75% of Firms Push Vulnerable Code as CISO Pressure Mounts

Summary
– 95% of CISOs reported pressure from other business parts to deprioritize or delay reporting of security issues, leading 75% of organizations to knowingly deploy vulnerable code.
– 30% of organizations deployed vulnerable code believing compensating controls mitigated risk, while 27% did so to meet business or security deadlines, and 27% only detected the vulnerability after deployment.
– 30% of respondents admitted hoping vulnerabilities would not be discovered, and 27% said fixing them was too difficult or time-consuming.
– Only 9% of organizations fix over 90% of vulnerabilities within 90 days, while nearly a third remediate fewer than half in that timeframe, leaving systems exposed.
– The report calls for a new security model that blends deterministic precision with probabilistic reasoning, warning that AI alone adds risk and cannot secure code.
A staggering 95% of CISOs have reported feeling pressure from other business units to deprioritize or delay reporting on security issues, particularly when critical business deadlines loom. This finding, from a June 8 report by Checkmarx, underscores a growing tension between security teams and the rest of the organization.
The consequences of this pressure are significant. According to the survey, 75% of organizations have knowingly deployed vulnerable code into a production environment. When asked why, 30% cited confidence in compensating controls to mitigate the risk, 27% said it was necessary to meet a business or security deadline, and another 27% admitted the vulnerability was only discovered after deployment.
The data also reveals a troubling mindset around risk acceptance. Nearly a third of respondents (30%) said they simply hoped the vulnerability would not be discovered, while 27% described the fix as too difficult or time-consuming to implement. This comes at a time when many organizations are rapidly adopting AI-generated code, which boosts efficiency but also introduces new risks from undetected errors or vulnerabilities.
“This report points to a massive disconnect between the security crisis that organizations are facing and the incremental steps that they are taking to address it,” said Sandeep Johri, CEO of Checkmarx. “Just like the student cannot grade their own exam, AI alone cannot secure code – and, as the research shows, it adds risk.” Johri called for a completely new security model that blends deterministic precision with probabilistic reasoning.
The research also highlights a critical remediation gap. Only 9% of organizations manage to fix over 90% of vulnerabilities within 90 days. Nearly a third remediate fewer than half within that same timeframe. “Every day a known vulnerability sits unpatched is a day the door is unlocked,” the report warned, noting that the mean time to exploit has collapsed to mere minutes.
Despite these challenges, the report found a sense of optimism among security leaders. Many organizations are now strengthening governance, especially around AI, and working to reduce fragmentation across tools, teams, and processes. The findings are based on responses from 2,350 CISOs, AppSec managers, and developers across 14 countries.
(Source: Infosecurity Magazine)