When it comes to application security within organizations, there's a significant gap about it between executives and practitioners, according to a study released Tuesday by the Ponemon Institute and Security Innovation.
While a majority of executives (67%), directors (64%) and managers (58%) believe their company's application security program is mature, less than a third of technicians (27%) and staff (33%) buy into that perception, according to the study.
Executives see their organizations' application security program as far more mature than those at the managerial level and below, the study found. "This may be due to poor communication and collaboration among the different roles involved in application security.
"Such misalignment of priorities makes it difficult for practitioners to obtain the resources necessary to invest in application security and make it an integral part of the overall risk management strategy," the study said.
The disconnect in perceptions means organizations may not always get the best bang for their security buck. "It may be why we're spending more dollars on areas of lower risk," Larry Ponemon, founder and chairman of the Ponemon Institute, said in an interview.
"For example," he continued, "network security is still the largest ticket item in the security arsenal and application security is relatively low, even though many practitioners view the application layer as presenting a higher risk than the network layer or other parts of the security infrastructure."
Ed Adams, president and CEO of Security Innovation, an application security company, said the software layer, by far, has the most security vulnerabilities -- more than the network layer, more than the operating system layer.
"Yet, you've got the majority of the IT security spend going into fire walls and intrusion detection systems and intrusion prevention systems," Adams said in an interview.
Perception discrepancies may help explain why security problems constantly nag applications used by companies, he added. "You've got the folks who are actually doing the work saying two out of three times, 'No, we do not have a mature applications security program,'" he said. "Yet, the executives and directors who own the budget, two out of three of them think they do have a mature application security program.
"This perception gap is, to me, telling of why we have so many problems with software applications continuing to be hacked," Adams said. "You've got management not really having a clue of what's going on with software development.
A similar perception chasm appears relative to training. Most executives (71%) and directors (66%) said they believed their organization's internal training and education programs were being updated to ensure that development teams can handle the latest threats, application security policies and best practices. Only one in five technicians (19%) and staff (20%) agreed with the brass on that subject.
Sign up for Computerworld eNewsletters.