AppSec Just Got a New Boss — And It’s Not the Security Team!

As application security becomes a critical factor in purchasing decisions, developers are stepping up and budgets are growing.


Key Takeaways:

  • Nearly half of CISOs report that application security is regularly considered during procurement.
  • European buyers show the highest sensitivity to security factors.
  • AppSec funding is on the rise globally.

Security is becoming a key factor in purchasing decisions, particularly across Europe, where it’s now seen as a competitive differentiator. At the same time, responsibility for security is shifting from centralized teams to developers and product groups, which reflects the growing influence of DevSecOps.

The findings come from Checkmarx's annual CISO report, which is based on a survey of 200 chief information security officers (CISOs) across different industries and regions. 49 percent of CISOs report that buyers regularly consider application security when making purchasing decisions, and 25 percent say that application security is always a factor.

The study also found that product teams are now responsible for software security in 43 percent of organizations, which indicates a shift away from centralized security teams toward development and product teams. This change reflects the rise of DevSecOps, where security is integrated into the development lifecycle. At the same time, 38% of CISOs report that they do not have direct visibility at the board level, which can hinder strategic alignment and investment in security.

Fortunately, application security budgets are increasing in enterprise environments. In 2023, 78 percent of CISOs reported an increase in their application security (AppSec) funding, with 40 percent describing the boost as substantial. Over 70 percent of respondents expect their budgets to grow again this year, and one in four anticipate a significant jump.

In Europe, 56% of CISOs reported a notable rise in their AppSec funding. By contrast, only about one-third of CISOs in North America and Asia-Pacific reported similar levels of budget growth.

“We’re witnessing a pivotal change: AppSec is now a competitive differentiator, a budget priority and a boardroom issue,” said Checkmarx Chief Product Officer Jonathan Rende. “As development teams take greater ownership, CISOs must focus on governance, strategy and collaboration to keep security outcomes on track.”

2024/2025 AppSec Budgets compared to 2023 (Image Credits: Checkmarx)

What are the challenges in AppSec implementation?

The Checkmarx 2025 CISO report outlines several key challenges that organizations face when it comes to AppSec.

  • Most developers lack the training and tools to write secure code effectively.
  • Security teams often face limited budgets, staff shortages, and tight deadlines.
  • 38% of CISOs say they lack direct access to the board, which limits their ability to secure funding or influence strategic decisions.
  • Many organizations use multiple security tools that don’t integrate well with each other or with development pipelines. This problem causes inefficiencies, alert fatigue, and missed vulnerabilities.

Recommendations for IT leaders

a. Define a clear governance structure

IT leaders should establish well-defined governance frameworks that clarify roles, responsibilities, and decision-making authority across security, development, and product teams. A clear structure reduces confusion and ensures accountability throughout the software lifecycle.

b. Align security with business objectives

It’s also recommended that organizations integrate security goals with broader business strategies. They should treat application security as a business enabler that supports innovation, customer trust, and competitive advantage.

c. Foster a culture of shared responsibility

Security is a shared responsibility, not just the job of the security team. IT leaders are advised to encourage developers, product managers, and operations teams to work together to maintain secure practices.

d. Use metrics to drive accountability

Organizations should adopt metrics that reflect both technical and business impact, such as risk exposure, time to remediate vulnerabilities, and developer adoption of security tools.

e. Continuously evolve governance models

IT leaders should also regularly review and update their policies, tools, and processes so that they stay aligned with emerging risks and changing development practices.

Overall, the Checkmarx 2025 CISO report highlights a major shift in application security, one in which governance, developer empowerment, and business objectives need to be aligned. IT leaders are advised to promote a culture of shared responsibility, integrate security into strategic goals, and continuously adapt their governance models to evolving threats and development practices.