Rather than focusing first on recruiting and hiring more security professionals, businesses should focus first on their patch management processes and the resources behind them, according to research findings from ServiceNow and the Ponemon Institute.
Indeed, a "patching paradox" plagues many companies, which is reflected in the survey of nearly 3,000 security professionals.
Key findings from the ServiceNow-Ponemon "Today's State of Vulnerability Response: Patch Work Demands Attention" survey included:
- 65 percent of respondents noted it is difficult to prioritize what needs to be patched first.
- 61 percent said manual processes put them at a disadvantage when patching vulnerabilities.
- 53 percent stated that the time window for patching – the time between a patch's release and attackers exploiting the flaw – has shrunk by an average of 29 percent over the last two years.
- 34 percent said they use both severity and types of business systems affected to prioritize vulnerabilities.
In addition, respondents reported an average of 12.1 days lost coordinating across security and IT teams for every vulnerability they patch, ServiceNow pointed out. Respondents cited the following reasons for this problem:
- No common view of assets and applications across security and IT teams (73 percent).
- No easy way to track whether vulnerabilities are patched in a timely manner (62 percent).
- Letting things slip through the cracks because emails and spreadsheets are used to manage the patching process (57 percent).
Respondents also said their companies commit 321 hours a week on average – or approximately eight full-time employees – to manage the vulnerability response process, ServiceNow indicated. Meanwhile, 64 percent of respondents stated they plan to hire additional dedicated resources for vulnerability response over the next 12 months.
How to Address the Patching Paradox
ServiceNow offered the following recommendations to help organizations quickly resolve security incidents and vulnerabilities:
- Analyze your vulnerability response capabilities. Assess vulnerability detection and patching capabilities to identify vulnerability response issues.
- Tackle low-hanging fruit first. Fix the easiest vulnerability response problems first, then build out a comprehensive vulnerability response strategy over time.
- Eliminate barriers between security and IT teams. Combine vulnerability and IT configuration data into a single platform to drive collaboration between security and IT teams.
- Create end-to-end vulnerability response processes. Develop vulnerability response processes and ensure that security and IT teams have a shared view of these processes.
- Retain security talent. Remove internal barriers, optimize day-to-day processes and automate mundane work; by doing so, an organization can create a positive environment for security teams, increase employee satisfaction and boost the likelihood of retaining top security talent.
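The two concrete practices the survey points at are prioritizing by both severity and the business system affected (only 34 percent do) and being able to tell whether a vulnerability was patched within its window. The script below is an added illustration of what that looks like once scanner findings and the asset inventory sit in one view; it is not ServiceNow's or Ponemon's code. The asset records, findings, the `business_tier` field, the tier weights and the per-tier patch windows are all constructed or assumed for the example.

```python
"""Prioritise vulnerability findings by severity AND the business system hit,
and flag findings that have run past their patch window.

Added example for this article, not ServiceNow/Ponemon code. All data and
policy values below are constructed or assumed."""
from datetime import date, timedelta

# Constructed asset inventory: the shared view of assets that 73 percent of
# respondents said they lack. "business_tier" is an assumed field
# (1 = revenue-critical, 3 = low impact).
ASSETS = {
    "web-01":   {"business_system": "customer portal", "business_tier": 1},
    "erp-db":   {"business_system": "ERP",             "business_tier": 1},
    "build-07": {"business_system": "CI runners",      "business_tier": 2},
    "kiosk-3":  {"business_system": "lobby kiosk",     "business_tier": 3},
}

# Constructed scanner findings: CVSS base score, patch release date and the
# date the patch was applied (None = still open).
FINDINGS = [
    {"id": "F-1", "host": "web-01",    "cvss": 9.8, "released": date(2018, 3, 1),  "patched": None},
    {"id": "F-2", "host": "kiosk-3",   "cvss": 9.8, "released": date(2018, 3, 1),  "patched": None},
    {"id": "F-3", "host": "erp-db",    "cvss": 5.3, "released": date(2018, 2, 1),  "patched": None},
    {"id": "F-4", "host": "build-07",  "cvss": 7.5, "released": date(2018, 3, 10), "patched": date(2018, 3, 12)},
    {"id": "F-5", "host": "unknown-9", "cvss": 8.0, "released": date(2018, 3, 1),  "patched": None},
]

# Assumed policy: how much each tier amplifies severity, and how many days a
# tier is allowed between patch release and deployment.
TIER_WEIGHT = {1: 3.0, 2: 2.0, 3: 1.0}
PATCH_WINDOW_DAYS = {1: 7, 2: 14, 3: 30}
WORST_CASE_TIER = 1          # hosts missing from the inventory are treated as critical
TODAY = date(2018, 3, 15)    # fixed "now" so the example is reproducible


def prioritize(findings, assets, today):
    """Return open findings ordered by severity x business impact, each with
    its patch deadline and an overdue flag derived from the asset's tier."""
    rows = []
    for f in findings:
        if f["patched"] is not None:
            continue  # closed; counted by coverage_report()
        asset = assets.get(f["host"])
        # A host the scanner sees but the inventory does not is exactly the
        # "no common view" gap; rank it as critical until it is reconciled.
        tier = asset["business_tier"] if asset else WORST_CASE_TIER
        deadline = f["released"] + timedelta(days=PATCH_WINDOW_DAYS[tier])
        rows.append({
            "id": f["id"],
            "host": f["host"],
            "business_system": asset["business_system"] if asset else "UNKNOWN",
            "score": round(f["cvss"] * TIER_WEIGHT[tier], 1),
            "deadline": deadline,
            "overdue": today > deadline,
            "unknown_asset": asset is None,
        })
    # Highest score first; the earlier deadline breaks ties.
    rows.sort(key=lambda r: (-r["score"], r["deadline"]))
    return rows


def coverage_report(findings, assets, today):
    """Summarise patch-window compliance: patched, open and overdue findings,
    plus hosts that need reconciling between scanner and inventory."""
    open_rows = prioritize(findings, assets, today)
    return {
        "patched": sorted(f["id"] for f in findings if f["patched"] is not None),
        "open": [r["id"] for r in open_rows],
        "overdue": [r["id"] for r in open_rows if r["overdue"]],
        "unknown_assets": sorted({r["host"] for r in open_rows if r["unknown_asset"]}),
    }


if __name__ == "__main__":
    for r in prioritize(FINDINGS, ASSETS, TODAY):
        state = "OVERDUE" if r["overdue"] else "on track"
        print(f'{r["id"]:4} {r["host"]:10} {r["business_system"]:16} '
              f'score={r["score"]:5} due={r["deadline"]} {state}')
    print(coverage_report(FINDINGS, ASSETS, TODAY))
```

Note what the join changes: two findings carry the same 9.8 CVSS score, but the one on the customer portal (tier 1) ranks first and is already overdue, while the identical flaw on a lobby kiosk (tier 3) drops to the bottom and is still inside its window. A severity-only queue would have put them side by side. The host that is absent from the inventory surfaces as an explicit reconciliation item rather than silently inheriting a default priority.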
Manual vulnerability response processes, siloed tools and data, and similar obstacles often make it hard for a security team to streamline patch management, ServiceNow stated. Automating vulnerability response tasks, however, can help a security team patch faster and reduce the risk of a breach.