

India
Sample base: 50 respondents

• 58% of CISOs say there is a regular requirement to report to the CEO and board on their cybersecurity risk and compliance posture.
• 76% of CISOs say their security tools have limited ability to generate insights the CEO and board can use to understand business risk and prevent threats.
• CISOs ranked their organizations’ top priorities for cybersecurity management as the following:*
  1 — Disruption to operations (i.e., denial of service or systems downtime)
  2 — Application security (i.e., vulnerability management)
  3 — Crisis management and response (i.e., data breach and media focus)
      Internal risk management / oversight (i.e., use of mobile devices)
• 70% of organizations have experienced an application security incident in the past two years.
• 82% of CISOs say application security is a blind spot at the CEO and board level.
• 90% of CISOs say DevSecOps automation will be essential to their ability to stay on top of emerging regulations such as the SEC cybersecurity mandate, NIS2, and DORA.
• 76% of CISOs say DevSecOps automation is even more important to managing the risk of vulnerabilities introduced by AI.
• 84% of CISOs have difficulty driving DevSecOps automation due to their reliance on multiple application security tools.
• Only 4% of CISOs say their organization has mature DevSecOps automation practices.



Automatic and intelligent observability for hybrid multiclouds

We hope this ebook has inspired you to take the next step in your digital journey. Dynatrace is committed to providing enterprises the data and intelligence they need to be successful with their enterprise cloud and digital transformation initiatives, no matter how complex.

Learn more: If you are ready to learn more, please visit www.dynatrace.com/platform for assets, resources, and a free 15-day trial.

Dynatrace (NYSE: DT) exists to make the world’s software work perfectly. Our unified platform combines broad and deep observability and continuous runtime application security with the most advanced AIOps to provide answers and intelligent automation from data at enormous scale. This enables innovators to modernize and automate cloud operations, deliver software faster and more securely, and ensure flawless digital experiences. That’s why the world’s largest organizations trust the Dynatrace® platform to accelerate digital transformation.

Curious to see how you can simplify your cloud and maximize the impact of your digital teams? Let us show you. Sign up for a free 15-day Dynatrace trial.


04.30.24 BAE12013_EBK_cs
