A big — and worrisome — disconnect in enterprise IT security


When it comes to keeping enterprise systems and data secure, application security takes top billing. No matter how tight and snug an enterprise keeps security controls, an attacker need only exploit a vulnerability in an app to slither on in and grab a foothold. This is why application security and configuration management form such an important baseline to avoid attacks.

Good application security, in addition to secure software development practices, requires good collaboration among security and operations teams. But a recent survey of IT and security professionals, conducted by the security firm Prevoty, found some sizable disconnects. Here are the top three:

Immediacy of Updates

Half of IT professionals update applications once a month, whereas half of security professionals feel they need to update applications at least once per day, if not multiple times a day.

Time-Consuming Updates of Security Toolsets

Security professionals spend the majority of their time tuning existing application security technology, while IT professionals spend almost half of their time updating existing application security technology.

Vulnerability Backlogs

Ninety-three percent of security professionals report having up to 5,000 vulnerabilities in their backlogs, and 44 percent of IT professionals report that they have NO vulnerability backlogs.

When I see results like this, the first thing I think is there’s a breakdown in communication somewhere. Attacks against Web applications remain common, yet the proper attention needed to ensure they’re reasonably secure doesn’t seem to be there. And if IT teams are updating apps as little as once a month — and nearly half of them think they don’t have any vulnerability patching backlogs – something is awry. Either they aren’t taking security seriously, or they’re just not aware how risky a poorly configured and unpatched application can be.

Another issue here is how difficult security applications are to manage. If security teams are spending the vast majority of their time tuning apps, they certainly don’t have enough time to focus on more strategic efforts.

These types of organizational disconnects are precisely what efforts such as DevOps are supposed to help alleviate. Perhaps that’s the way forward out of this worrisome situation.




  1. In many cases it’s not that the systems maintenance people aren’t taking system and application security seriously, it’s that providers have a slow cadence for updates, even “critical” updates.

    For example, Oracle releases critical updates 4 times per year. Oracle has alerts for security fixes that can’t wait until the quarterly packaging, but these aren’t all that often. There were two in 2015 and 2 so far in 2016.

    For development, for an app change, someone has to raise the issue for it to be queued. If the app is monolithic, which is pretty standard, then the proposed change, once designed, has to be reviewed by the usual zillions of affected groups, especially if there’s an associated database change needed.

    The usual work silos all constrain the ability of the enterprise to get things done faster. Whether app change for a security fix, day to day maintenance, enhancements, or retiring technical debt–all are hostage to the sluggish enterprise workflow.


  2. geohulme says:

    Thanks for your comment. When it comes to vendor release cycles, I think it would be unreasonable for one to consider the team to be “behind” on a patch that hasn’t been released. I don’t believe that is what this survey is discussing. It’s discussing identifying vulnerabilities through assessments.

    Slow workflow is often a part of it, and why I cited DevOps.

    But there’s an obvious miscommunication, and lack of understanding, if security teams believe they are behind by X and operations teams believe something different. It should be up to security teams to help qualify and communicate the risks to the rest of the enterprise, and inform operations teams and others accordingly. This is where the disconnect comes in.

