More Security Hiring Doesn't Guarantee Better Patching – Study

When it comes to keeping up with cyberattacks, enterprises tend to hire more security professionals to keep up with the rapid pace of patching their systems to avoid a vulnerability. However, more employees does not guarantee better security practices.

Instead, enterprises should invest in improving the overall patching process, including automating parts of it instead of relying solely on people, according to a report released earlier this month by Ponemon Institute and ServiceNow, which makes management tools for IT and HR departments.

The results, which are contained in the April 5 report, "Today's State of Vulnerability Response: Patch Work Demands Attention," are based on interviews with 3,000 security professionals in nine different countries.

(Source: Flickr)

One of the biggest reasons traditional patching practices don't work, according to the report, is the increasing frequency of cyberattacks, data breaches and personal data leaks against businesses of all sizes. Of those surveyed, about 48% claimed that their organization had a data breach within the last two years.

In addition, a majority -- 57% -- of those surveyed reported that a data breach took advantage of a vulnerability in a system where a patch was available but not applied.

To help overcome these challenges, most enterprises have turned to hiring more people. In fact, 50% of respondents planned to increase headcount to respond to vulnerability, and 64% told researchers that they plan to hire people as dedicated resources to help with patching over the next 12 months.

While those numbers are good for those security pros looking for jobs, it actually doesn't help the enterprises with security, according to the report. In fact, there are more open security positions than qualified people looking for work to fill them.

This actually backs-up other reports about the talent gap in the global security market. (See Gartner Analysts See AI Augmenting Security.)

Instead, businesses should begin adding different layers of automation into their security practices, whether this comes in the form of machine learning, or some type of artificial intelligence to supplement manual processes, including patching.

"Most organizations (57%) are using manual processes to manage the vulnerability response process," Piero DePaoli, ServiceNow's senior director of Product Marketing, Security, wrote to Security Now.

The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth-annual Big Communications Event. There's still time to register and communications service providers get in free!

DePaoli added that automation brings its own set of challenges, but once these technologies are in place, it can help organizations improve security:

"Moving from spreadsheets and email to automation is the equivalent change of movement from crawling to running a marathon. Before moving to automating mundane tasks, an organization needs to first create and document end-to-end process from when a vulnerability is discovered all the way to, not just patching the vulnerability, but confirming it is no longer present. Once the process is documented and working well, an organization can then look for opportunities to optimize portions of the process with automation."

The other benefit to automation is that once an algorithm is trained, it continues to work and take on new tasks. Even if a company could hire as many employees as it needs to handle security, it could take up to six months to train, and there's the possibility that the most talented will leave.

At the same time, automation opens up new opportunities for the current staff, and allows them to tackle more challenging tasks, which is what Red Bull has done. (See Red Bull Powers Security Strategy With AI, Automation.)

"The challenge organizations have here is that it often times takes six months to get a new hire up to speed, and then after six months of productivity, they leave for another cybersecurity job at a higher salary," DePaoli wrote. "This makes creating strong processes and leveraging automation even more important. An organization will be more likely to make new employees productive faster and less likely to leave because the work elsewhere will seem mundane and boring."

Related posts:

— Scott Ferguson, is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.