CISOs don’t invest enough in code security
72% of security leaders agree that the age of AI necessitates a complete reset of how organizations approach application security, according to Cycode.
This urgency is reinforced by the fact that 93 billion lines of code were generated in the past year alone, driven in large part by GenAI. This explosion of code is clearly overwhelming security teams, with 73% of security leaders confirming that “code is everywhere.”
“IDC’s latest DevSecOps research highlights that insecure AI-generated code ranks among the top application security challenges for organizations in 2024, aligning with Cycode’s insights. This underscores the rising importance of code security as a cornerstone of application security strategies for 2025,” said Katie Norton, Research Manager at IDC. “As development and threat environments grow more complex, strengthening code security is crucial to safeguarding innovation efforts.”
Top security challenges driving budget increases
According to Cycode, 59% of respondents say today’s attack surface is completely unmanageable, with GenAI named as the number one blind spot, followed by the exponential growth in code. Given these challenges, it’s not surprising that 63% of respondents believe CISOs aren’t investing enough in code security.
In response, security budgets are projected to grow by an average of 50% over the next 12 months.
This reflects the true scale of the challenge ahead. But, as the report highlights, the average enterprise is already using 50 security tools, slightly more than was reported last year. This increasing tool sprawl is creating significant operational challenges, including an overall lack of visibility into security and risk posture, alert fatigue, and difficulties in fostering collaboration between security and development teams.
90% of respondents from organizations with over 61 security tools report a lack of understanding as to where their security budget is being spent. This challenge is compounded by a massive talent gap in cybersecurity, which tool sprawl further worsens, leaving organizations struggling to effectively manage and secure their complex IT environments.
Too many tools require specialist skills
83% of security professionals surveyed agree that having too many tools requires specialist skills, and that those skills are increasingly difficult to find because of the ongoing cybersecurity talent gap. It’s no wonder 65% of respondents said that balancing AppSec needs with the talent shortage is challenging.
Security professionals are increasingly aware of the perils of tool sprawl, with 88% confirming plans to consolidate their AppSec tools into a single platform within the next 12 months.
“The market is sending a clear signal: it’s time to reset and rethink how we approach application security,” said Lior Levy, Cycode’s Co-founder and CEO. “Organizations are investing more in code security than ever before, yet challenges like tool sprawl and an unmanageable attack surface persist. We’re at a critical inflection point and we don’t believe organizations should have to choose between innovation and security.”
Among those already using an Application Security Posture Management (ASPM) platform, 90% report a significant improvement in their ability to understand and manage overall risk, enabling them to prioritize the most critical vulnerabilities. Furthermore, a remarkable 97% have seen a positive impact on collaboration between security and development teams.
The research is based on an independent, vendor-agnostic survey of 700 CISOs, AppSec Directors, and DevSecOps managers across the US, UK, and Germany.