One of my favourite cult classic movies was an obscure but star-studded picture called Mars Attacks. In the movie, Jack Nicholson plays the President of the United States trying to make peace with the vicious Martians. In his final scene, he makes an impassioned speech to the Martian leader, with his final line being “Why can’t we all just get along?” The Martian leader’s response was a tear and an “Ack-Ack,” followed by killing President Jack.
This scene is all too often paralleled in real life, with the opposing roles played by Security and IT. While they may not vaporize each other, they do operate under diametrically opposed missions. Security’s job is to keep the company safe – full stop. If they had their way, access to systems would be very tightly controlled and an almost weekly patching routine would be implemented, slowing the enterprise to a crawl. IT, on the other hand, is tasked with keeping the company up and running. They view patching as a necessary evil that consumes precious time and resources that they could focus on more innovative projects.
Unfortunately, recent high-profile cybersecurity threats have brought the importance of patching known vulnerabilities to the forefront and have exposed just how big a challenge both security and IT face. While industry metrics vary widely, the average time known vulnerabilities remain unpatched is over 180 days. In a recent discussion with a cybersecurity executive at a leading utility company, he estimated that it was actually a bit higher at 187 days, and shared that they have an ongoing project to reduce that number to 90 days over the next year. While that would be an impressive improvement, it still leaves the organization exposed to known vulnerabilities for over three months – ample time for cyberthreats to wreak havoc.
He went on to say that one of his biggest challenges was prioritizing known vulnerabilities, having his colleagues in IT Operations acknowledge their ranking, and then allocating scarce resources to patching the at-risk assets. One of the fundamental challenges he faces is aggregating all of his threat and vulnerability information into a central location and then presenting it in a format that IT Operations can integrate and consume in their ITSM and ITOM tools. While he recognized there are also a number of fundamental cultural and cross-silo process challenges to overcome, he felt that integrating this information would go a long way toward alleviating the problem.