
CISOs Struggle with API Visibility Despite Security Concerns

Three-quarters of APIs are changed weekly or daily, while most organisations only audit for shadow APIs monthly or quarterly.

There is a growing disconnect between CISO awareness of API risks and their organisations' ability to manage them.

According to research from Salt Security, 73% of CISOs rank API security as a high or critical priority, but just 17% have a comprehensive strategy in place. As API environments scale rapidly to support innovation and digital services, the lack of full visibility - only 19% of CISOs report having it - continues to expose organisations to growing security threats, particularly through unmanaged or “shadow” APIs.

Among the responses from 300 CISOs, 74% admitted to regularly discovering unknown APIs, and 90% said they couldn’t confirm that all their APIs were being managed.

This is further complicated by the fast pace of API updates - 75% are changed weekly or daily - while most organisations only audit for shadow APIs monthly or quarterly, leaving weeks-long blind spots where vulnerabilities can go unnoticed.
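The practical answer to a weeks-long audit gap is to reconcile observed traffic against the documented inventory continuously rather than on a quarterly cycle. The script below is an added illustration of that idea and is not Salt Security's tooling or any code from the research: it takes a small, constructed inventory of documented endpoints (in the style of an OpenAPI paths section) and a constructed sample of access-log lines, then reports requests that match no documented endpoint (shadow APIs, grouped by endpoint shape) and documented endpoints that saw no traffic (stale documentation). The endpoint paths, log lines and IP addresses are all made up for the example.

```python
"""Reconcile observed API traffic against a documented inventory to surface shadow endpoints."""
import re
from collections import Counter

# Constructed inventory: (method, path template) pairs, in the style of an OpenAPI paths section.
DOCUMENTED = [
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/users"),
    ("GET", "/api/v1/orders/{orderId}/items"),
    ("GET", "/api/v1/reports/{id}"),   # documented but never seen in the sample log
]

# Constructed access-log sample in Common Log Format; not real traffic.
ACCESS_LOG = """\
10.0.0.5 - - [12/May/2025:10:01:22 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.7 - - [12/May/2025:10:01:25 +0000] "POST /api/v1/users HTTP/1.1" 201 88
10.0.0.9 - - [12/May/2025:10:02:01 +0000] "GET /api/v1/orders/17/items?page=2 HTTP/1.1" 200 1203
10.0.0.9 - - [12/May/2025:10:02:09 +0000] "GET /api/v2/users/42/export HTTP/1.1" 200 9981
10.0.0.3 - - [12/May/2025:10:03:44 +0000] "DELETE /api/v1/users/42 HTTP/1.1" 204 0
10.0.0.3 - - [12/May/2025:10:04:10 +0000] "GET /internal/debug/config HTTP/1.1" 200 4410
10.0.0.4 - - [12/May/2025:10:05:00 +0000] "GET /api/v2/users/7/export HTTP/1.1" 200 9712
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def template_to_regex(template):
    """Turn an OpenAPI-style path template into a regex; {param} matches one path segment."""
    parts = re.split(r"(\{[^}]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def normalize_path(path):
    """Collapse identifier-looking segments so shadow hits group by endpoint shape, not by ID."""
    segs = path.split("/")
    return "/".join("{id}" if s.isdigit() or UUID_RE.match(s) else s for s in segs)


def reconcile(log_text, documented):
    """Return (shadow, unseen).

    shadow maps (method, normalized path) -> request count for traffic that matches no
    documented endpoint; unseen lists documented endpoints that received no traffic.
    """
    inventory = [(m, template_to_regex(t), t) for m, t in documented]
    seen = set()
    shadow = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line; skip rather than fail on malformed input
        method, path = m["method"], m["target"].split("?", 1)[0]  # drop the query string
        for doc_method, rx, template in inventory:
            if doc_method == method and rx.match(path):
                seen.add((doc_method, template))
                break
        else:
            # No documented (method, template) matched: this is an undocumented endpoint.
            shadow[(method, normalize_path(path))] += 1
    unseen = [(m, t) for m, t in documented if (m, t) not in seen]
    return dict(shadow), unseen


if __name__ == "__main__":
    shadow, unseen = reconcile(ACCESS_LOG, DOCUMENTED)
    for (method, path), hits in sorted(shadow.items(), key=lambda kv: -kv[1]):
        print(f"SHADOW  {method:6} {path}  ({hits} requests)")
    for method, template in unseen:
        print(f"UNSEEN  {method:6} {template}  (documented, no traffic)")
```

Note that the DELETE on an otherwise documented user path is reported as shadow traffic: a method the spec never lists is as much a blind spot as an unknown path. Pointed at a daily export of gateway or load-balancer logs and the current spec, the same loop closes the gap between weekly API changes and a quarterly audit.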

Michael Callahan, chief marketing officer of Salt Security, said: “These tools were not built with the threats faced by organisations today in mind, especially as the threat landscape has evolved so quickly and unpredictably in recent years.

“Legacy tech paired with a lack of visibility over the entire API ecosystem presents a worrying picture for CISOs aiming to secure their organisation effectively. Modern issues need modern solutions that are scalable, efficient and effective.”

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

