ServiceNow Research Uncovers Security’s Patching Paradox

Philip van der Wilt, General Manager and Vice President Sales EMEA, ServiceNow
Philip van der Wilt, General Manager and Vice President Sales EMEA, ServiceNow
7 years ago

ServiceNow has released new research, “Today’s State of Vulnerability Response: Patch Work Demands Attention,” based on a survey conducted with the Ponemon Institute. The report uncovered security’s “patching paradox” – hiring more people does not equal better security. While security teams plan to hire more staffing resources for vulnerability response – and may need to do so – they won’t improve their security posture if they don’t fix broken patching processes.

Firms struggle with patching because they use manual processes and can’t prioritise what needs to be patched first. The study found that efficient vulnerability response processes are critical because timely patching is the most successful tactic companies employed in avoiding security breaches.

ServiceNow surveyed nearly 3,000 security professionals to understand the effectiveness of their vulnerability response tools and processes. Vulnerability response is the process companies use to prioritise and remediate flaws in software that could serve as attack vectors.

“Adding more talent alone won’t address the core issue plaguing today’s security teams,” said

Philip van der Wilt, General Manager and Vice President Sales EMEA, ServiceNow. “Automating routine processes and prioritising vulnerabilities will help organisations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”

Cybersecurity teams already dedicate a significant proportion of their resources to patching. That number is set to rise:

  • EMEA organisations spend 319 hours a week on average – the equivalent of about eight full-time employees – managing the vulnerability response process.
  • 63% of EMEA respondents say they plan to hire more dedicated resources for patching over the next 12 months.
  • On average, the EMEA respondents surveyed plan to hire about 3.8 people dedicated to vulnerability response – an increase of 48% over today’s staffing levels.

Adding cybersecurity talent may not be possible. According to ISACA, a global non-profit IT advocacy group, the global shortage of cybersecurity professionals will reach 2 million by 2019. The study found that hiring won’t solve the vulnerability response challenges facing EMEA organisations, with the results of the respondents based in EMEA revealing that:

  • 53% say that they spend more time navigating manual processes than responding to vulnerabilities.
  • EMEA security teams lost an average of 11.5 days manually coordinating patching activities across teams.
  • 65% say they find it difficult to prioritise what needs to be patched first.
  • 62% say that manual processes put them at a disadvantage when patching vulnerabilities.
  • 56% say that hackers are outpacing organisations with technologies such as machine learning and artificial intelligence.
  • Cyberattack volume increased by 16% last year, and severity increased by 22%.

“Most data breaches occur because of a failure to patch, yet many organisations struggle with the basic hygiene of patching,” van der Wilt said. “Attackers are armed with the most innovative technologies, and security teams will remain at a disadvantage if they don’t change their approach.”

Organisations that were breached struggle with vulnerability response processes compared with those organisations that weren’t breached:

  • 48% of EMEA organisations have experienced a data breach in the last two years, compared to 48% globally.
  • A majority of EMEA breach victims (54%) said that they were breached because of a vulnerability, for which a patch was already available.
  • 32% of EMEA security professionals were actually aware that they were vulnerable before they were breached.
  • EMEA organisations that avoided breaches rated themselves 29% higher on the ability to patch quickly (compared to 41% globally) than organisations that had been breached.
  • 40% of breach victims said they don’t scan for vulnerabilities.

“If you’re at sea taking on water, extra hands are helpful to bail,” van der Wilt said. “The study shows most organisations are looking for bailers and buckets instead of identifying the size and severity of the leak.”

Here are five key recommendations that provide organisations with a pragmatic roadmap to improve security posture:

  • Take an unbiased inventory of vulnerability response capabilities.
  • Accelerate time-to-benefit by tackling low-hanging fruit first.
  • Regain time lost coordinating by breaking down data barriers between security and IT.
  • Define and optimise end-to-end vulnerability response processes, and then automate as much as you can.
  • Retain talent by focusing on culture and environment.