A relentless pace of vulnerability discoveries and disclosures imposes a cyclical patching process on cybersecurity professionals that has proven unsustainable for most organizations.
The situation is going from bad to worse.
“We’re in this endless loop of massive vulnerability patches, and it seems like we’re deploying vulnerabilities faster than we’re deploying patches for vulnerabilities,” said Ed Skoudis, president of the SANS Technology Institute.
This chronic cycle of vulnerability, fix, vulnerability, fix, ad nauseam, contributes to apathy and a heightened sense of resource scarcity among many companies and cybersecurity practitioners.
Known vulnerabilities are akin to an iceberg that shows only about 10% of its mass above sea level: these are the vulnerabilities the industry knows about and continues to work on, he said.
Meanwhile, software and system vendors continue to add vulnerabilities to the remaining 90% that lurk underwater. “We deploy more issues than we deploy fixes for them, and that can lead to cybersecurity burnout,” Skoudis said.
Despite some overall gains, morale is down, especially among professionals who realize organizations are more vulnerable than a decade ago, Skoudis said.
The perpetual state of defense breeds apathy
Cybersecurity has improved dramatically in absolute terms, but businesses and the effectiveness of cybersecurity as a practice still lag. This apparent contradiction comes as no surprise to anyone who pays attention to the pace and scale of the threats that every individual, company or government entity faces.
“[Attackers] are becoming more powerful, smarter, more creative and deeper into our systems at a rate that is growing faster than our cybersecurity capabilities,” Skoudis said.
As new vulnerabilities are discovered and new patches are required, organizations should create a system to apply patches in a defined and repeatable manner.
The need for an urgent and committed response makes patching a full-time job, and in large organizations more likely the job of an entire team of IT professionals responsible for testing and deployment, said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks Unit 42.
Maintain a positive mindset
Fighting an unbalanced battle from a position of weakness, as cybersecurity practitioners do, makes it all the more difficult to sustain optimism. Skoudis nonetheless finds a way, and says it’s essential to keep fighting.
But how to compensate for this undeniable imbalance between hope and reality? Celebrating successes, training and mentoring future cybersecurity talent, and consistent practice in a lab will go a long way in this regard, he said.
Cybersecurity professionals can hold themselves accountable by developing their skills and doing so regularly and methodically, Skoudis said. “I’m not thrown into this sea of vulnerabilities,” he said. “I am learning to apply cybersecurity in a practical way.”