Previously detected security vulnerabilities are the leading cause of exposure to data breaches and cyber threats, often in organizations inhibited by conflicting goals and responsibilities between security and IT operation, according to a report released today by BMC and Forbes Insights.
“Everyone talks about needing to figure out how to deal with the everyday vulnerabilities,” said Brian Downing, senior director of Product Management at BMC. “But the reality is a huge number of the breaches you hear about are exploiting older vulnerabilities that have never been addressed.”
The survey of 304 executives from a range of industries in North America and Europe found that 44% of security breaches occur after vulnerabilities and their remediation are discovered.
“The root of the problem is that it takes far too long to fix a vulnerability once a patch becomes available,” said David Cramer, BMC’s vice president of Product Management. “We see a gap after the threat has been identified, and that’s often because there's a big operational challenge as it relates to not just finding the security issues but tracking them, fixing them, and managing them from the whole life cycle perspective.”
Out of sync
Why does the gap exist? One-third of executives say it is a challenge to prioritize which systems to fix first because the security and operations teams often have different priorities.
“The individual goals of these two groups are often out of sync,” said Cramer. “Outdated and poorly synchronized internal procedures can often thwart efforts to quickly defend against known threats.”
Of the executives surveyed, 60% said that IT operations and security teams often have little understanding of each other’s requirements.
“You have the operations guys trying to do everything they can to try to prevent change and the security folks trying to change everything they can,” said Downing. “It makes sense therefore that the vulnerabilities don’t get fixed quickly because you have one person finding them and the other person responsible for fixing them. The organization is only protected once that cycle is closed.”
Cramer and Downing say the growing misalignment and lack of coordination between IT operations and security teams can result in it taking more than six months to fix a known vulnerability, exposing enterprises to unnecessary security risks, data loss and downtime.
See Also: 4 enterprise technology trends for the second half of 2016
Putting a plan in place
The BMC/Forbes report also found that nearly half of those surveyed do not have a plan in place for improving coordination between the security and IT operations groups.
“The impacts are huge, but very few people have been doing much about it,” said Downing. “About half of the people we talked to said they recognize the problem, they understand the consequences, but they don't have a plan to fix it quite yet.”
BMC says enterprises should prepare a “game plan” to help integrate security and IT operations groups for stronger security and compliance, brand protection and customer confidence in those enterprises’ ability to protect their information.
BMC suggests the following:
- Revise internal reporting structures and job descriptions to better align security and IT operations.
- Create cross-functional working groups to share security, compliance, and operational concerns while implementing regular meetings to build loyalty and trust.
- Develop collaborative workflow processes that smooth interactions of security, IT operations and compliance personnel.
- Replace error-prone manual processes with intelligent compliance and security platforms that automate the testing and rollout of security patches and provide centralized information management tools.
Forcing teams to change what they have done during the past decade will not work, according to Downing.
“Transpose the views of the different teams and get them to see things from the other’s perspective,” Downing said. “We have them look at how to take the security data in the form it’s in and convert it to operational data and vice versa.”
