
Today's State of Vulnerability Response: Patch Work Requires Attention

In this study by Ponemon Research Institute and ServiceNow, learn more about today's state of vulnerability response.

Published in: Technology

  1. Today’s State of Vulnerability Response: Patch Work Requires Attention. Piero DePaoli, Senior Director, Product Marketing, Security and Risk, ServiceNow. May 15, 2018.
  2. Agenda and summary (© 2018 ServiceNow, Inc. All Rights Reserved. Confidential.)
     • Methodology
     • Three key findings:
       • Security teams are overwhelmed and want to hire more people
       • The Patching Paradox: broken processes mean more people does not equal more security
       • Single most important factor in reducing risk of breach
     • Recommendations
  3. Methodology. ServiceNow commissioned the Ponemon Institute to survey nearly 3,000 IT security professionals. Respondents are based in Australia, France, Germany, Japan, the Netherlands, New Zealand, Singapore, the United Kingdom, and the United States, and represent companies with more than 1,000 employees. Survey period: January 31 - February 19. Margin of error: 4.51%. Respondents by country surveyed:
     • United States: 595
     • United Kingdom: 387
     • Germany: 453
     • France: 369
     • Netherlands: 340
     • Australia/New Zealand: 220
     • Singapore: 165
     • Japan: 394
     • Total: 2,923 IT security professionals
  4. Publicized data breaches are just the tip of the iceberg
     • 48% of organizations had one or more data breaches in the last two years
     • $2.8M cost for a data breach involving as little as 10,000 records (Source: Ponemon 2017 Cost of Data Breach Study)
  5. Unpatched vulnerabilities are a leading cause of breaches. A known vulnerability is a software security flaw for which a patch is available.
     • 57% of breach victims were breached due to a vulnerability for which a patch was available
     • 34% of breach victims knew they were vulnerable before they were breached
  6. Security teams respond by trying to hire more resources
     • 64% plan to hire additional dedicated resources for patching in the next 12 months
     • Respondents’ hiring plans represent a 50% headcount increase in the next 12 months
  7. But hiring isn’t practical
     • 2 million: global shortage of cybersecurity professionals by 2019 (Source: ISACA, 2016)
     • 33% of cybersecurity jobs don’t receive a single view online (Source: Indeed, 2017)
  8. …or effective
     • 62%: No easy way to track whether vulnerabilities are being patched
     • 73%: No common view of assets and applications across security and IT
     • 57%: Things slip through the cracks because emails and spreadsheets are used to manage the patching process
     • Security’s patching paradox: hiring more people does not equal better security
  9. Processes and siloed tools delay the patching
     • 12 days: time lost coordinating patching across teams per vulnerability
  10. Detecting vulnerabilities: the scanning gap. Scanning for vulnerabilities using a vulnerability scanner is a basic IT security hygiene activity. But…
     • 37% of breach victims don’t scan for vulnerabilities
  11. Scanning reduces breach risk by 20%. Reduce breach risk by 20% by scanning for vulnerabilities.
     • [Bar chart: breach rate, "Does Scan" versus "Doesn’t Scan"; values shown: 56% and 45%]
  12. How organizations avoid being breached. Organizations that aren’t breached are better at*:
     • Detecting vulnerabilities
     • Patching vulnerabilities in a timely manner
     • 41% capability gap: those that weren’t breached rated themselves 41% higher on patching in a timely manner
     • [Chart: "Ability to detect vulnerabilities" and "Ability to patch vulnerabilities", Breached versus Not Breached, on a scale of 4 to 9; values shown: 5.98, 7.10, 5.70, 7.02]
  13. Broken process can be overcome. Five recommendations for vulnerability response success:
     1. Take an unbiased inventory of vulnerability response capabilities
     2. Tackle low-hanging fruit first, including vulnerability scanning
     3. Break down data silos between security and IT
     4. Optimize vulnerability response processes, then automate them
     5. Retain talent by creating a high-performance culture
  14. Questions? Piero DePaoli, piero.depaoli@servicenow.com, @pierodepaoli
  15. Thank you!
