Closing the gap between AppSec intent and implementation
For many years, application security (AppSec) occupied a small technical niche within cybersecurity and was rarely seen as a critical boardroom-level priority. Today, though, we can see awareness shifting.
In recent research conducted by Checkmarx, nearly half of CISOs said they believe buyers now factor AppSec into purchasing decisions, showing its increased strategic weight in business operations.
Yet there’s still a stark disconnect between how AppSec is seen and how it’s put into practice. Just 39% of respondents felt that their business operations currently run on secured applications.
With AppSec now recognized as critical to business resilience, it often falls short in execution. To close the implementation gap, CISOs must lead a charge in rethinking governance, culture, and scale.
VP Portfolio Marketing, Checkmarx.
AppSec ownership is shifting but visibility is suffering
As software development cycles accelerate and architectures grow more complex, security responsibilities are moving closer to the code, and in nearly half of software-based companies, security oversight has moved outside the CISO’s office.
Instead, our research found that development or product teams are now just as likely to own AppSec decisions. This shift makes operational sense: embedding security earlier in the SDLC enables scalable protection without sacrificing delivery speed, but it can introduce visibility gaps across teams and pipelines.
Decentralizing AppSec typically introduces fragmentation. On average, organizations juggle more than 11 security tools, many of which are not integrated into a coherent workflow. Without central oversight, CISOs risk losing track of how security is being applied – or where it’s falling short. Inconsistent practices, “shadow security” workarounds, and gaps in coverage become more likely when security policies aren’t uniformly applied.
This shift also alters the flow of influence within the company. Developers increasingly have veto power over tools that interrupt their workflows, which means security can take a back seat if the two teams aren’t able to collaborate effectively.
If AppSec is to scale effectively, governance must evolve along with it. That means enabling secure practices without enforcing bottlenecks and without losing visibility in the process. CISOs have a critical role to play here, ensuring that security is implemented smoothly as a set of guardrails rather than roadblocks.
DevSecOps maturity remains low
Despite the push for “shift left” practices and the proliferation of AppSec tools, most organizations lack maturity in their security integration. Of the CISOs in our research just 20% reported “high” or “very high” DevSecOps maturity. Meanwhile, 70% said that at least half of their applications still lack adequate security coverage. This is an alarmingly high figure when considering how important applications have become to most operations.
Part of the problem is that early-stage security integration doesn’t extend far enough. Many teams focus on scanning during development but neglect the runtime and deployment phases where vulnerabilities can still emerge. Others adopt tools without embedding them into daily workflows, leading to alert fatigue or missed risks.
A lack of training also compounds the issue. Developers are not typically trained in security practices and often lack the context or time to triage and fix security findings. This is made even more challenging when results are delivered through disconnected tools or outside their environment. The result is a culture of firefighting, responding to issues late in the lifecycle instead of designing resilient code from the start.
To close the maturity gap, organizations must adopt a layered approach: automated scanning at every stage, context-aware training, and close collaboration between platform engineering and AppSec teams. Maturity isn’t an issue of coverage, it’s about consistency, scalability, and trust between disciplines.
What CISOs must prioritize in 2025
CISOs are best placed to close the gap between strategy and execution in AppSec. Achieving this requires a new strategy built around four key factors: governance, collaboration, alignment and scalability.
Setting down governance
CISOs can no longer manage AppSec through centralized control alone. Instead, they must define a clear governance model for their teams, setting policies, KPIs and risk thresholds that can be embedded into automated workflows.
That means guiding platform teams to select tools that enforce policies programmatically, reducing the need for manual intervention. Security should be part of the pipeline, not a separate gate at the end of it.
Fostering collaboration
With ownership moving closer to developers, CISOs need to use their influence to establish a strong collaborative culture that works for everyone. Start by aligning KPIs across security and development teams to avoid competing incentives.
Then invest in enablement: training tailored to different skill levels, just-in-time guidance, and workflows that stay inside the IDE. Security champions and mentor programs can speed up cultural change, embedding expertise where it matters most.
AppSec risk is business risk
We consistently find that too few CISOs are translating AppSec risks into business terms. While 62% report metrics to the board, only 25% frame those risks in terms of business impact, such as reputational damage, regulatory exposure or lost revenue.
Without this alignment, security will remain a siloed concern until it’s too late and a breach occurs. CISOs must strengthen the AppSec link to wider business goals, reinforcing its role in customer trust, product resilience and competitive differentiation.
Driving scalability with the right technology
Fragmented tooling is one of the biggest barriers to effective AppSec. Consolidating around a platform approach that spans legacy and modern environments enables consistency, reduces noise and enhances developer productivity.
Scalable models should use automation where possible, with human input where needed. That’s how you keep pipelines moving fast – without losing control or visibility over security.
Taking AppSec from bottleneck to enabler
AppSec’s evolution from technical concern to business priority is undeniable, but implementation still lags. As ownership shifts to development teams, the role of the CISO must also evolve to keep security front and centre.
The challenge is no longer about control, but coordination. Governance, culture and technology must all align to embed security where it counts without creating friction. CISOs who lead with vision, build developer trust and champion scalable solutions can transform AppSec from a potential bottleneck into a force multiplier for resilience, speed and long-term business value.
We feature the best DevOps tools.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro