CISOs Facing Pressure Over API Security

July 24, 2025

A recent report from Raidiam, a British computer services provider, warns that most organizations are exposing sensitive data through inadequate API security without realizing it.

Mirko Zorz of Help Net Security writes that the report finds API security to be dangerously lagging, despite the growing reliance on APIs to support mobile apps, cloud services, and third-party integrations.

That assessment is based on an examination of 68 companies outside regulated industries, accompanied by a warning that regulation is imminent.

The report found that over 80% of organizations fell into the “Act Urgently” category, meaning they transmit high-value personal or financial data via APIs while relying on minimal protections, such as static API keys and long-lived bearer tokens that are not bound to the client presenting them.

Only one organization had implemented a mature, modern security stack. Many companies lack visibility into what data their APIs expose, and few conduct API-specific testing.

Monitoring is limited, so an attacker who abuses an API could go undetected for weeks. This mismatch between how heavily APIs are used and how little security maturity surrounds them represents a growing attack surface that few organizations effectively manage.

Raidiam advocates adopting security models that have already proven effective in regulated environments. These include mutual TLS (mTLS) client authentication, certificate-bound access tokens that cannot be replayed from a different client, and API security profiles such as FAPI, the OpenID Foundation’s Financial-grade API profile.
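To make the “certificate-bound token” recommendation concrete, here is an added example (not code from Raidiam or the report) of the check a resource server performs under RFC 8705, OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens. It assumes the server has already terminated mTLS and holds the client’s leaf certificate in DER form, and that the token’s claims have already been signature-verified and decoded into a dict. The certificate bytes and claims are constructed sample data, and the function names are this example’s own.

```python
"""Validate an OAuth 2.0 certificate-bound access token (RFC 8705).

Added illustration, not code from Raidiam or the report. Assumes the
resource server already terminated mutual TLS and has the client's
leaf certificate in DER form, and that the token's claims have already
been signature-verified and decoded into a dict. The certificate bytes
and claims below are constructed sample data, not real credentials.
"""
import base64
import hashlib
import hmac
from typing import Optional


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER)) with '=' padding removed."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_bound_to_cert(claims: dict, cert_der: Optional[bytes]) -> bool:
    """Accept the token only if its cnf claim matches the mTLS client cert.

    A token without a cnf claim is a plain bearer token. A resource that
    requires certificate binding must reject it rather than fall back to
    bearer semantics, otherwise a stolen token is as good as the original.
    """
    if cert_der is None:
        return False  # no client certificate was presented on this connection
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str):
        return False
    # Constant-time comparison so the thumbprint check does not leak via timing.
    return hmac.compare_digest(expected, x5t_s256(cert_der))


# Constructed sample data: stand-ins for DER-encoded client certificates.
LEGIT_CLIENT_CERT = b"\x30\x82\x01\x0a" + b"legit-client-cert-der".ljust(64, b"\x00")
ATTACKER_CERT = b"\x30\x82\x01\x0a" + b"attacker-cert-der".ljust(64, b"\x00")

# Issued by the authorization server to the legitimate client, bound to its cert.
BOUND_TOKEN_CLAIMS = {
    "sub": "client-42",
    "scope": "payments:read",
    "cnf": {"x5t#S256": x5t_s256(LEGIT_CLIENT_CERT)},
}
# What an unbound bearer token looks like: nothing ties it to a client.
BEARER_TOKEN_CLAIMS = {"sub": "client-42", "scope": "payments:read"}

if __name__ == "__main__":
    print(token_bound_to_cert(BOUND_TOKEN_CLAIMS, LEGIT_CLIENT_CERT))  # True
    print(token_bound_to_cert(BOUND_TOKEN_CLAIMS, ATTACKER_CERT))      # False: replayed from another client
    print(token_bound_to_cert(BEARER_TOKEN_CLAIMS, LEGIT_CLIENT_CERT))  # False: unbound token rejected
```

The second call is the case the report is worried about: a token leaked from logs or a compromised integration is useless to an attacker who cannot also present the private key behind the bound certificate. The third call shows why the check must not fall back to bearer behaviour when the `cnf` claim is missing.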

The disparity between regulated and unregulated sectors has created a “two-speed” risk environment, where mature players, such as banks, are outpacing other industries.

Board members, even without technical expertise, can help close this gap by tracking simple metrics, such as the percentage of APIs still using static keys.

Attorneys should note that regulatory enforcement in API security is coming. Frameworks such as the EU’s Digital Operational Resilience Act (DORA) and NIST’s Zero Trust Architecture guidance (SP 800-207) are gaining traction, and companies must prepare for increased oversight of their digital supply chains.

Legal teams should anticipate changes in liability, disclosure, and governance related to insecure APIs and advise boards to prioritize proactive compliance measures to mitigate potential risks.
