RSA And Infosec Surveys Reveal IT Departments Struggle With Vulnerability Management

Published 13th May 2008

...Poor Satisfaction Levels Reported for Both Audit Preparation and Patch Management, According to Survey Commissioned by Shavlik Technologies...

A new survey of IT professionals has today revealed that new regulatory compliance requirements - for implementing satisfactory technology solutions to address security vulnerabilities, data leakage and compliance - remain difficult for enterprise organisations to effectively achieve.

Shavlik Technologies, the market leader in delivering software solutions that rapidly accelerate and continuously improve security and compliance readiness, today announced results of its comprehensive survey of IT and security specialists conducted at both the RSA Conference 2008 and Infosecurity Europe 2008 events last month. The survey of 491 combined conference delegates from Europe and the U.S. identified their top security priorities and what solutions they may have implemented to manage the vulnerabilities that threaten their organisations.

According to the survey results, the top three priorities were: Data Protection / Leakage Prevention – 53.2 per cent; Internal Network Security – 51.8 per cent; and Policy and Regulatory Concerns – 43.8 per cent. Other significant priorities were patch management – 38.6 per cent and the security of virtualised machines – 32.6 per cent.

Delegates were also asked about the solutions implemented for audit preparation and patch management and whether they were satisfied with them. For audit preparation, only 60.8 per cent indicated that they were satisfied or highly satisfied which suggests that there are a significant proportion of organisations unhappy with their current solutions. Respondents were equally unhappy with patch management solutions with 40 per cent reporting they were unsatisfied with their current technology solution.

“Despite efforts to apply various technologies companies continue to struggle with efforts to manage and close vulnerability gaps, while concerns over regulatory compliance are driving them to look for more ways to simplify through automation,” said Mark Shavlik, CEO, Shavlik Technologies. “Generally, organisations struggle to manage their security and compliance needs which leaves them open to attack or the discovery of a weak link by an auditor. We’re working with customers to resolve these issues to their satisfaction.”

Three quarters of respondents, 75.7 per cent, confirmed they were either concerned or highly concerned over compliance with specific mandates such as PCI DSS, ISO 27002, or Sarbanes Oxley. They identified a broad range of solutions to manage the audit process—a total of 123, ranging from “home grown” to “a lot of systems” from various vendors. Many respondents indicated they continued with manual processes for elements of their patch management process, even though more than 115 different solutions for patch management were identified in the surveys.

“Companies are increasingly recognising the need to automate operations in order to streamline compliance as an ongoing business process. But too many organisations still don’t have a standard approach, which leaves gaps in their security infrastructure,” added Shavlik. “At Shavlik we feel it’s critical to educate customers on the importance of mature, best-of-breed solutions that simplify, automate, and provide better control over security and compliance management.”