A new survey of 200 chief information security officers (CISOs) from across diverse industries and regions finds that 49 percent of CISOs say buyers now factor application security (AppSec) into their purchasing decisions.

The study from Checkmarx shows 24 percent say that application security is 'always' a factor in those decisions. This trend is most pronounced in Europe, where 58 percent of respondents report that security is always a factor, compared to 33 percent in the Asia Pacific region and only eight percent in North America.

"We're witnessing a pivotal change: AppSec is now a competitive differentiator, a budget priority and a boardroom issue," says Checkmarx chief product officer Jonathan Rende. "As development teams take greater ownership, CISOs must focus on governance, strategy and collaboration to keep security outcomes on track."

The study also finds that decision-making is becoming increasingly decentralized, with development teams more often influencing security practices and even owning budget authority. In organizations developing software-based products responsibility is split, 50 percent of organizations assign security responsibility to CISOs while 43 percent move security oversight to development teams. In addition 56 percent of organizations say that most of their development teams are fully integrated with AppSec programs.

Rende adds, "As security responsibility migrates toward development teams, so does the funding. That's why CISOs today need to lead with influence, creating guardrails, not roadblocks."

While 62 percent of CISOs report AppSec metrics to their board, most focus solely on vulnerability counts, with only 25 percent tying those risks to business outcomes like brand reputation or regulatory exposure. This disconnect underscores the need for CISOs to frame security in terms of business risk.

You can get the full report from the Checkmarx site.

Image credit: Ahmadrizal7373/Dreamstime.com