It’s perhaps one of the most well-known and understood foundations of enterprise security – finding and patching outdated software with software updates. However, a newly released survey from cloud IT services provider ServiceNow, Today’s State of Vulnerability Response: Patch Work Demands Attention, found that there is still much work that must be done within the enterprise to close the window of vulnerability, that time between when an application vulnerability becomes known and it is remedied.
To understand the effectiveness of their vulnerability response tools and processes, ServiceNow surveyed about 3,000 security professionals from nine countries. Survey respondents were based in Australia, France, Germany, Japan, the Netherlands, New Zealand, Singapore, the United Kingdom, and the United States, and represent organizations with more than 1,000 employees, ServiceNow said. For the purpose of the survey, ServiceNow defines vulnerability response is the process companies use to prioritize and remediate flaws in software that could serve as attack vectors.
According to the survey findings, firms continue to struggle with patching because they approach the processes manually and don’t have the insight needed to decide what systems should be patched first. The study claimed that efficient vulnerability response processes are critical because timely patching is “the most successful tactic companies employed in avoiding security breaches.”
“Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach,” ServiceNow wrote in this news release.
According to the survey:
- Firms plan 50% headcount increase for vulnerability response
- Cybersecurity teams already dedicate a significant proportion of their resources to patching. That number is set to rise:
- Organizations spend 321 hours a week on average – the equivalent of about eight full-time employees – managing the vulnerability response process.
- 64% of respondents say they plan to hire more dedicated resources for patching over the next 12 months.
- On average, the respondents surveyed plan to hire about four people dedicated to vulnerability response – an increase of 50% over today’s staffing levels.
- Hiring won’t solve the problem: teams struggle with broken processes
- Adding cybersecurity talent may not be possible. According to ISACA, a global non-profit IT advocacy group, the global shortage of cybersecurity professionals will reach 2 million by 2019. The study found that hiring won’t solve the vulnerability response challenges facing organizations:
- 55% say that they spend more time navigating manual processes than responding to vulnerabilities.
- Security teams lost an average of 12 days manually coordinating patching activities across teams.
- 65% say they find it difficult to prioritize what needs to be patched first.
- 61% say that manual processes put them at a disadvantage when patching vulnerabilities.
- 54% say that hackers are outpacing organizations with technologies such as machine learning and artificial intelligence.
- Cyberattack volume increased by 15% last year, and severity increased by 23%.
- Quickly detecting and patching vulnerabilities significantly reduces the breach risk
- Organizations that were breached struggle with vulnerability response processes compared to those organizations who weren’t:
- 48% of organizations have experienced a data breach in the last two years.
- A majority of breach victims (57%) said that they were breached because of a vulnerability for which a patch was already available.
- 34% were actually aware that they were vulnerable before they were breached.
- Organizations that avoided breaches rated themselves 41% higher on the ability to patch quickly than organizations that had been breached.
- 37% of breach victims surveyed said they don’t scan for vulnerabilities.
- Broken processes can be overcome
- Here are five key recommendations that provide organizations with a pragmatic roadmap to improve security posture:
- Take an unbiased inventory of vulnerability response capabilities.
- Accelerate time-to-benefit by tackling low-hanging fruit first.
- Regain time lost coordinating by breaking down data barriers between security and IT.
- Define and optimize end-to-end vulnerability response processes, and then automate as much as you can.
- Retain talent by focusing on culture and environment.
There’s no doubt that patching is an essential part of risk management, and with the number of tools out there to help automate the patching processes it’s surprising to see so many organizations still relying on manual processes. We write a lot about the importance of automating, and patching security vulnerabilities should be high up on the priority list of security processes to automate.