Adding more security team staffers for vulnerability response won’t improve an enterprise’s posture if they don’t fix broken patching processes first, according to a ServiceNow report.

  • 48% of companies have experienced at least one data breach in the past two years. — ServiceNow and Ponemon Institute, 2018
  • 64% of respondents say that they plan to hire additional dedicated resources for vulnerability response over the next year. — ServiceNow and Ponemon Institute, 2018

Nearly half of enterprises experienced at least one data breach in the past two years, according to a Thursday report from ServiceNow and the Ponemon Institute. As cyber threats grow in number and sophistication, many companies are looking to high-demand cybersecurity professionals to protect their data. However, enterprises fail to consider that hiring more people does not necessarily lead to better cybersecurity, the report noted.

The report examined the “patching paradox”—the idea that security teams that hire more staff for vulnerability response won’t improve their security posture if they don’t fix broken patching processes first.

Cybersecurity teams dedicate a large amount of time and resources to patching, the report found. In a survey of 3,000 enterprise cybersecurity professionals, the average cybersecurity headcount is 28 people. Companies spend an average of 321 hours per week managing the vulnerability response process—the equivalent of eight full-time employees, or 29% of security resources. And this number is only expected to rise as threats grow more intense, the report noted.

Due to this need, 64% of respondents said that they plan to hire additional dedicated resources for vulnerability response over the next year. The average number of people they plan to hire is four, the report found.

But with the global shortage of cybersecurity professionals set to reach 2 million by 2019, organizations will find it increasingly difficult to find the talent they need. As a result, more companies may look to automate security processes, the report noted.

The report included five recommendations for organizations to help build a roadmap to improved security practices:

1. Take an unbiased inventory of vulnerability response capabilities. Assess how your company detects vulnerabilities and how quickly it patches them.

2. Accelerate time-to-benefit by tackling low-hanging fruit first. Start with basic hygiene items that can be addressed quickly, such as scanning for vulnerabilities.

3. Break down data barriers between security and IT. Create a common view combining vulnerability and IT configuration data.

4. Define end-to-end vulnerability response processes, and then automate as much as possible.

5. Retain talent by focusing on culture and environment.

Source: Tech Republic

5th April 2018