Organizations took an average of 12 days longer to patch flaws in 2019 than last year, a new report on security vulnerability and patch management said.
This comes despite a noticeable increase in cybersecurity spending in 2019 on breach prevention, detection and remediation, according to ServiceNow’s report, entitled Today’s State of Vulnerability Response: Patch Work Requires Attention, which surveyed 3,000 security pros in nine countries. The study’s goal is to show organizations how to reduce the time it takes to respond to vulnerabilities.
ServiceNow: Patch Management Research Findings
Why the delay in vulnerability and patch management? Data silos and poor organizational coordination impede timely and effective patching. The answer: Enterprises need to prioritize more effective and efficient security vulnerability fixes.
Compounding the problem, the security landscape is getting worse, said ServiceNow, a Santa Clara, CA-based digital workflow specialist. According to the study’s findings, cyber attacks increased by 17 percent from 2018, with 60 percent of breaches linked to a vulnerability for which a patch was available but not applied. On average, it takes 16 days to patch a critical vulnerability after it has been detected, underscoring the need for faster, more targeted responses aimed at critical patches and likely breach targets, the company said.
In the research, ServiceNow compared 2019’s findings to last year’s data.
Here are some key data from the survey:
On costs, downtime, staffing:
On increasing cyber attacks:
On patching effectiveness:
On automation:
On ServiceNow’s conclusions:
“Companies saw a 30 percent increase in downtime due to patching of vulnerabilities, which hurts customers, employees and brands,” said Sean Convery, ServiceNow's security and risk general manager. He called the study a “wakeup call” for chief information officers and chief information security officers. “Many organizations have the motivation to address this challenge but struggle to effectively leverage their resources for more impactful vulnerability management,” Convery said. “Teams that invest in automation and maturing their IT and security team interactions will strengthen the security posture across their organizations.”