Firms struggle with patching because they use manual processes and can’t prioritise what needs to be patched first. The study found that efficient vulnerability response processes are critical because timely patching is the most successful tactic companies employ to avoid security breaches.
ServiceNow surveyed nearly 3,000 security professionals in nine countries to understand the effectiveness of their vulnerability response tools and processes. Vulnerability response is the process companies use to prioritise and remediate flaws in software that could serve as attack vectors.
“Adding more talent alone won’t address the core issue plaguing today’s security teams,” said Jason Sutton, Vice President, UK and Ireland at ServiceNow. “Automating routine processes and prioritising vulnerabilities will help organisations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”
Firms plan to invest in additional staff for vulnerability response
Security teams already dedicate a significant proportion of their resources to patching. That number is set to rise:
Hiring won’t solve the problem: teams struggle with broken processes
Adding cybersecurity talent may not be possible. According to ISACA, a global non-profit IT advocacy group, the global shortage of cybersecurity professionals will reach 2 million by 2019. The study found that hiring won’t solve the vulnerability response challenges facing organisations:
“Most data breaches occur because of a failure to patch, yet many organisations struggle with the basic hygiene of patching,” Sutton said. “Attackers are armed with the most innovative technologies, and security teams will remain at a disadvantage if they don’t change their approach.”
Quickly detecting and patching vulnerabilities significantly reduces breach risk
Organisations that were breached struggle more with vulnerability response processes than organisations that weren’t breached:
“If you’re at sea taking on water, extra hands are helpful to bail,” Sutton said. “The study shows most organisations are looking for bailers and buckets instead of identifying the size and severity of the leak.”