ServiceNow Inc. (Santa Clara, CA) released new research, “Today’s State of Vulnerability Response: Patch Work Demands Attention,” based on a survey conducted with the Ponemon Institute. The report uncovered security’s “patching paradox”—hiring more people does not equal better security. While security teams plan to hire more staffing resources for vulnerability response—and may need to do so—they won’t improve their security posture if they don’t fix broken patching processes.
Firms struggle with patching because they use manual processes and can’t prioritize what needs to be patched first. The study found that efficient vulnerability response processes are critical because timely patching is the most successful tactic companies employed in avoiding security breaches.
ServiceNow surveyed nearly 3000 security professionals in nine countries to understand the effectiveness of their vulnerability response tools and processes. Vulnerability response is the process companies use to prioritize and remediate flaws in software that could serve as attack vectors.
“Adding more talent alone won’t address the core issue plaguing today’s security teams,” said Sean Convery, vice president and general manager, ServiceNow Security and Risk. “Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”
Cybersecurity teams already dedicate a significant proportion of their resources to patching. That number is set to rise:
Adding cybersecurity talent may not be possible. According to the Information Systems Audit and Control Association (ISACA), a global non-profit IT advocacy group, the global shortage of cybersecurity professionals will reach 2 million by 2019. The study found that hiring won’t solve the vulnerability response challenges facing organizations:
“Most data breaches occur because of a failure to patch, yet many organizations struggle with the basic hygiene of patching,” said Convery. “Attackers are armed with the most innovative technologies, and security teams will remain at a disadvantage if they don’t change their approach.”
Organizations that were breached struggle with vulnerability response processes compared to organizations that weren’t:
“If you’re at sea taking on water, extra hands are helpful to bail,” Convery said. “The study shows most organizations are looking for bailers and buckets instead of identifying the size and severity of the leak.”
Here are five key recommendations that provide organizations with a pragmatic roadmap to improve security posture:
ServiceNow commissioned the Ponemon Institute to survey nearly 3000 IT security professionals. Respondents are based in Australia, France, Germany, Japan, the Netherlands, New Zealand, Singapore, the United Kingdom, and the US, and represent organizations with more than 1000 employees. The survey was administered online. Founded in 2002, the Ponemon Institute is a research center specializing in privacy, data protection, and information.