Nearly three-quarters of IT security professionals (73 percent) surveyed say they prefer to buy technology and services from vendors who are proactive about security, including leveraging ethical hacking and having transparent communications about vulnerabilities. But less than half of vendors deliver.
The survey, conducted by Poneman Institute and commissioned by Intel, was intended to help get a better understanding of what drives security investment decision-making, according to the report. The Ponemon Institute surveyed 1,875 people across Africa, Europe, the Middle East, the U.K. and the U.S. who are involved in their organizations’ IT infrastructure and also familiar with purchasing processes for tech and services.
The survey shows a wide gap between what organization decision-makers expect in terms of security, and their vendors’ ability to meet those expectations. For instance, 66 percent of those surveyed said they prefer vendors to have the “ability to identify vulnerabilities in its own products and mitigate them.” Yet only 46 percent of those same respondents said their technology providers have that capability, the report said.
Thirty percent of those surveyed said they could patch a vulnerability in a week or less, but on average, it takes about six weeks to patch a bug from the time its first detected, with 63 percent saying delays are caused by “human error.”
But the rise in zero-day flaws, such as those recently found in software like Google Chrome or Microsoft Exchange, means these organizations could be left vulnerable to attack for weeks before a fix is put in place, depending on the vendor.
“Security doesn’t just happen,” Suzy Greenberg, vice president, Intel Product Assurance and Security said. “If you are not finding vulnerabilities, then you are not looking hard enough.”
Security Transparency
Transparency about security updates and vulnerabilities was also a big deal for enterprises, with 64 percent of respondents noting, “the ability to be transparent about security updates and mitigations that are available,” is “highly important.” Despite the need, only 48 percent of respondents say they’re getting this kind of communication, the report added.
“Organizations understand that security is critical and are looking for vendors that are transparent, mitigate vulnerabilities proactively and apply hacking practices to identify and address vulnerabilities in their own products,” Greenberg added.
Survey respondents also overwhelmingly agreed — 74 percent — that ethical hacking/bug-hunting to find vulnerabilities within products is “highly important,” the report said.
“Of all the capabilities represented in this research, the most important are the technology provider’s capability to apply ethical hacking practices in order to proactively identify and address vulnerabilities in its own products and to provide ongoing assurance and evidence that the components are operating in a known and trusted state,” the report said.
Other findings from the survey show that organizations are struggling to keep up with cybersecurity and are looking to vendors for help. At the same time budgets are tightening, with 45 percent of those surveyed saying their budgets were “less than adequate.”
These findings offer a snapshot inside evolving IT operations, where it is still not yet clear who owns the organization’s security risk. Twenty-one percent say it should be the CISO, 19 percent believe the CIO or CTRO should lead security efforts, and 17 percent think it’s the business-unit leaders who should take responsibility.
“The conclusion is that there is uncertainty in responsibility,” the report said.
This uncertainly could provide an opportunity for vendors who are willing to help struggling IT departments shoulder the cybersecurity burden.
“The key here is transparency,” Greenberg told Threatpost by email. “Organizations have an appetite for security assurance and evidence that components are operating in a known and trusted state. As an industry, we must not only assess risk, but ensure customers know when security updates are available to build trust. Our end goal is to take a transparent approach to security to protect customer workloads and improve software resilience, and we encourage our industry partners and competitors to follow suit.”