CloudBees released the company's annual CloudBees Global C-Suite Security Survey report, which finds that security and compliance challenges are a significant barrier to most organizations' innovation strategies. The survey also reveals agreement among C-suite executives that a shift left security strategy is a burden on development teams.
Three quarters of C-suite executives say that compliance challenges (76%) and security challenges (75%) limit their company's ability to innovate. This is due, in part, to the significant time spent on compliance audits, risks and defects. At the same time, C-suite executives overwhelmingly favor a shift left approach, a strategy of moving software testing and evaluation to earlier in the development lifecycle, placing the burden of compliance on development teams. In fact, 83% of C-suite executives say the approach is important for them as an organization, and 77% say they are currently implementing a shift left security and compliance approach. This is despite 58% of C-suite executives reporting that shift left is a burden on their developers.
"These survey findings underscore the urgent need to transform the software security and compliance landscape. As DevOps matures, security and compliance have taken center stage as a source of significant friction," said Prakash Sethuraman, chief information security officer, CloudBees. "While shift left is a popular talking point, it is not yielding the desired results. Instead, it is further burdening development teams and taking their attention away from value-added work. What's needed is a new mindset and a fresh approach, one in which security and compliance are continuous and actually speed innovation."
The survey also revealed a drop in confidence in software supply chain security and compliance, as well as a greater focus on this area. In 2022, 88% of executives say their software supply chain is secure or very secure, down from 95% in 2021. Additionally, 33% note their software supply chain to be completely compliant, a decrease of 19% from the previous year. Further, among the C-suite, 86% are focusing more on compliance now than two years ago, and 82% express more concern about attacks.
The survey also finds:
- Regional differences regarding confidence in compliance and security. The survey finds U.S. C-suite executives think the most about security and compliance, yet those in Spain and the U.K. spend the most time on compliance. German executives demonstrate the lowest level of confidence among executives surveyed, with 23% saying their software supply chain is not secure.
- When given the choice between speed and security, security wins. More than three quarters of C-suite executives say it is more important to be secure and compliant than fast and compliant.
- C-suite executives have confidence in their teams. Nine in ten C-suite executives say their risk management team has the tools, knowledge and expertise to build and/or maintain a secure software supply chain.
- Automation is helpful, but not available for all. Only 22% of C-suite executives say their software delivery supply chain is completely automated, and 37% say it is close to being automated. Similarly, 22% say their compliance process is completely automated, and 35% say it is almost completely automated.
- When it comes to tools, it's a mixed bag. Three in five (59%) executives say they have all, or mostly all, external tools for security and compliance issues, and 29% say they have a mix of internal and external tools. Only 11% use mostly internal tools.