
Operational Security // News Analysis, Security Now
Scott Ferguson, 09:35 AM

More Security Hiring Doesn't Guarantee Better Patching: Study

A joint study from the Ponemon Institute and ServiceNow finds that hiring more security professionals doesn't guarantee better patching practices as cyberattacks are increasing. However, automation may hold the key.

When it comes to keeping up with cyberattacks, enterprises tend to hire more security professionals so they can keep pace with patching their systems before a vulnerability is exploited. However, more employees do not guarantee better security practices.

Instead, enterprises should invest in improving the overall patching process, including automating parts of it instead of relying solely on people, according to a report released earlier this month by Ponemon Institute and ServiceNow, which makes management tools for IT and HR departments.

The results, which are contained in the April 5 report, "Today's State of Vulnerability Response: Patch Work Demands Attention," are based on interviews with 3,000 security professionals in nine different countries.


One of the biggest reasons traditional patching practices don't work, according to the report, is the increasing frequency of cyberattacks, data breaches and personal data leaks against businesses of all sizes. Of those surveyed, about 48% claimed that their organization had a data breach within the last two years.

In addition, a majority -- 57% -- of those surveyed reported that a data breach took advantage of a vulnerability in a system where a patch was available but not applied.

To help overcome these challenges, most enterprises have turned to hiring more people. In fact, 50% of respondents planned to increase headcount to respond to vulnerabilities, and 64% told researchers that they plan to hire people as dedicated resources to help with patching over the next 12 months.

While those numbers are good for security pros looking for jobs, hiring alone doesn't improve enterprise security, according to the report. In fact, there are more open security positions than qualified people looking for work to fill them.

This backs up other reports about the talent gap in the global security market. (See Gartner Analysts See AI Augmenting Security.)

Instead, businesses should begin adding different layers of automation into their security practices, whether this comes in the form of machine learning, or some type of artificial intelligence to supplement manual processes, including patching.

"Most organizations (57%) are using manual processes to manage the vulnerability response process," Piero DePaoli, ServiceNow's senior director of Product Marketing, Security, wrote to Security Now.


DePaoli added that automation brings its own set of challenges, but once these technologies are in place, they can help organizations improve security:

Moving from spreadsheets and email to automation is the equivalent change of moving from crawling to running a marathon. Before moving to automating mundane tasks, an organization needs to first create and document an end-to-end process from when a vulnerability is discovered all the way to, not just patching the vulnerability, but confirming it is no longer present. Once the process is documented and working well, an organization can then look for opportunities to optimize portions of the process with automation.
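The workflow DePaoli describes, discovery through patching through confirmation, can be modelled as explicit states so that a finding is closed only on evidence from a rescan rather than on a ticket being marked done. The following Python is an added illustration written for this page; it is not code from the report, ServiceNow, or the author. All hosts, package names, versions and advisory ids (ADV-EXAMPLE-*) are constructed placeholders, and the version format is assumed to be dotted integers.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Stage(str, Enum):
    DISCOVERED = "discovered"            # vulnerability known, no vendor fix shipped yet
    PATCH_AVAILABLE = "patch_available"  # fix exists but is not applied on this host
    PATCHED = "patched"                  # operator reports the fix was applied
    VERIFIED = "verified"                # a fresh scan confirms the fix is present


@dataclass
class Finding:
    advisory: str
    host: str
    package: str
    installed: str
    fixed_in: Optional[str]
    stage: Stage
    history: list = field(default_factory=list)  # audit trail of every transition


def parse_version(text: str) -> tuple:
    """'2.4.10' -> (2, 4, 10); tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(installed: str, fixed_in: Optional[str]) -> bool:
    """No fix shipped means every install is affected; otherwise anything below the fix."""
    if fixed_in is None:
        return True
    return parse_version(installed) < parse_version(fixed_in)


def triage(inventory: dict, advisories: list) -> list:
    """Open one finding per (host, advisory) pair where the installed version is affected."""
    findings = []
    for host in sorted(inventory):
        for adv in advisories:
            installed = inventory[host].get(adv["package"])
            if installed is None or not is_vulnerable(installed, adv["fixed_in"]):
                continue
            stage = Stage.DISCOVERED if adv["fixed_in"] is None else Stage.PATCH_AVAILABLE
            findings.append(Finding(adv["id"], host, adv["package"], installed,
                                    adv["fixed_in"], stage, [f"opened as {stage.value}"]))
    return findings


def record_patch(finding: Finding, note: str) -> None:
    """The operator's claim; it does not close the finding by itself."""
    finding.stage = Stage.PATCHED
    finding.history.append(f"patched: {note}")


def verify(finding: Finding, rescanned_inventory: dict) -> Stage:
    """Close only on evidence: re-read the host's installed version after the patch.
    An absent package counts as removed; a still-affected version reopens the finding."""
    current = rescanned_inventory.get(finding.host, {}).get(finding.package)
    if current is None or not is_vulnerable(current, finding.fixed_in):
        finding.stage = Stage.VERIFIED
        finding.history.append(f"verified: {finding.package} now {current}")
    else:
        finding.stage = Stage.DISCOVERED if finding.fixed_in is None else Stage.PATCH_AVAILABLE
        finding.history.append(f"verification failed: {finding.package} still {current}")
    return finding.stage


def summarize(findings: list) -> dict:
    """Per-stage counts; the patch_available bucket is the 'fix existed, not applied' exposure."""
    counts = {stage.value: 0 for stage in Stage}
    for finding in findings:
        counts[finding.stage.value] += 1
    return counts


# Constructed sample data: hypothetical hosts, packages and advisory ids, not real CVEs.
INVENTORY = {
    "web-01": {"libfoo": "2.3.0", "libbar": "1.0.0"},
    "db-01": {"libfoo": "2.4.1"},
    "app-01": {"libfoo": "2.4.0", "libbaz": "0.9.0"},
}
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "libfoo", "fixed_in": "2.4.1"},
    {"id": "ADV-EXAMPLE-002", "package": "libbaz", "fixed_in": None},
    {"id": "ADV-EXAMPLE-003", "package": "libbar", "fixed_in": "1.0.2"},
]
RESCAN = {  # constructed state after the patch cycle; web-01's libbar patch did not take
    "web-01": {"libfoo": "2.4.1", "libbar": "1.0.0"},
    "db-01": {"libfoo": "2.4.1"},
    "app-01": {"libfoo": "2.4.2", "libbaz": "0.9.0"},
}


def run_cycle() -> list:
    """One end-to-end pass: triage, apply available patches, then verify by rescan."""
    findings = triage(INVENTORY, ADVISORIES)
    for finding in findings:
        if finding.stage is Stage.PATCH_AVAILABLE:
            record_patch(finding, "change ticket closed")
            verify(finding, RESCAN)
    return findings


if __name__ == "__main__":
    for finding in run_cycle():
        print(finding.host, finding.package, finding.stage.value, "|", "; ".join(finding.history))
    print(summarize(run_cycle()))
```

In the sample run, web-01's libbar finding is reopened because the rescan still shows the old version, which is exactly the case a spreadsheet-driven process tends to miss: the ticket said "patched", but the vulnerability is still present. The per-stage summary is the metric a team would automate first, since the patch_available count is the 57% exposure the report describes.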

The other benefit to automation is that once an algorithm is trained, it continues to work and take on new tasks. Even if a company could hire as many employees as it needs to handle security, it could take up to six months to train, and there's the possibility that the most talented will leave.

At the same time, automation opens up new opportunities for the current staff, and allows them to tackle more challenging tasks, which is what Red Bull has done. (See Red Bull Powers Security Strategy With AI, Automation.)

"The challenge organizations have here is that it often times takes six months to get a new hire up to speed, and then after six months of productivity, they leave for another cybersecurity job at a higher salary," DePaoli wrote. "This makes creating strong processes and leveraging automation even more important. An organization will be more likely to make new employees productive faster and less likely to leave because the work elsewhere will seem mundane and boring."


— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
