Survey: Security Patches Put IT Leaders Between Rock and Hard Place

A global survey of 504 CIOs and CISOs finds that 81% of respondents admit they have refrained from applying an important security update or patch because of concerns about its impact on business operations. More than half (52%) said they have done so on more than one occasion.

Potentially even more disturbing, 80% of CIOs and CISOs have discovered that a critical update or patch they believed had been deployed had in fact not reached every device affected by the vulnerability.
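The gap the survey describes, between a deployment tool reporting success and devices actually running the fixed version, is only visible if someone reconciles the two records. The following is an added example, not code from the article or from Tanium, of such a reconciliation: it trusts only fresh endpoint inventory reports, never the deployment tool's own status, and flags every targeted host that is missing from inventory, reporting stale data, or still on a version below the fix. The host names, package name, versions and timestamps are constructed for the example, and the version comparison is a simplification; for real distribution packages, use the package manager's own comparison (for example, `dpkg --compare-versions`) rather than this helper.

```python
"""Reconcile a patch tool's "deployed" claims with what endpoints actually report.

Constructed example: the hosts, package, versions and timestamps are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


def version_key(version: str) -> tuple:
    """Turn "2.4.58-1ubuntu2" into a tuple that sorts like a package version.

    Digit runs compare numerically, letter runs lexically, and separators are
    ignored; a version that is a prefix of another sorts below it ("2.4" < "2.4.1").
    Simplified: no epoch or tilde handling, unlike dpkg/rpm comparison rules.
    """
    key = []
    for chunk in re.findall(r"\d+|[A-Za-z]+", version):
        key.append((0, int(chunk), "") if chunk.isdigit() else (1, 0, chunk))
    return tuple(key)


@dataclass
class Observation:
    host: str
    package: str
    version: str
    seen_at: datetime  # when the endpoint agent last reported this package


def unpatched_hosts(targets, deployment_claims, observations, package,
                    fixed_version, now, max_age=timedelta(hours=24)):
    """Return {host: reason} for every target host that cannot be shown to be patched.

    targets:           hosts the patch was supposed to reach
    deployment_claims: {host: status} as recorded by the deployment tool
    observations:      package versions reported by the endpoint inventory
    A host counts as patched only if a fresh inventory report (no older than
    max_age) shows a version at or above fixed_version. The deployment tool's
    status is reported for context but never used as evidence.
    """
    latest = {}  # most recent observation of `package` per host
    for obs in observations:
        if obs.package != package:
            continue
        if obs.host not in latest or obs.seen_at > latest[obs.host].seen_at:
            latest[obs.host] = obs

    gaps = {}
    for host in sorted(targets):
        obs = latest.get(host)
        claim = deployment_claims.get(host, "no record")
        if obs is None:
            gaps[host] = f"no inventory report for {package} (tool says: {claim})"
        elif now - obs.seen_at > max_age:
            gaps[host] = (f"stale report: {obs.version} last seen "
                          f"{obs.seen_at:%Y-%m-%d} (tool says: {claim})")
        elif version_key(obs.version) < version_key(fixed_version):
            gaps[host] = f"still running {obs.version} (tool says: {claim})"
    return gaps


# Constructed sample data (hypothetical package and versions).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
PACKAGE = "apache2"
FIXED_VERSION = "2.4.58"
TARGETS = {"web-01", "web-02", "web-03", "db-01", "vpn-01"}
DEPLOYMENT_CLAIMS = {  # what the deployment tool logged; vpn-01 was never recorded
    "web-01": "success", "web-02": "success", "web-03": "success", "db-01": "success",
}
OBSERVATIONS = [  # what the endpoint agents actually reported
    Observation("web-01", PACKAGE, "2.4.57", NOW - timedelta(hours=20)),
    Observation("web-01", PACKAGE, "2.4.58", NOW - timedelta(hours=1)),    # newest report wins
    Observation("web-02", PACKAGE, "2.4.57", NOW - timedelta(hours=2)),    # "success", still old
    Observation("web-03", PACKAGE, "2.4.58", NOW - timedelta(days=3)),     # report too old to trust
    Observation("db-01", "postgresql", "15.5", NOW - timedelta(hours=1)),  # never reported apache2
    Observation("vpn-01", PACKAGE, "2.4.52", NOW - timedelta(hours=1)),    # missed by the tool entirely
]


def report():
    """Run the reconciliation over the sample data."""
    return unpatched_hosts(TARGETS, DEPLOYMENT_CLAIMS, OBSERVATIONS,
                           PACKAGE, FIXED_VERSION, NOW)


if __name__ == "__main__":
    for host, reason in report().items():
        print(f"{host}: {reason}")
```

On the sample data, web-01 is the only host that passes; web-02 shows the case the survey warns about (tool says success, endpoint still on the old build), web-03 shows why a report's age matters as much as its content, and db-01 and vpn-01 show two ways a host drops out of coverage without any error being logged.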

The survey, conducted by Tanium, a provider of endpoint management tools, illustrates the dilemma IT leaders face every day: the rate at which patches for critical vulnerabilities are issued keeps climbing, yet any one of those patches can disrupt applications that depend on a service provided by the component being patched. In an ideal world, IT organizations would have plenty of time to test the downstream impact of each patch. Unfortunately, the window between a vulnerability being disclosed and cybercriminals starting to exploit it narrows with each passing day.

A full 94% of survey respondents said they regularly have to make compromises when trying to protect their organizations from disruption. The reasons span pressure to keep the lights on (33%), the need to implement new systems (31%), being hamstrung by legacy systems (26%) and internal politics (21%). Nearly half (47%) of the CIOs and CISOs surveyed said they face challenges because other business units do not grasp how important technology resilience is to the company, while 40% said issues arise because other business units prioritize their customer work over security protocols.

Chris Hallenbeck, CISO for the Americas at Tanium, said the survey highlights how critical it has become for IT leaders to regain control over the software development life cycle. In most cases, that will require transitioning to more modern application architectures based on microservices built with containers. While that may require new security tools, containerized applications are much easier to update than a monolithic legacy application that must be patched in place, he noted, adding that those applications also tend to be more resilient because it becomes easier to isolate malware infestations. At the same time, Hallenbeck said most organizations would be well advised to rationalize the number of cybersecurity tools they have in place to increase overall visibility.

Being an IT leader in this era is a significant challenge. Most IT leaders are not in a position to slow, let alone halt, the rate at which new applications are being developed. In most cases, their role has become minimizing the risk of deploying those applications in a production environment. But as more applications are deployed, the attack surface that needs to be defended grows steadily, which lowers the odds that IT leaders can successfully defend their organizations from cybercriminals who need to find only one weakness to exploit. Protecting those assets as much as possible is still important, but the real test of leadership these days comes down to how well an IT team can limit the impact of a breach once it occurs.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.