Although IT security teams plan to hire more staff to handle vulnerability response (the process companies use to prioritize and remediate software flaws that could serve as attack vectors), the extra headcount won't improve security unless teams also fix their broken patching processes, according to a new report. This, the report continues, is security's "patching paradox": hiring more people does not equal better security. The underlying problem is that organizations struggle with patching because they rely on manual processes and cannot decide which vulnerabilities must be patched first.


ServiceNow's report is based on a survey conducted by the Ponemon Institute of nearly 3,000 IT security professionals in Australia, France, Germany, Japan, the Netherlands, New Zealand, Singapore, the UK and the U.S., examining the effectiveness of their companies' vulnerability response tools and processes. The report, "Today's State of Vulnerability Response: Patch Work Demands Attention," argues that efficient vulnerability response processes are critical because timely patching is the most effective tactic companies use to prevent breaches.


The survey found that organizations that had been breached struggled more with vulnerability response than those that had not. For example, 48 percent of the surveyed organizations experienced a data breach in the last two years, and a majority of breach victims (57 percent) said they were breached through a vulnerability for which a patch was already available; in other words, the fix existed and the failure was in getting it deployed. I was surprised to read that 34 percent of the respondents said the company was actually aware of a vulnerability before it was breached, and 37 percent of breach victims said the company doesn't scan for vulnerabilities.


IT security teams already devote a significant share of their resources to patching: organizations spend an average of 321 hours a week, roughly the equivalent of eight full-time employees, managing the vulnerability response process. They also plan to add staff: 64 percent of respondents say they plan to hire more dedicated resources for patching over the next 12 months.


Interestingly, the report notes that hiring alone won't solve the vulnerability response challenges organizations face, because the process itself is unwieldy. For instance, 65 percent of respondents said they find it difficult to prioritize what needs to be patched first, 61 percent say manual processes put them at a disadvantage when patching vulnerabilities, and 54 percent say attackers are outpacing organizations by using technologies such as machine learning and artificial intelligence. At the same time, respondents said cyberattack volume increased by 15 percent last year and severity increased by 23 percent.


“If you’re at sea and taking on water, extra hands are helpful to bail,” says Sean Convery, vice president and general manager, ServiceNow Security and Risk. “The study shows most organizations are looking for bailers and buckets instead of identifying the size and severity of the leak. Automating routine processes and prioritizing vulnerabilities will help organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”


Convery adds that the report offers five key recommendations that provide organizations with a pragmatic roadmap for improving cybersecurity. They are:

  • Take an unbiased inventory of vulnerability response capabilities,
  • Accelerate time-to-benefit by tackling low-hanging fruit first,
  • Regain time lost coordinating by breaking down data barriers between security and IT,
  • Define and optimize end-to-end vulnerability response processes, and then automate as much as possible, and
  • Retain talent by focusing on culture and environment.


What are your thoughts on vulnerability response processes? Is it difficult to prioritize patches?