May 06, 2019
More staff (if you can find them) does not equal better security. Reducing risk also requires automating manual processes, especially patch management.
Major data breaches are headline news. When criminals steal corporate data or personally identifiable information (PII), it can create a public relations nightmare with long-lasting business consequences. But well-publicized breaches are only the tip of the iceberg.
In “Today’s State of Vulnerability Response: Patch Work Demands Attention,” we explore how and why security breaches happen. Our study found that efficient vulnerability response processes are critical because timely patching is the single most important tactic companies employed in avoiding security breaches. Yet organizations struggle with patching because they use manual processes and can’t prioritize what needs to be patched first.
We call this confluence of trends the “patching paradox”: hiring more bodies alone does not equal better security. While security teams plan to hire more staff for vulnerability response, they must equally focus on improving their security posture by fixing broken patching processes.
A Practical Look at the Cybersecurity Talent Shortage
Cybersecurity teams already dedicate a significant proportion of their resources to patching. And that number is set to rise. Our study found that organizations spend 321 hours a week on average – the equivalent of about eight full-time employees – managing the vulnerability response process. On average, respondents plan to hire about four people dedicated to vulnerability response, an increase of 50% over today’s staffing levels.
Even though this will help address the issue, adding new security talent may not always be practical. According to ISACA, a global nonprofit IT advocacy group, the global shortage of cybersecurity professionals will reach 2 million by 2019. Fierce competition for talent will challenge companies that are already struggling to avoid breaches.
Job site Indeed reports that demand for cybersecurity talent far outstrips interest, with only 6.67 clicks for every 10 cybersecurity jobs posted in the U.S. – meaning that at least one-third of postings get no views at all. That number drops as low as 3.50 clicks in Germany and 3.16 clicks in the UK. Against this backdrop, organizations will find it extremely difficult to secure the resources they need.
Why Broken Processes Hurt
Our study found that hiring alone won’t solve vulnerability response challenges. Security teams lost an average of 12 days per vulnerability, manually coordinating patching activities across teams. A total of 65% say they find it difficult to prioritize what needs to be patched first. Additionally, it takes time to bring new hires up to speed on proper patching procedures.
In fact, 61% say that manual patching processes put them at a disadvantage. All this amounts to a majority (55%) spending more time navigating manual processes than responding to vulnerabilities. One Fortune 100 company employs full-time staff whose sole responsibility is managing the spreadsheets used by different teams for vulnerability management and response.
The Path Forward: Managed Services and Automation
Breach rates are already extraordinarily high, and emerging artificial intelligence (AI)-fueled threats are likely to further increase the volume, speed and effectiveness of cyberattacks. Organizations can’t rely solely on hiring amid a talent shortage to get work done using today’s manual processes.
Luckily, solutions already exist to help with these challenges. Next-generation managed security service providers (MSSPs) already have the talent and automated processes in place to handle typical patching tasks. This automated reduction in attack surface can quickly cut the time security teams spend on routine patching hygiene so that they can deal more effectively with critical organizational needs. Working with an MSSP can both diminish your vulnerability exposure and save your organization the valuable time it takes to train newcomers.
Sam Dillingham, Cognizant’s Associate Director of Managed Security Services Strategy, contributed to this blog.