Financial sector takes up to 176 days to patch security flaws by Charles Oborne.
From the post:
The financial industry takes an average of 176 days to patch security problems, a new analysis of reported vulnerabilities reveals.
Cybersecurity threat prediction and remediation firm NopSec has released an analysis of over 65,000 security vulnerabilities recorded across two decades. The report, titled “2015 State of Vulnerability Risk Management,” reveals that key security issues and known vulnerabilities are being overlooked by the enterprise — and it takes far too long to patch problems as they surface.
The report analyzed over 65,000 vulnerabilities logged within the National Vulnerability Database, a US government repository of standards-based vulnerability management data which includes security related software flaws, misconfigurations, product names, and impact metrics.
…
Direct link to: 2015 State of Vulnerability Risk Management.
Digging into the report you will find this jewel:
Most alarming was the financial industry with over 30% of vulnerabilities taking more than a year to fix from the time they were detected.
This is another example of a report that lacks “business intelligence.” Let’s assume that we want to fix all vulnerabilities within 30 days of discovery. We could just adopt that as corporate policy but what would that take to become a corporate reality?
Among other things (this isn’t exhaustive), we need to work out whether remediation requires additional personnel (and the payroll to pay them), the probable costs of software, training, etc. for remediation, and the costs we currently incur without those additional personnel and expenses.
It could take two years or more to fix some vulnerabilities, but if the cost of fixing them exceeds the cost of living with the vulnerability, can you guess which strategy most business leaders will choose?
Vulnerabilities don’t exist in a vacuum, separate and apart from all other enterprise activities and goals. Like you, I would have them outrank other priorities, but someone has to make sure the business turns a profit, not simply that it is secure. Unprofitable and secure is a bad state.