
Addressing supply chain security compliance obligations


A new study reveals that over a third of UK organisations see software supply chain security as the biggest risk to their business.

In the midst of no fewer than four best-practice guides, two communications from the US federal government, and hundreds of headlines focusing on the software supply chain, it’s no surprise that organisations are finding it hard work to keep up with the deadlines, let alone the fine print.

A new survey by Aqua Security found that more than a third of UK organisations believe inadequate software supply chain security is the biggest security risk to their business, with new regulations and cloud native security among their top concerns.

The survey was conducted at Cloud Expo Europe 2023 and gathered insights from more than 100 cloud professionals who attended the event. Compared with a similar survey conducted at the same event in 2022, the results show an increase of 18.6 per cent on the previous year, with 36.9 per cent of respondents now naming supply chain security as the biggest security risk to their business. Overall, understanding of cloud native security risks has improved over the last 12 months, but there is heightened confusion over new regulations and significant concern about supply chain security.

Almost half of respondents chose open-source vulnerabilities as their main software supply chain concern. 34 per cent of organisations now have a Cloud Native Security strategy in place for 2023, compared to 21.2 per cent in 2022. Barriers to effective Cloud Native Security included lack of understanding (42.7 per cent), limited or no budget (38.8 per cent) and perceived difficulty of implementation (29.1 per cent).

“High-profile supply chain attacks have likely drawn organisations’ attention to an issue that has slowly been festering over the last few years,” explained Rani Osnat, SVP of strategy at Aqua Security. “Hopefully, greater concern will lead to greater action, and organisations will implement true end-to-end security solutions to keep their software supply chain secure.” 

New regulations causing concern

New compliance obligations relating to supply chain security, such as Executive Order 14028 in the US, were a cause for concern for many respondents, and only 36.9 per cent were confident in their ability to adopt new guidelines or frameworks. Furthermore, few organisations planned to implement supply chain security standards: only 22.3 per cent were planning to adopt SBOM formats such as CycloneDX or SPDX, and only 10.7 per cent were planning to implement the requirements of the EU's NIS2 directive.

Despite these concerns, the survey did indicate that progress has been made over the last year on Cloud Native Security. Thirty-four per cent of organisations now have a Cloud Native Security strategy in place for 2023, compared to just 21.2 per cent in 2022. Furthermore, the proportion of organisations reporting that responsibility for Cloud Native Security sits jointly with IT Security and DevOps teams rose to 28.2 per cent.

Understanding and awareness also appears to have increased, with 46.6 per cent of respondents familiar with the term CNAPP (Cloud Native Application Protection Platform), the cloud native security category introduced by analyst firm Gartner, a 47 per cent increase over the previous year. Furthermore, the number of respondents who cited a lack of understanding as a barrier to a successful Cloud Native Security Strategy decreased by 12.9 per cent from last year, to 42.7 per cent. 

However, there are still significant barriers to effective Cloud Native Security. Limited or no budget was cited as an obstacle by 38.8 per cent of respondents, and 29.1 per cent said they considered Cloud Native Security complicated or hard to implement.

Osnat concluded: “It’s encouraging to see progress in the UK on Cloud Native Security awareness. With Gartner estimating that more than 95 per cent of new apps will be deployed on cloud-native platforms by 2025, it’s vital that this becomes a key security priority. More must still be done to ensure that security and DevOps teams are armed with the knowledge and solutions needed to stop Cloud Native attacks across the application lifecycle.” 
