A new study sheds light on the frustrations faced by enterprise security professionals who struggle to remediate a seemingly endless stream of vulnerabilities and security challenges.
A survey conducted by NopSec asked nearly 200 information technology and security pros about their company's vulnerability remediation process. The study found that 45 percent of the respondents' companies continue to prioritize security vulnerabilities based on manual processes, asset classification, or Common Vulnerability Scoring System (CVSS). Created in 2005, the CVSS scoring system has faced ongoing challenges in the current cybersecurity environment.
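As an added illustration, not part of the NopSec study or of this article, the following Python snippet contrasts the two prioritization approaches the survey mentions: ranking findings by CVSS base score alone versus weighting that score by asset classification. The findings, host names, finding identifiers, asset tiers and weights are all constructed for the example; only the CVSS v3 qualitative rating bands are real.

```python
"""Compare CVSS-only and asset-weighted vulnerability prioritization.

Added example with constructed data. The asset tiers, their weights and the
finding list are assumptions for illustration, not NopSec's method or data.
"""
from dataclasses import dataclass
from typing import List

# Assumed asset classification scheme: how much a host's exposure matters.
ASSET_WEIGHT = {"crown-jewel": 1.0, "internal": 0.6, "lab": 0.3}


@dataclass(frozen=True)
class Finding:
    host: str        # constructed host name
    finding_id: str  # placeholder id, not a real advisory number
    cvss: float      # CVSS v3 base score, 0.0 to 10.0
    asset_tier: str  # key into ASSET_WEIGHT


def severity(cvss: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating band."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def risk_score(f: Finding) -> float:
    """Assumed weighting: CVSS base score scaled by asset criticality."""
    return round(f.cvss * ASSET_WEIGHT[f.asset_tier], 2)


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """Ordering a CVSS-only process would produce (highest score first)."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings: List[Finding]) -> List[str]:
    """Ordering after asset classification is applied (highest risk first)."""
    return [f.finding_id for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed findings: a critical bug on a throwaway lab box competes with
# lower-scored bugs on the payment database.
SAMPLE = [
    Finding("lab-build-01", "VULN-A", 9.8, "lab"),
    Finding("pay-db-01", "VULN-B", 7.5, "crown-jewel"),
    Finding("wiki-01", "VULN-C", 8.1, "internal"),
    Finding("pay-db-01", "VULN-D", 5.3, "crown-jewel"),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.finding_id} {f.host:14} CVSS {f.cvss:4} ({severity(f.cvss):8}) "
              f"risk {risk_score(f)}")
    print("CVSS-only order :", rank_by_cvss(SAMPLE))
    print("Asset-weighted  :", rank_by_risk(SAMPLE))
```

Run as a script, the CVSS-only queue puts the lab host's finding first, while the asset-weighted queue moves both payment-database findings ahead of it. Whatever weighting scheme an organization adopts, the point is that the ordering, not the raw scan volume, is what determines which fixes reach the right teams first.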
Many of the study's participants seem to be plagued by data overload. While 70 percent of organizations scan for vulnerabilities at least weekly, they are unclear on the next steps for pushing security issues forward through the right channels. 51 percent of the participants surveyed said data overload was the biggest difficulty preventing their organization from addressing vulnerabilities, and 46 percent said a lack of resources was holding them back.
Perhaps the scope of cyber challenges extends beyond the realm of security professionals to solve without additional support from executive leadership. And yet, a staggering 60 percent of the survey participants said their organization's executives are “somewhat” or “not at all” informed about the risk posed to their business from today's security threats.
Notably, 24 percent of security professionals surveyed did not even know how security vulnerabilities are prioritized within their organization.
NopSec's Vice President of Strategy Kevin Ketts told SCMagazine.com that the number of executives who are unaware of the extent of the problem is “astounding,” considering all of the attention that breaches have received in the past year. “It's really a boardroom problem,” he said. “Executives need to take it seriously and fund it.”
This raises the question of why executive leadership has been slow to implement changes that would streamline the decision-making process. Often, security professionals and executive leadership are unable to speak a common language when it comes to addressing systemic enterprise risk challenges, Ketts said.
He noted that security professionals are not accustomed to communicating with C-suite decision makers in business terms. “I've found that the executive leadership seems to glaze over when pros speak in technical terms,” Ketts said. “So the executive leadership doesn't take action.”