"The risk factors, the weakest links, are human," he said, adding that the survey shows that enterprises need to dedicate more resources to helping their developers write more secure code, and helping all their employees be more security conscious.
And even an annual training program might not be sufficient, given the fast-changing nature of the threats.
"If you were to update your antivirus just once a year, that's not a good security posture," he said. "But that's what we do with the human element. We don't give them the tools they need to do their jobs."
He added there's a widespread perception that you can't train people to be more security conscious.
"I think that perception is wrong," he said. "With good training, good communications, you can actually have measurable change in the organization."