Research Uncovers Security’s Patching Paradox

Sixty-four percent plan to hire for vulnerability response over the next 12 months, yet more talent alone won’t solve the problem.

ServiceNow
Apr 11, 2018

SANTA CLARA, Calif. – ServiceNow, Inc. has released new research, β€œToday’s State of Vulnerability Response: Patch Work Demands Attention,” based on a survey conducted with the Ponemon Institute. The report uncovered security’s β€œpatching paradox” β€” hiring more people does not equal better security. While security teams plan to hire more staffing resources for vulnerability response β€” and may need to do so β€” they won’t improve their security posture if they don’t fix broken patching processes. Firms struggle with patching because they use manual processes and can’t prioritize what needs to be patched first. The study found that efficient vulnerability response processes are critical because timely patching is the most successful tactic companies employed in avoiding security breaches.

ServiceNow surveyed nearly 3,000 security professionals in nine countries to understand the effectiveness of their vulnerability response tools and processes. Vulnerability response is the process companies use to prioritize and remediate flaws in software that could serve as attack vectors.

β€œAdding more talent alone won’t address the core issue plaguing today’s security teams,” Convery said.  β€œAutomating routine processes and prioritizing vulnerabilities helps organizations avoid the β€˜patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”

Firms plan 50 percent headcount increase for vulnerability response

Cybersecurity teams already dedicate a significant proportion of their resources to patching. That number is set to rise:

  • Organizations spend 321 hours a week on average – the equivalent of about eight full-time employees – managing the vulnerability response process.
  • 64 percent of respondents say they plan to hire more dedicated resources for patching over the next 12 months.
  • On average, the respondents surveyed plan to hire about four people dedicated to vulnerability response – an increase of 50 percent over today’s staffing levels.

Hiring won’t solve the problem: teams struggle with broken processes

Adding cybersecurity talent may not be possible. According to ISACA, a global non-profit IT advocacy group, the global shortage of cybersecurity professionals will reach 2 million by 2019. The study found that hiring won’t solve the vulnerability response challenges facing organizations:

  • 55 percent say that they spend more time navigating manual processes than responding to vulnerabilities.
  • Security teams lost an average of 12 days manually coordinating patching activities across teams.
  • 65 percent say they find it difficult to prioritize what needs to be patched first.
  • 61 percent say that manual processes put them at a disadvantage when patching vulnerabilities.
  • 54 percent say that hackers are outpacing organizations with technologies such as machine learning and artificial intelligence.
  • Cyberattack volume increased by 15 percent last year, and severity increased by 23 percent.

β€œMost data breaches occur because of a failure to patch, yet many organizations struggle with the basic hygiene of patching,” said Sean Convery, vice president and general manager, ServiceNow Security and Risk.  β€œAttackers are armed with the most innovative technologies, and security teams will remain at a disadvantage if they don’t change their approach.”

Quickly detecting and patching vulnerabilities significantly reduces the breach risk

Organizations that were breached struggle with vulnerability response processes compared to those organizations who weren’t:

  • 48 percent of organizations have experienced a data breach in the last two years.
  • A majority of breach victims (57 percent) said that they were breached because of a vulnerability for which a patch was already available.
  • 34 percent were actually aware that they were vulnerable before they were breached.
  • Organizations that avoided breaches rated themselves 41 percent higher on the ability to patch quickly than organizations that had been breached.
  • 37 percent of breach victims surveyed said they don’t scan for vulnerabilities.

β€œIf you’re at sea taking on water, extra hands are helpful to bail,” Convery said. β€œThe study shows most organizations are looking for bailers and buckets instead of identifying the size and severity of the leak.”

Broken processes can be overcome

Here are five key recommendations that provide organizations with a pragmatic roadmap to improve security posture:

  • Take an unbiased inventory of vulnerability response capabilities. 
  • Accelerate time-to-benefit by tackling low-hanging fruit first.
  • Regain time lost coordinating by breaking down data barriers between security and IT.
  • Define and optimize end-to-end vulnerability response processes, and then automate as much as you can.
  • Retain talent by focusing on culture and environment.

Survey Methodology

ServiceNow commissioned the Ponemon Institute to survey nearly 3,000 IT security professionals. Respondents are based in Australia, France, Germany, Japan, the Netherlands, New Zealand, Singapore, the United Kingdom, and the United States, and represent organizations with more than 1,000 employees. The survey was administered online. Founded in 2002, the Ponemon Institute is a research center specializing in privacy, data protection, and information security policy.

Latest in Cybersecurity
Manufacturing Business Management
Sponsored
Manufacturing Business Management
May 1, 2024
Financial Cyber
Ransomware Report Shows Fewer Incidents, Future Concerns
May 3, 2024
Manufacturing Infrastructure Cyber
CISA Releases Latest ICS Advisories
May 3, 2024
Ep92tn
Security Breach: Predictions That Hit
May 2, 2024
Related Stories
Financial Cyber
Cybersecurity
Ransomware Report Shows Fewer Incidents, Future Concerns
Cybersecurity
Cybersecurity
ZAG Technical Services Announces New Cybersecurity Offering
I Stock 1251037786
Cybersecurity
What is Volt Typhoon?
Intuitive and Flexible Manufacturing ERP
Sponsor Content
Intuitive and Flexible Manufacturing ERP
More in Cybersecurity
All-In-One Manufacturing Management
Sponsored
All-In-One Manufacturing Management
Acumatica looks to offer new solutions.
May 1, 2024
Financial Cyber
Cybersecurity
Ransomware Report Shows Fewer Incidents, Future Concerns
The fear is that larger RaaS groups are exercising greater control over their affiliates.
May 3, 2024
Manufacturing Infrastructure Cyber
Cybersecurity
CISA Releases Latest ICS Advisories
Cisco, Siemens, Honeywell and Mitsubishi systems top the list.
May 3, 2024
Ep92tn
Video
Security Breach: Predictions That Hit
A look back at Security Breach guest's most accurate and timely industrial cybersecurity predictions.
May 2, 2024
Ransomware
Cybersecurity
Report Identifies Hidden Costs, Challenges of Ransomware
Too many are paying, and the reasons range from understandable to infuriating.
April 25, 2024
Ep90
Video
Security Breach: DMZs, Alarm Floods and Prepping for 'What If?'
The new factors impacting a growing attack surface, and how to evolve your cyber risk strategies.
April 25, 2024
Fleet Of Fed Ex Delivery Trucks In A Parking Lot 483290419 4500x3000 (1)
Cybersecurity
Transportation and Logistics Under Siege
A look at how this vital and increasingly targeted market sector is responding to more cyberattacks.
April 24, 2024
Industrial Cyber
Cybersecurity
5G, AI and More Are Changing OT - Why Zero Trust Could Be the Solution
Maximizing technology investments while maintaining security.
April 24, 2024
Manufacturing Infrastructure Cyber
Cybersecurity
Avoiding Shutdowns from Ransomware Attacks
A strategic approach for protecting OT networks.
April 24, 2024
IEC 62443 is a key standard to reduce risk of cyberattacks in industrial workplaces.
Cybersecurity
How to Build a More Secure Connected World with IEC 62443
The goal is better efficiency, improved sustainability and interoperability, enhanced reliability and greater cost-effectiveness for system integrators, product suppliers and other stakeholders.
April 24, 2024
Coding
Cybersecurity
CISA Releases 7 ICS Advisories
Unitronics, Rockwell and Mitsubishi head the list.
April 19, 2024
Financial Cyber
Cybersecurity
Alarming Trends Reinforced in Ransomware Attack of Semiconductor Mfr.
Experts assess the fallout from the Dark Angel attack on Nexperia.
April 19, 2024
Industrial Cyber
Cybersecurity
Hexagon, Dragos Announce Partnership
The team-up looks to "revolutionize OT cybersecurity."
April 18, 2024
Ransomware
Cybersecurity
Report Shows Updated Ransomware Concerns
Hackers are elevating the complexity of their attacks - making them harder to detect.
April 18, 2024
Cybersecurity In A Bubble
Cybersecurity
Responding to Emerging Risks and Attack Vectors
Insight on key hacker strategies, response plans and creating a culture that embraces cybersecurity.
April 18, 2024