Why the expansion of the IS state does not lead to increased security, and what to do about it

    Scientists and ServiceNow analysts conducted a study and found that an increase in the staff of information security specialists does not always lead to increased security of the company's infrastructure and networks. It turned out that the most important role in this is played by the automation of software updates.

    Next, let's talk about the study in more detail and give expert advice on the topic. / Flickr / Conor Lawless / CC ServiceNow and the Ponemon Institute conducted an online survey among 3,000 cybersecurity professionals. They represented companies with more than a thousand employees located in 9 countries: Australia, Germany, France, Japan, New Zealand, England, the USA, Singapore and the Netherlands. The purpose of the study is to find out which processes in companies have the greatest impact on security.

    The survey showed that 48% of companies have been exposed to cyber attacks in the last 2 years. At the same time, 57% of respondents said that the attack was due to a vulnerability that they discovered, but did not manage to close (although the patch was already available).

    To quickly respond to emerging threats, companies are hiring new employees: 64% of organizations plan to expand the staff of the information security department in the coming year. However, ServiceNow notes that this will not lead to increased security until the mechanisms for eliminating vulnerabilities are modified.

    Why state expansion does not solve the problem

    In ServiceNow, this problem is called patching paradox or the "security paradox." Hiring information security specialists will not solve all the difficulties, since in 61% of cases, information security departments coordinate the installation of all patches manually. On average, teams spend 321 hours a week patching (which is approximately equal to the weekly work of eight full-time specialists). At the same time, it takes about 12 days to close one vulnerability.

    In this case, the expansion of staff can further complicate the coordination and interaction between employees. Now 55% of specialists already spend more time on the distribution of tasks within the team than on eliminating security threats. One Fortune 100 company even hiresspecial employees whose sole duty is to manage spreadsheet documents with information about vulnerabilities: how it is closed, which department is responsible, etc.

    At the same time, organizations that are trying to hire new employees face another problem - a lack of information security specialists. According to Indeed's job search site, demand exceeds supply by several times.

    For example, in the USA for every 10 vacancies in the field of cybersecurity there are 6.67 views (in Germany this figure is 3.50; in England - 3.16). This means that at least a third of the vacancies are not viewed at all. According to the forecasts of the audit organization ISACA, by 2019, 2 million positions in the field of cybersecurity will be empty.

    And the situation is onlyworse : by 2021 the number of vacancies will reach 3.5 million. The main reason for the lack of staff in this area, the founder of Cybersecurity Ventures, Steve Morgan, calls the lack of appropriate staff training.

    They are trying to solve this problem. For example , IBM hires workers without a four-year specialized education. In addition, various companies are trying to retrain employees, popularize the cybersecurity sphere among students and the female half of IT personnel, and urge enterprises to invest in information security.

    However, so far all these measures are not working well.to reduce the "gap" between vacant places and specialists who are ready to occupy them.

    / Flickr / emery way / cc

    How to resolve the security paradox

    To solve the problem of staff shortages and increase security, ServiceNow proposes to revise the methods of providing security. Sean Convery, vice president of ServiceNow, notes that most cyber attacks come from companies' inability to close all vulnerabilities on time.

    Hackers win in speed: at Barkly, a cyber defense company, they calculated that it takes an average of a couple of minutes to launch a phishing campaign, and it takes 256 days to detect a hack. The ServiceNow report also mentions that attackers are becoming faster: according to 53% of respondents, the time between the release of a patch and a modified attack bypassing it has decreased by 29% over the past 2 years.

    As noted above, most cyber attacks on company infrastructure (57%) could have been prevented, since a patch covering the vulnerability had already been released (remember the Equifax case ). Some companies updated the software manually and did not have time on time, while others (37%) did not regularly scan IT systems for vulnerabilities on a regular basis (for example, they forgot to scan the infrastructure again after applying the patch).

    In order to help organizations resolve incidents and vulnerabilities faster, ServiceNow provides the following recommendations:

    1. First, you need to evaluate how the company implements processes for detecting vulnerabilities and eliminating them. And identify problem areas, for example, lack of coordination between departments or inability to track the life cycle of a vulnerability. A step-by-step algorithm for constructing a security risk assessment system is proposed by George Viegas, a leading information security specialist at CSO.
    2. You should not solve only major IS problems. And although this advice seems pretty obvious, as Trip Wire, a cyber security company that develops , notes , many organizations neglect it. Patching only “burning vulnerabilities”, the company leaves attackers with many other, less noticeable opportunities for penetrating the system.
    3. It will be useful to combine the work of IT and information security departments (for example, using the Security Operations solution ). This will help to better prioritize when patching. For example, the information security department of the Freedom Security Alliance was able to accelerate vulnerability detection by 40% due to close interaction with the client’s IT department.
    4. It is worth paying attention to how exactly IB incidents are resolved at the enterprise, and then automate routine tasks (routing incidents or tracking their status). This advice was taken by the Australian company AMP, which allowed them to speed up the installation process of patches by 60%.

    PS Materials from the First Corporate IaaS Blog:

    PPS Additional reading from our blog on Habré:

    Also popular now: