Four tips for avoiding the “patching paradox” by improving your security strategy

null

Imagine you’re on a boat at sea and it springs a leak. Everyone on the boat starts bailing frantically – but this will undoubtedly only keep you afloat for a short time. How can you save your boat and your crew from drowning?

A better approach would be to identify the cause, size and severity of the leak. Then you need to fix it. Ideally, to prevent future leaks, this would be in a way that can be repeated and quickly, just in case another one occurs.

But, unfortunately, in the case of cybersecurity, this is not how organisations are developing strategies. Instead they are focused on finding more pairs of hands to help ‘bail’, rather than assess the situation and revise processes.

This has to change, especially considering the global shortage of qualified cyber security professionals, which impacts both recruitment and retention.

Yet, a recent report from the Ponemon Institute, Today’s state of vulnerability response, reveals that: 

  • 67 per cent of UK security professionals plan to hire for vulnerability response over the next 12 months
  • UK organisations spend 319 hours a week on average managing the vulnerability response process, losing 12 days by manually coordinating patching activities
  • 59 per cent of UK breach victims said that they were breached because of a vulnerability for which a patch was already available
  • 37 per cent of breach victims said they don’t scan for vulnerabilities
  • 34 per cent of UK security professionals were actually aware that they were vulnerable before they were breached

These insights highlight the key issue with the ‘keep bailing’ approach. Hiring more people does not equal better security. Instead, it creates what the Ponemon Institute refers to as a ‘patching paradox’.  

Most data breaches occur because of a failure to patch. Attackers are armed with the most innovative technologies, and security teams will remain at a disadvantage if they don’t change their security strategy. Automating routine processes and prioritising vulnerabilities will help organisations avoid this ‘patching paradox’, instead focusing their people on critical work to dramatically reduce the likelihood of a breach.

Organisations have a massive opportunity to move from a ‘keep bailing’ approach to a more efficient, cost-effective approach to preventing and resolving security issues. This includes paying attention to basic hygiene items, breaking down siloes between tools, creating structured workflows and automating these as much as possible.

The following four tips are fundamental in addressing the roots of the problem and improving end-to-end vulnerability response processes:

Get that low-hanging fruit

If you’re not scanning vulnerabilities already, then the first thing you should do is implement a tool that provides internal, external and authentication scans. This will increase time-to-benefit by doing the job of initially identifying any weaknesses on devices, the web and your networks.

Take an unbiased inventory of vulnerability response capabilities

Identify your organisation’s pain points. Ask yourself questions such as; are there challenges in cross-department coordination? Is there shared visibility across applications and company assets? Can I track the vulnerability lifecycle?

Doing so will enable you to evaluate existing risk. I recommend applying a score across each of the areas so that change is measurable, and you have a platform from which to improve. This will also give you a foundation to ensure you meet the increasingly strict obligations to protect customer data and notify them and the government of breaches that impact them.

Breakdown the barriers between security and IT

Thirdly, organisations should create a common view of IT configuration and vulnerability data, ideally combining them in a single platform or dashboard for the ultimate situational awareness. Once adopted, this paves the way for more advanced capabilities, such as prioritising based on business systems impacted and routing of vulnerabilities to the correct IT system owners for resolution or patching.

Automating these processes can reduce the time and resources required for such tasks and enables teams to view the entire company security posture and greatly improve it. This should also decrease the cost of detecting and preventing threats.

At the same time, it also enables repeatable vulnerability response processes, which increases accuracy and consequently reduces risk and duplication of work – driving more efficiencies.

Retain talent with a focus on workplace culture

Creating optimised processes, reducing mundane work and averting internal barriers, transitions your organisation from bailing frantically to speeding serenely across calm waters to a successful future. This results in your teams experiencing increased job satisfaction.

Consequently, security professionals leave work feeling accomplished, leading to reduced employee turnover, which can lower costs even further. This is essential as job site Indeed reports that demand for cybersecurity talent far outstrips interest, with just 3.16 clicks for every ten cybersecurity jobs posted in the UK – meaning that many postings get no views at all and organisations will find it extremely difficult to secure the resources they need.

The importance of acting now

In a world where hackers are becoming faster and armed with new threats every day, cyberattacks are only going to increase in volume, speed, and effectiveness. Couple this with the fact that the ISACA reports the global shortage of cybersecurity professionals will reach two million by 2019 and that a breach of as little as 10,000 records, can result in costs around $2.8 million – the business impacts can be gigantic.

Firms struggle with patching because they use manual processes and can’t prioritise what needs to be patched first, yet timely patching is one of the most successful tactics companies can deploy to avoid security breaches. This basic hygiene security measure can be easily rectified, and other best practice processes established alongside it. Effective vulnerability response is a critical weapon in the cybersecurity arsenal.

High-performing security teams consistently outperform because they detect vulnerabilities quickly and patch them in a timely manner. To emulate the success of such organisations, security teams need to create the same core competencies.

This is not insurmountable as long as you stop looking for bailers and buckets and implement tools to help security teams. As well as identifying the size and severity of the leak, automating routine processes will give security teams the opportunity to transform repetitive tasks and prioritise vulnerabilities. In turn, this helps them to avoid the ‘patching paradox’ and reduces the risk of a breach and offer a more secure future.

Greg White, Director of Security Operations, ServiceNow
Image Credit: Den Rise / Shutterstock