CIO Influence

Why Is Our Corporate Software Our Greatest Nemesis?

The industry has accepted expensive software riddled with hidden vulnerabilities as the norm. Why are we complacent about purchasing risk? The fact is that many software customers remain unaware of these innate risks until the vulnerabilities are disclosed publicly. Corporations invest in technology without fully understanding the liabilities that bad actors leverage against them through their most trusted suppliers.

The table is set. Corporations are laying out a buffet for bad actors to feast on. Attackers exploit vulnerable software to install malware, taking advantage of vulnerabilities that are known and vulnerabilities that are unknown (to us, but not to them). Software providers release products with security flaws that later become known, but to whom, and when? Yet the providers of this vulnerable software have somehow turned their mistakes into a high-margin profit engine.

The number of reported vulnerabilities surged in 2024, reaching 40,008 globally, an increase of roughly 39% over the 28,817 identified in 2023. Software shipped with built-in vulnerabilities has increased revenue opportunities for the major providers and for threat actors alike. Microsoft's security revenue in 2023 was over $20 billion; in 2024 it was projected to be around $25 billion. This system monetizes vulnerabilities rather than prioritizing secure code, and the costs are borne by us, the customers.

In addition to faulty software, there is a significant shortage of qualified cybersecurity professionals relative to the growing number of daily attacks. Cybersecurity Ventures reports that since 2013, 3,809,448 records have been stolen in breaches every day: 158,727 per hour, 2,645 per minute, and 44 per second.

Bad actors and state-sponsored hackers now operate with alarming sophistication and automation, scaling their operations and widening the security gap. Many cybersecurity roles require specialized skills and present "degree and certification only" entry barriers that inflate salaries and strain budgets. Yet security budgets grew by only 8% in 2024, compared to 6% in 2023, and businesses globally spend about 13% of their IT budgets on cybersecurity. How can this near-stagnant funding compete with the AI-driven malware and automated attack frameworks that attackers are developing? It can't.

The global average cost of a data breach was $4.88 million in 2024, up from $4.45 million the previous year. Risk management spending increased by approximately 14% in 2024. Security expenditures are not keeping pace with threats, forcing companies to forgo comprehensive protection and gamble that they will not be hit by a breach or ransomware. Cybercriminals are weaponizing sprawling corporate attack surfaces to build a Cybercrime-as-a-Service (CaaS) economy.

The Corporate Software Stack Is a Hacker’s Layered Dessert

Organizations face difficult choices in managing and mitigating cybersecurity risk. A Proofpoint report reveals that 59% of CISOs feel budget limitations hamper their ability to make critical security investments. In a report from Splunk, 64% of CISOs said that the current threat and regulatory environment makes them worry that they are not doing enough, and that a lack of budgetary support had contributed to a cyberattack.

Industry and government must approach cybersecurity differently. Budgets must reflect the scale at which bad actors are enhancing their sophistication. Regarding the corporate software stack, organizations must demand accountability from their providers instead of paying premium prices for security solutions and then paying again for updates that should have been included in the initial sale. Such expectations could include:

  • Implementation of secure-by-design principles in software development, such as secure default configurations and security fixes delivered at no additional charge.
  • Regulatory frameworks that hold providers accountable for security flaws.
  • Adoption of industry-wide standards for vulnerability disclosure and remediation, including published timelines for fixes.
  • More competitive pricing models that don't lock organizations into expensive, long-term contracts for the most vulnerable software.

Conclusion

Industry leaders, policymakers, and security professionals must respond collectively to these systemic issues and ensure a more sustainable and secure future. We must recognize that corporations operate in an environment of continual software vulnerabilities: known, unknown, and supply chain-related. Our defenses pale beside the ingenuity of the structured cybercrime supply chain and its "disruption-as-a-service" offerings, which produced the SolarWinds supply-chain compromise, and beside the fragility of a software supply chain in which a single faulty vendor update, as in the CrowdStrike outage, can take down organizations worldwide.

We are at a critical juncture: either we appropriately staff, fund, and address our software issues, or we face the consequences of an ongoing cybersecurity arms race that corporations are losing on the global stage. We must remain vigilant in identifying and effectively managing our known vulnerabilities to the best of our ability. At the same time, we must advocate for long-term change, because our current approach is unsustainable. In essence, we must demand higher security standards from our trusted software providers, raise our budgets to match our foes, and fortify our teams with the skilled professionals needed to ensure a more resilient and secure business environment. The last place you want to be is explaining to the board that the company was breached through a known vulnerability.
