Known vulnerabilities cause 44 percent of all data breaches


Most IT experts are well aware of the need to patch vulnerabilities in their systems as soon as possible, but despite this, known security issues remain the leading cause of corporate data loss and production downtime in the enterprise.

That’s the biggest finding of BMC Software Inc.’s latest security survey, The Game Plan for Closing the SecOps Gap, which was posted today. The survey, conducted by Forbes Insights on behalf of BMC, polled more than 300 C-level executives from U.S. and European firms and found that known vulnerabilities are the leading cause of data breaches, accounting for 44 percent of all such incidents.

That might come as a shock to many. After all, it’s generally assumed that IT and security teams are on the ball as soon as they become aware of potential security risks, but the fact remains that in many cases companies still take far too long to patch them. When pressed on these delays, 33 percent of executives revealed that the disparate priorities of IT and security teams mean the most urgent issues are not always fixed first.

BMC said the biggest cause of this disparity in priorities is that the goals of security and IT operations teams are often out of sync. As a result, outdated and poorly synchronized internal procedures that delay the response to attacks are among the biggest security risks for enterprises today.

As if to hammer that point home, a 60 percent majority of executives said IT and security teams generally have little or no understanding of the other team’s goals. Unfortunately, almost half of the executives admitted there are no plans in place to improve coordination between the two teams.

“Today, it often takes companies months to remediate known vulnerabilities – exposing them to potential breaches for six months or more as they work to resolve known threats,” said Bill Berutti, president of cloud, data center and performance businesses at BMC.

To improve their ability to prioritize and fix vulnerabilities, Berutti urged enterprises to improve coordination between security and IT teams. “Narrowing the SecOps gap is critical to protecting an organization’s brand and also ensures customer confidence in the ability for the business to protect its information.”

BMC’s report goes on to make a number of recommendations on how to reduce this “SecOps gap” in the enterprise. For starters, it recommends that companies create cross-functional working groups responsible for sharing security, compliance and operational concerns. It also suggests developing collaborative workflow processes to smooth interactions between IT operations, security and compliance teams. Finally, it says that error-prone manual processes should be replaced with intelligent compliance and security platforms that automate the rollout and testing of security patches.

BMC’s recommendations were given the thumbs up by International Data Corp. analyst Chris Christiansen, who said that it’s time for companies to rethink their traditional, siloed approaches to IT security.

“CIOs must hold both security and IT operations groups accountable for identifying and fixing issues quickly and integrate security and IT operations activities to further protect their organization,” Christiansen said.

Photo Credit: woodleywonderworks via Compfight cc