ServiceNow Research Uncovers Security’s Patching Paradox
64% plan to hire for vulnerability response over the next 12 months, yet more talent alone won’t solve the problem
“Adding more talent alone won’t address the core issue plaguing today’s security teams,” said
Firms plan to invest in additional staff for vulnerability response
Security teams already dedicate a significant proportion of their resources to patching. That number is set to rise:
- Organizations spend 321 hours a week on average – the equivalent of about eight full-time employees – managing the vulnerability response process.
- 64% of respondents say they plan to hire more dedicated resources for patching over the next 12 months.
- On average, the respondents surveyed plan to hire about four people dedicated to vulnerability response – an increase of 50% over today’s staffing levels.
Hiring won’t solve the problem: teams struggle with broken processes
Adding cybersecurity talent may not be possible. According to ISACA, a global non-profit IT advocacy group, the global shortage of cybersecurity professionals will reach 2 million by 2019. The study found that hiring won’t solve the vulnerability response challenges facing organizations:
- 55% say that they spend more time navigating manual processes than responding to vulnerabilities.
- Security teams lost an average of 12 days manually coordinating patching activities across teams.
- 65% say they find it difficult to prioritize what needs to be patched first.
- 61% say that manual processes put them at a disadvantage when patching vulnerabilities.
- 54% say that hackers are outpacing organizations with technologies such as machine learning and artificial intelligence.
- Cyberattack volume increased by 15% last year, and severity increased by 23%.
“Most data breaches occur because of a failure to patch, yet many organizations struggle with the basic hygiene of patching,” Convery said. “Attackers are armed with the most innovative technologies, and security teams will remain at a disadvantage if they don’t change their approach.”
Quickly detecting and patching vulnerabilities significantly reduces breach risk
Organizations that were breached struggle with vulnerability response processes compared with those organizations that weren’t breached:
- 48% of organizations have experienced a data breach in the last two years.
- A majority of breach victims (57%) said that they were breached because of a vulnerability for which a patch was already available.
- 34% were actually aware that they were vulnerable before they were breached.
- Organizations that avoided breaches rated themselves 41% higher on the ability to patch quickly than organizations that had been breached.
- 37% of breach victims said they don’t scan for vulnerabilities.
“If you’re at sea taking on water, extra hands are helpful to bail,” Convery said. “The study shows most organizations are looking for bailers and buckets instead of identifying the size and severity of the leak.”
Broken processes can be overcome
Here are five key recommendations that provide organizations with a pragmatic roadmap to improve security posture:
- Take an unbiased inventory of vulnerability response capabilities.
- Accelerate time-to-benefit by tackling low-hanging fruit first.
- Regain time lost coordinating by breaking down data barriers between security and IT.
- Define and optimize end-to-end vulnerability response processes, and then automate as much as you can.
- Retain talent by focusing on culture and environment.
- Report: Today’s State of Vulnerability Response, Patch Work Demands Attention
- Blog: Survey: Hiring more talent alone won’t solve security’s woes
- Slideshare: Today’s State of Vulnerability Response, Patch Work Demands Attention
ServiceNow commissioned the
Sara Day, +1-650-336-3123