A global survey of 1,500 C-suite and senior executives published today finds about half (49%) concede their organization lacks the visibility needed to fully understand – or even identify – software supply chain risks.
Conducted by the market research firm FT Longitude on behalf of LevelBlue, a managed security services provider (MSSP), the report also finds that 80% of those respondents reported that their organization experienced a breach in the last 12 months, compared to 6% of respondents with high visibility.
Overall, the survey finds that only 23% of respondents are confident they have high visibility into their organization’s software supply chain.
Theresa Lanowitz, chief evangelist for LevelBlue, said the survey makes it clear that while progress has been made securing software supply chains in recent years, much work remains to be done.
In fact, 40% of CEOs said they believe that their organization’s software supply chain represents the biggest security risk to the organization, compared with 29% of CIOs and 27% of CTOs who agreed, according to the survey.
Despite that level of concern, however, only a quarter of respondents (25%) said their organization plans to prioritize engaging with software suppliers about security credentials in the next 12 months.
In general, organizations that have low visibility into their software supply chains need to define a set of key performance indicators (KPIs) to track, said Lanowitz. Armed with those insights, it then becomes possible to operationalize the software bills of materials (SBOMs) that many organizations are now starting to collect to comply with various regulations, she noted.
The challenge then becomes acquiring the data analytics capability needed to turn all that information into a set of actionable insights, added Lanowitz.
On the plus side, the LevelBlue survey of senior executives echoes similar surveys of cybersecurity leaders. A survey of 110 security leaders conducted by The Futurum Group, for example, finds all are investing in software supply chain security, with application security posture management (ASPM) and DevSecOps automation and orchestration topping the priority list, followed closely by software composition analysis (SCA) tools, application programming interface (API) security and dynamic application security testing (DAST) tools.
In addition, 30% of respondents expect to be piloting a software bill of materials (SBOM) initiative in the next 24 months, the survey finds.
However, the source of the funding for these initiatives is becoming more of a shared responsibility, with only 21% of respondents reporting that security budgets are the sole source. In fact, half of the respondents (50%) noted that application development teams now own responsibility for application security.
Overall, only 25% of respondents said there is limited collaboration with application development teams, resulting in occasional friction, compared to 59% that said there is good collaboration with room for improvement. Only 16% said there is a tight partnership based on shared goals.
Hopefully, software supply chain security will continue to improve steadily in the months ahead, and faster than cybercriminals become more adept at exploiting vulnerabilities that seem only to multiply with each passing day.