icetray - Fotolia

Security professionals admit patching is getting harder

Vulnerable systems need patching to avoid being attacked by security exploits, yet many businesses find it hard to apply patches quick enough

Security professionals admit their organisations are at a disadvantage because they use manual processes to patch vulnerable systems.

The ServiceNow sponsored research, Today’s state of vulnerability response: patch work demands attention from the Ponemon Institute, reported that 57% of security professionals acknowledge their organisation is at a disadvantage because of the reliance on manual processes to respond to vulnerabilities.

The Ponemon Institute’s survey found 56% of security professionals agreed that security professionals spend more time navigating manual processes than responding to vulnerabilities, which leads to an insurmountable response backlog, while 53% said attackers are outpacing enterprises with technology such as machine learning or artificial intelligence.

The research, based on surveying 3,000 security professionals across nine countries, reported that organisations spend 321 hours a week on average – the equivalent of about eight full-time employees – managing the vulnerability response process.

Annually, organisations are spending 18,000 hours at a cost of $1.1m on patching activities.

However, the study found organisations are struggling to keep up with patching, with 57% of security professionals admitting the average time to patch before an exploit is in the wild has decreased by 30% in the past two years.

The Ponemon Institute reported that security professionals believe delays in vulnerability patching are primarily caused by not having a common view of applications and assets across security and IT teams (80%). On average, 11 days are lost coordinating with the responsible team before a patch is applied. Other obstacles are not having enough resources to keep up with the volume of patches (75%) and human error (67%).

Read more about patch management

  • How should organisations address the need to keep software up to date with security patches without it costing too much or being too labour intensive?
  • Keeping your applications updated and patched is essential for company security. Patch management software can help you do that efficiently, but which one is best for you?

On average, the respondents surveyed plan to hire about four people dedicated to vulnerability response – an increase of 50% over today’s staffing levels, according to the Ponemon Institute.

“Adding more talent alone won’t address the core issue plaguing today’s security teams,” said Jason Sutton, vice-president for UK and Ireland at ServiceNow. “Automating routine processes and prioritising vulnerabilities will help organisations avoid the ‘patching paradox’, instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”

Next Steps

Risk & Repeat: Vulnerability patching still falling short

Read more on Endpoint security