The majority of IT departments are underestimating the maturity of their vulnerability remediation programs by a wide margin, according to a study from Vulcan Cyber. The company said it was surprised that most organizations think that they are much further along in their work in patching known vulnerabilities yet they have barely begun the work required. “What caught us off guard was that the vast majority of respondents felt their programs were already mature,” said Yaniv Bar-Dayan, co-founder and CEO of Vulcan. “Given the amount of breaches caused by known, unpatched vulnerabilities, we discovered a surprising disconnect that merits a closer look.” The study asked 100 computer security and IT executives about how they manage vulnerability remediation. It found that 84% reported having “mature” remediation programs. But on further questioning they were found to have only completed very basic tasks and were many stages away from a “mature” program. Most had completed these basic activities: vulnerability scanning (72%); use of remediation tools (49%); and prioritization of vulnerabilities (44%). But these tasks were less mature: collaborative remediation (48%); automated remediation (48%); and business alignment around cyber objectives (31%).
More information: https://www.
It’s not surprising to find that IT organisations have a disconnect between their perception of patch maturity and the reality of the software running within their organisations. While many businesses likely have a mature patch management strategy around servers and corporate-owned desktops and laptops, these represent a fraction of the software running in a business. Further, if the patch management strategy employed presumes that patches will originate from a commercial software vendor, then that strategy likely doesn’t account for the increasing level of open-source software powering modern business operations. This is of course before software associated with embedded software running enterprise IoT solutions such as security cameras. A comprehensive patch management solution needs to include a complete inventory of all software, independent of its origin or role. Once armed with that inventory, then a patch policy can be created for each item. Only at that point can the patch process be considered reasonably mature as it is impossible to patch software you don’t know you’re running.