The cybersecurity elephant in the room that most organizations don’t really want to address is that a huge percentage of the systems still being used every day are indefensible.
A survey of 500 chief information security officers (CISOs) conducted by Vanson Bourne on behalf of Bromium, a provider of container software that provides higher levels of isolation between applications and the platforms they run on, finds organizations are now issuing patches on average five times per month. The report estimates that each patch requires 13 man-hours to implement. The report also finds that more than half of the respondents had to pay staff overtime or hire a third-party services firm at an average cost of $19,908 per patch. It’s little wonder that 53 percent of the CISOs describe crisis patch management as a major disruption to their IT and security teams.
Of course, nobody knows for sure how many of those patches are being applied to systems that are outdated. But a separate report issued this week by Bitsight Technologies, a provider of a framework for security ratings, suggests it’s a lot more than most organizations care to admit. An analysis of 35,000 companies finds that over 8,500 organizations have more than 50 percent of their computers running an out-of-date version of an Internet browser. The report suggests that this doubles the chances of experiencing a publicly disclosed breach. Over 2,000 organizations were found to be running more than 50 percent of their computers on outdated versions of an operating system. Bitsight reports those systems are almost three times as likely to experience a publicly disclosed breach.
There are lots of reasons organizations continue to run outdated systems, but none of them are good. Certainly, nobody in IT cares to maintain outdated systems. It’s usually a business executive that decides that either the cost of upgrading is too high or that an application that won’t run on a modern system is too critical. More often than not, the justification for failing to upgrade or replace that application doesn’t include the cost of securing it or the impact a security breach might have on the business. In fact, an article published in the Harvard Business Review (HBR) this week that was penned by an expert in organizational behavior suggests that most business executives still think of cybersecurity as a problem to fix rather than an ongoing process to be managed. Given all the things the average business executive needs to deal with every day, it’s easy to see how cybersecurity can either fall off the agenda or be assumed to be something that has already been dealt with. Even when business executives do think about cybersecurity, it’s all too often more of a conversation about acceptable levels of risk than it is about how to solve the actual problem.
Of course, this dysfunctional approach to cybersecurity creates a level of demand for cybersecurity expertise that can never be met. (ISC)², a nonprofit association for IT security professionals, published a report this week that forecasts that by 2022 there will be 1.8 million unfilled cybersecurity jobs. While that could be construed as good news for cybersecurity professionals as far as job security is concerned, it also suggests not much progress will be made in terms of making the overall IT environment more secure.
Obviously, there will never be such a thing as perfect security. But it’s also clear there’s a lot of room for improvement. The real issue is that the conversation that needs to be had isn’t necessarily about cybersecurity. It’s about how IT gets managed or, as is too often the case today, doesn’t get managed at all.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.