Executives from the boardroom and the C-suite are realizing the damaging effect software supply chain attacks can have on their organizations, but they aren’t taking action. According to a recent report from Venafi, senior IT executives agree (97%) that software build processes are not secure enough, yet there is a disconnect when it comes to which team is responsible for driving security changes… 61% of executives said IT security teams should be responsible for software security, while 31% said development teams should be.

This lack of consensus is hindering efforts to improve the security of software build and distribution environments and exposing every company that buys commercial software to SolarWinds-style supply chain attacks. At the same time, security teams, who are strapped for budget and resources, rarely have visibility or control into the security controls in software development environments. To make matters worse, there is no standard framework that would help them evaluate the security of the software they use.

The survey also found that 94% of executives believe there should be clear consequences for software vendors that fail to protect the integrity of their software build pipelines. These consequences could be penalties such as fines and greater legal liability for companies proven to be negligent. It might seem surprising that executives are encouraging such a practice, but they understand that clear consequences will force software vendors to shift away from the ‘build fast, fix security later’ mentality that leaves their customers and partners at risk.

Venafi’s survey evaluated the opinions of more than 1,000 IT and development professionals, including 193 executives with responsibility for both security and software development, and revealed a glaring disconnect between executive concern about software supply chain security and executive action.

Read the full report by Venafi.