DEVOPSdigest

Almost half (49%) of CISOs say buyers now factor application security (AppSec) into purchasing decisions, according to A CISO's Guide to Steering AppSec in the Age of DevSecOps, a report from Checkmarx.

In fact, in nearly half of software-based product companies, security oversight has moved outside the CISO's office entirely.

As application complexity and scale grow — driven by AI, microservices and hybrid application architectures — engineering teams are increasingly accountable for ensuring secure, scalable delivery. With faster release cycles and expanding code bases, AppSec decisions and budgets are shifting toward development teams to embed security earlier and more efficiently in the development process.

"We're witnessing a pivotal change: AppSec is now a competitive differentiator, a budget priority and a boardroom issue," said Checkmarx Chief Product Officer Jonathan Rende. "As development teams take greater ownership, CISOs must focus on governance, strategy and collaboration to keep security outcomes on track."

Key Finding: Application Security is Crucial to Purchasing Decisions

CISOs responding from industries including banking and finance, media, insurance, software, manufacturing and the public sector revealed that robust AppSec programs and practices remain a strong differentiator in their customers' buying decisions. Key data points include:

■ 49% of respondents report that buyers regularly consider application security in purchasing decisions.

■ 24% indicated that application security is "always" a factor in those decisions.

■ This trend is most pronounced in Europe, where 58% of respondents report that security is "always" a factor, compared to 33% in the Asia Pacific region and only 8% in North America.

The Checkmarx study also found that decision-making is becoming increasingly decentralized, with development teams more often influencing security practices and even owning budget authority. The study revealed that:

■ In organizations developing software-based products responsibility is split, 50% of organizations assign security responsibility to CISOs while 43% move security oversight to development teams.

■ 56% of organizations say that most of their development teams are fully integrated with AppSec programs.

Rende added, "As security responsibility migrates toward development teams, so does the funding. That's why CISOs today need to lead with influence, creating guardrails, not roadblocks."

Security's Role in the Boardroom Remains Inconsistent

The study report highlights a persistent gap in how security is communicated at the executive level. While 62% of CISOs report AppSec metrics to their board, most focus solely on vulnerability counts, with only 25% tying those risks to business outcomes like brand reputation or regulatory exposure. This disconnect underscores the urgency for CISOs to frame security in terms of business risk — a prerequisite for securing sustained buy-in at the executive level.

Methodology: Performed in collaboration with Global Surveyz, researchers surveyed CISOs at organizations with annual revenues exceeding $750 million and development teams of at least 180 developers. Participants spanned the US, Canada, Western Europe and the APAC region.