Study shows known security vulnerabilities are leading cause of data breaches

BMC Software has released the results of a security survey of more than 300 C-level executives, revealing that known vulnerabilities are the leading cause of exposure to data breaches and cyber threats.

The report, conducted in association with Forbes Insights, also confirms a significant gap between the security and IT operations teams, which is contributing to unnecessary data loss, production downtime, and potential reputation damage.

The survey revealed that 44 percent of security breaches occur even when vulnerabilities and their remediations have previously been identified. Simply stated, it takes far too long to fix a vulnerability once a patch becomes available. When asked why, 33 percent of executives stated it was challenging to prioritize which systems to fix first, since the security and operations teams may have different priorities.

While the joint efforts of security and IT operations ultimately determine an enterprise’s security strength, the individual goals of these two groups are often out of sync. The biggest areas of risk for an enterprise are outdated and poorly synchronized internal procedures that thwart efforts to quickly defend against known threats.

When asked about the challenges faced by IT and security, 60 percent of executives surveyed said the IT operations and security teams have only a general or limited understanding of each other’s requirements. Yet nearly half do not have a plan in place for improving coordination between the two groups.

“Today, it often takes companies months to remediate known vulnerabilities – exposing them to potential breaches for six months or more as they work to resolve known threats,” said Bill Berutti, president of the cloud, data center and performance businesses at BMC. “To discover, prioritize and fix vulnerabilities quickly calls for improved coordination between the security and IT operations teams. Narrowing the SecOps gap is critical to protecting an organization’s brand and also ensures customer confidence in the ability for the business to protect its information.”

As companies prepare for 2016, CIOs need a plan to address the SecOps gap. The report recommends a number of actions, including:

– Create cross-functional working groups to share security, compliance, and operational concerns while implementing regular meetings to build loyalty and trust.

– Develop collaborative workflow processes that smooth interactions of security, IT operations and compliance personnel.

– Replace error-prone manual processes with intelligent compliance and security platforms that automate the testing and rollout of security patches and provide centralized information management tools.

“Given the number of information security vulnerabilities that exist in the world today, security and IT operations can benefit tremendously from tighter collaboration and more efficient workflow,” said Michael Allen, chief information security officer at Morningstar, Inc. “Closing the SecOps gap and implementing an integrated approach to automate information security processes greatly improved data security at Morningstar.”

“In light of increasingly sophisticated threats, it is time to rethink the traditional, departmentalized, siloed approach to security,” said Chris Christiansen, program vice president, Security Products and Services at IDC. “CIOs must hold both security and IT operations groups accountable for identifying and fixing issues quickly and integrate security and IT operations activities to further protect their organizations.”

The data in the report is derived from a survey of 304 executives from a range of industries in North America and Europe, conducted by Forbes Insights in fall 2015. Half were located in North America and half in Europe. All respondents were from companies with at least $100 million in annual revenue; 27 percent were from companies with revenue between $1 billion and $5 billion; 23 percent had revenue of $5 billion or more.

Read the full report, The Game Plan for Closing the SecOps Gap.