Data breaches caused more often by known vulnerabilities; IT and security at odds
A new survey of more than 300 C-level executives, conducted by BMC and Forbes Insights, revealed that known vulnerabilities are the leading cause of exposure to data breaches rather than new or emerging threats. Why are known vulnerabilities still a threat? Surprisingly, the threats and breaches continue due to internal frictions over what should be done and in what order.
Conflicting priorities between security and operations teams are the leading obstacle to eliminating known vulnerabilities. Sixty percent of the executives surveyed said the IT operations and security teams have "only a general or a little understanding of each other's requirements." Even scarier, the survey uncovered that nearly half do not have a plan to improve communication and cooperation between the two groups.
"Today, it often takes companies months to remediate known vulnerabilities – exposing them to potential breaches for six months or more as they work to resolve known threats," said Bill Berutti, president of the cloud, data center and performance businesses at BMC, in the announcement of the survey findings.
"To discover, prioritize and fix vulnerabilities quickly calls for improved coordination between the security and IT operations teams. Narrowing the SecOps gap is critical to protecting an organization's brand and also ensures customer confidence in the ability for the business to protect its information."
Well, this is a discouraging state of affairs but at least it's something that organizations can fix. This report suggests you start with the following actions:
- Create cross-functional working groups to share security, compliance, and operational concerns, and to build rapport and trust
- Rework processes so that they are more collaborative, with the goal of eradicating conflict and friction
- Be careful not to let obstacle-inducing manual processes continue, and not to carry the same problems over when moving those processes to automation
To that, I would add: set turnaround-time goals and enforce them, at least for known vulnerabilities where fixes are available and the only real obstacle is internal friction. Make sure both teams know they have a set amount of time to repair the problems; a shared deadline encourages faster action and joint responsibility for seeing the fix through. In other words, stop the blame game!
- See the press release for the full survey findings.