ServiceNow Research Finds Security Response is Under Resourced in Singapore

68% of Singapore organizations plan to hire for vulnerability response over the next 12 months, yet more talent alone won’t solve the problem

ServiceNow has released new research, “Today’s State of Vulnerability Response: Patch Work Demands Attention,” based on a survey conducted with the Poneon Institute with nearly 3,000 security professionals around the globe, including 165 respondents from Singapore. The survey was carried out to understand the effectiveness of current vulnerability response processes which companies use to prioritize and remediate flaws in software that could serve as attack vectors.

Singapore was the second highest country that reported insufficient resources to keep up with the volume of patches (78 percent compared to 72 percent globally). Globally, organisations, including those in Singapore, plan to increase patching headcount by 50 percent in the next 12 months.

However, the report revealed security’s “patching paradox” – hiring more people does not equal better security. While security teams plan to hire more staffing resources for vulnerability response – and may need to do so – they will not improve their security posture if they do not fix broken patching processes. Firms struggle with patching because they use manual processes and cannot prioritize what needs to be patched first. The study found that efficient vulnerability response processes are critical because timely patching is the most successful tactic companies employed in avoiding security breaches.

“Adding more talent alone won’t address the core issue plaguing today’s security teams,” said Mitch Young, VP and GM, APJ, ServiceNow.  “Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”

Globally, firms plan 50% headcount increase for vulnerability response

Cybersecurity teams already dedicate a significant proportion of their resources to patching. That number is set to rise:

• 68% of Singapore respondents say they plan to hire more dedicated resources for patching over the next 12 months, compared to 64% globally.
• On average, global respondents plan to hire about four people dedicated to vulnerability response – an increase of 50% over today’s staffing levels.

Hiring won’t solve the problem: teams struggle with broken processes

Adding cybersecurity talent may not be possible. According to ISACA, a global non-profit IT advocacy group, the global shortage of cybersecurity professionals will reach 2 million by 2019.

The study found that hiring won’t solve the vulnerability response challenges facing Singapore organizations:

• 58 percent of Singapore respondents (compared to the global average of 53 percent) attributed the root cause of data breaches in their organization to human error
• Following closely were breaches caused by external criminal attack (57 percent, compared to 55 percent globally).
• Security teams in Singapore lost an average of 10 days manually coordinating patching activities across teams.
• 60% say that manual processes put them at a disadvantage when patching vulnerabilities, a sentiment echoed by global respondents (61%).
• Cyberattack volume increased by 14% last year (15% globally), and severity increased by 25% (23% globally).

“Most data breaches occur because of a failure to patch, yet many organizations struggle with the basic hygiene of patching,” Young said.  “Attackers are armed with the most innovative technologies, and security teams will remain at a disadvantage if they don’t change their approach.”

Quickly detecting and patching vulnerabilities significantly reduces the breach risk

Organizations that were breached in the last two years struggled with vulnerability response processes compared to those organizations who weren’t:

• 45% of organizations in Singapore suffered a data breach in the last two years.
• Of these, 57% acknowledged they were breached because of a known vulnerability – a software security flaw for which a patch was already available.
• 32% of Singapore organizations were aware that they were vulnerable before they were breached, highlighting the overwhelming need effective vulnerability response to close down the attack vectors before hackers strike.

Broken processes can be overcome

Here are five key recommendations that provide organizations with a pragmatic roadmap to improve security posture:

• Take an unbiased inventory of vulnerability response capabilities.
• Accelerate time-to-benefit by tackling low-hanging fruit first.
• Regain time lost coordinating by breaking down data barriers between security and IT.
• Define and optimize end-to-end vulnerability response processes, and then automate as much as you can.
• Retain talent by focusing on culture and environment.

Additional Resources:

• Report: Today’s State of Vulnerability Response, Patch Work Demands Attention: https://www.servicenow.com/lpayr/ponemon-vulnerability-survey.html?cid=s:servicematters:12672
• Infographic: https://www.servicenow.com/content/dam/servicenow/documents/analyst-research/ponemon-state-of-vulnerability-response.pdf
• Blog: Survey: Hiring more talent alone won’t solve security’s woes: https://servicematters.servicenow.com/2018/04/05/survey-hiring-more-talent-alone-wont-solve-securitys-woes/
• Slideshare: Today’s State of Vulnerability Response, Patch Work Demands Attention: https://www.slideshare.net/servicenowdotcom/the-state-of-vulnerability-response-92819038
• For more on ServiceNow Security Operations, please visit this site.

Survey Methodology

ServiceNow commissioned the Ponemon Institute to survey nearly 3,000 IT security professionals. Respondents are based in Australia, France, Germany, Japan, the Netherlands, New Zealand, Singapore, the United Kingdom, and the United States, and represent organizations with more than 1,000 employees. The survey was administered online. Founded in 2002, the Ponemon Institute is a research center specializing in privacy, data protection, and information security policy.

About ServiceNow
ServiceNow makes work better across the enterprise. Getting simple stuff done at work can be easy, and getting complex multi‑step tasks completed can be painless. Our applications automate, predict, digitize and optimize business processes and tasks, across IT, customer service, security operations and HR service delivery, creating a better experience for your employees and customers while transforming your enterprise. ServiceNow (NYSE: NOW) is how work gets done. For more information, visit: www.servicenow.com.