[BreachExchange] Why the answer to IT security woes isn't just hiring more talent

Destry Winant destry at riskbasedsecurity.com
Wed May 16 17:41:33 EDT 2018


Major data breaches continue to be headline news, but the
well-publicised incidents are only the tip of the iceberg. A
significant number of organisations are still failing to protect
themselves from threats, with new ServiceNow-commissioned
research carried out with 3,000 IT security professionals finding that
48 percent of businesses have experienced a data breach in the last
two years.

Worryingly, it's not the increased sophistication of hackers or their
methods that are leaving organisations open to attack. Of the
organisations that suffer a data breach, more than half (57 percent)
did so because of a vulnerability for which a patch was already
available. In fact, 34 percent were actually aware that they were
vulnerable before being successfully targeted.

Timely patching is a highly effective way to avoid a security breach,
so why are so many organisations failing in this process?

The patching paradox

Quite simply, firms struggle with patching because they use manual
processes and they can't prioritise what needs to be patched first.
The majority (64 percent) plan to hire in the next 12 months to
improve their vulnerability response, yet cyber-security teams already
spend an average of 321 hours a week managing the vulnerability
response process — the equivalent of about eight full-time employees.

The result is a “patching paradox”, where hiring more talent does not
mean better security. Our research shows that security professionals
plan to hire an extra four people dedicated to vulnerability response
– an increase of 50 percent over today's staffing levels.

Yet no amount of additional talent or resource will improve their
security posture if they don't fix their underlying broken patching

Why broken processes hurt

Existing security teams are under immense pressure and in a constant
battle to mitigate the continually growing number of threats from

The ServiceNow study found that security teams lost an average of 11
days manually coordinating patching activities across teams — and
that's just one task. Two-thirds of security professionals also say
they find it difficult to prioritise what needs to be patched first
and 61 percent agree that manual processes put them at a disadvantage
when patching vulnerabilities.

All this amounts to over half (55 percent) of security teams spending
more time navigating manual processes than focusing on fixing the
vulnerabilities of their organisation.

The result is an extensive vulnerability backlog, with little insight
into the tasks that should be dealt with first and by whom. With only 61
percent of vulnerabilities fixed within a month, the rest are likely
to be delayed, deferred, or never fixed at all.

Critical systems are left open to potential attackers and this puts
many organisations in the position of accumulating security debt as
time goes on, when resource could be much better applied.
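The backlog problem described above is, at its core, a missing ranking and a missing owner for each item. As an added illustration (not code from the article, ServiceNow or Forrester), the script below scores a constructed backlog of findings using a few of the factors the article itself singles out: a patch already being available, the asset's exposure, whether the flaw is known to be exploited, and how long the item has been open against a one-month target. The weights, the asset names, the placeholder vulnerability ids and the owner routing table are all assumptions chosen for the demonstration.

```python
from dataclasses import dataclass
from typing import List

SLA_DAYS = 30  # "fixed within a month" in the article; treated here as the assumed target


@dataclass
class Finding:
    vuln_id: str            # placeholder ids, not real CVE numbers
    asset: str
    cvss: float             # base severity 0-10
    patch_available: bool   # a fix exists but has not been applied
    exploited_in_wild: bool
    internet_exposed: bool
    days_open: int
    owner: str = "unassigned"


# Constructed sample backlog (hypothetical assets and ids).
BACKLOG = [
    Finding("VULN-0001", "web-edge-01", 7.5, True, True, True, 45),
    Finding("VULN-0002", "db-internal-03", 9.8, False, False, False, 10),
    Finding("VULN-0003", "hr-app-02", 6.1, True, False, False, 3),
    Finding("VULN-0004", "vpn-gw-01", 8.8, True, False, True, 20),
    Finding("VULN-0005", "build-runner-07", 5.3, True, False, False, 60),
]

# Assumed routing table: asset-name prefix -> team that owns remediation.
OWNERS = {"web": "platform-team", "vpn": "network-team", "db": "dba-team",
          "hr": "app-team", "build": "ci-team"}


def risk_score(f: Finding) -> float:
    """Severity, multiplied up for exposure, active exploitation and an
    already-available patch (the article's 57-percent case: the fix exists,
    only the rollout is missing), plus a small age term so old items do not
    sink forever. Weights are illustrative assumptions."""
    score = f.cvss
    if f.internet_exposed:
        score *= 1.5
    if f.exploited_in_wild:
        score *= 2.0
    if f.patch_available:
        score *= 1.25
    # Age pressure: up to +2.0 once an item is two SLA periods old.
    score += min(f.days_open, SLA_DAYS * 2) / SLA_DAYS
    return score


def assign_owner(f: Finding) -> str:
    """Route each finding to a team by asset prefix so nothing stays ownerless."""
    prefix = f.asset.split("-")[0]
    return OWNERS.get(prefix, "unassigned")


def prioritise(backlog: List[Finding]) -> List[Finding]:
    """Return the backlog highest-risk first, with owners filled in."""
    for f in backlog:
        if f.owner == "unassigned":
            f.owner = assign_owner(f)
    return sorted(backlog, key=risk_score, reverse=True)


def overdue(backlog: List[Finding], sla_days: int = SLA_DAYS) -> List[str]:
    """Ids of findings that have already blown the one-month target."""
    return [f.vuln_id for f in backlog if f.days_open > sla_days]


def actionable_now(backlog: List[Finding]) -> List[str]:
    """Ids that need no vendor wait: the patch is already in hand."""
    return [f.vuln_id for f in backlog if f.patch_available]


if __name__ == "__main__":
    for f in prioritise(BACKLOG):
        print(f"{f.vuln_id}  score={risk_score(f):5.2f}  owner={f.owner:14s}  "
              f"asset={f.asset}  open={f.days_open}d")
    print("overdue:", overdue(BACKLOG))
    print("patch in hand:", actionable_now(BACKLOG))
```

Note what the ranking does with the sample data: the highest-CVSS item (VULN-0002, no patch yet, internal only) drops below a lower-CVSS item on an exposed host with a patch already available, which is exactly the class of flaw the article says accounts for most breaches. The `overdue` list is the "not fixed within a month" residue that a manual process tends to lose track of.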

Automation is the answer

The time to act is now. Breach rates are already extraordinarily high,
with the volume increasing by 15 percent since last year and the
severity by 23 percent. Emerging AI-fuelled threats are only set to
increase the volume, speed and effectiveness of cyber-attacks even

Organisations can't rely solely on hiring, amidst a talent shortage, to
get the work done while keeping the manual processes they use today.
By automating routine processes and vulnerability prioritisation,
organisations avoid the “patching paradox” and can instead focus their
existing team on the critical work that will dramatically reduce the
likelihood of a breach.

In fact, one “dawning trend” identified in Forrester's Top 10
Technology Trends To Watch: 2018 to 2020 is that automated security
intelligence and breach response will liberate security and risk
teams. Security teams will be unshackled from repetitive manual tasks,
enabling them to concentrate on new threats and the most impactful
incidents.

To many organisations the security landscape seems dangerous and
complex, but the good news is that changing the fundamentals of your
security operations is not impossible. By automating routine processes
and taking care of basic hygiene, security teams can significantly
reduce the risk of a breach and improve security response, while
freeing up their time.

With a pragmatic roadmap, these results are within reach of any
organisation, offering a clear outlook for a more secure future.
