Researchers and analysts at ServiceNow conducted a study and found that increasing the number of information security staff does not always improve the security of a company's infrastructure and networks. It turned out that automating software updates plays the most important role.
Next, let's talk about the study in more detail and provide expert advice on the topic.
ServiceNow and Ponemon Institute conducted an online survey of 3 thousand cyber security experts. They represented companies with a staff of over a thousand people located in 9 countries: Australia, Germany, France, Japan, New Zealand, England, USA, Singapore and the Netherlands. The purpose of the study was to find out which processes in companies affect security the most.
The survey results showed that 48% of companies have been subjected to cyber attacks in the last 2 years. At the same time, 57% of respondents stated that the attack was due to a vulnerability that they had discovered but had not had time to close (although a patch was already available).
To respond to emerging threats more quickly, companies hire new employees: 64% of organizations plan to expand the staff of the information security department in the coming year. However, ServiceNow noted that this will not lead to increased security until the mechanisms for handling vulnerabilities are changed.
Why staff expansion does not solve the problem
ServiceNow calls this problem the patching paradox, or “security paradox”. Hiring information security specialists will not solve all difficulties, since in 61% of cases information security departments coordinate the installation of all patches manually. On average, teams spend 321 hours per week on patching (which is approximately equal to the weekly work of eight full-time specialists). Closing a single vulnerability takes about 12 days.
Under these conditions, staff expansion may further complicate coordination and interaction among staff. Already, 55% of specialists spend more time on distributing tasks within a team than on eliminating security threats. One Fortune 100 company even hires special workers whose only duty is to manage spreadsheets with information about vulnerabilities: how to close each one, which department is responsible, etc.
At the same time, organizations that are trying to hire new employees face another problem: the shortage of information security specialists. According to the job search site Indeed, demand exceeds supply several times over.
For example, in the USA, for every 10 vacancies in the field of cyber security, there are 6.67 views (in Germany this figure is 3.50; in England, 3.16). This means that at least one third of vacancies are not viewed by anyone. According to forecasts of the audit organization ISACA, by 2019, 2 million cybersecurity positions will be empty.
And the situation will only worsen: by 2021, the number of vacancies will reach 3.5 million. Cybersecurity Ventures founder Steve Morgan calls the lack of appropriate personnel training the main reason for the shortage of personnel in this area.
Attempts are being made to solve this problem. For example, IBM employs workers without a four-year specialized education. In addition, various companies are trying to retrain employees, promote cybersecurity among students and the female half of IT staff, and urge businesses to invest in information security. However, so far all these measures are not working well enough to close the “gap” between vacancies and specialists who are ready to take them.
How to resolve the security paradox
To solve the problem of the personnel shortage and increase security, ServiceNow proposes reviewing the methods used to ensure protection. Sean Convery, vice president of ServiceNow, notes that most cyber attacks are due to the inability of companies to close all vulnerabilities on time.
Hackers have the advantage in speed: Barkly, a company that develops cyber defense products, calculated that it takes an average of two minutes to launch a phishing campaign, while it takes 256 days to detect a hack. The ServiceNow report also mentions that attackers are getting faster: according to 53% of respondents, the time between the release of a patch and the appearance of a modified attack that bypasses it has decreased by 29% over the past 2 years.
As noted above, most cyber attacks on company infrastructure (57%) could have been prevented, since a patch covering the vulnerability had already been released (recall the case of Equifax). Some companies updated the software manually and did not finish in time, while others (37%) did not scan IT systems for vulnerabilities regularly (for example, they forgot to scan the infrastructure again after applying the patch).
To help organizations resolve incidents and vulnerabilities faster, ServiceNow makes the following recommendations:
- First, evaluate how the company implements the process of detecting vulnerabilities and eliminating them, and identify problem areas, such as a lack of coordination between departments or the inability to monitor the life cycle of a vulnerability. A step-by-step algorithm for building a security risk assessment system is offered by CSO’s leading security specialist, George Viegas.
- Do not solve only the major information security problems. Although this advice looks pretty obvious, many organizations neglect it, as noted by Tripwire, a company that develops cybersecurity tools. By patching only “last minute vulnerabilities”, a company leaves attackers many other, less noticeable ways to penetrate the system.
- It is worth combining the work of the IT and information security departments (for example, using a Security Operations solution). This will help to prioritize patching. For example, the security department of the Freedom Security Alliance was able to speed up vulnerability detection by 40% thanks to close interaction with the client's IT department.
- Pay attention to exactly how information security incidents are resolved at the enterprise, and then automate routine tasks (incident routing or tracking their status). The Australian company AMP followed this advice, which allowed it to speed up the process of installing patches by 60%.