The challenge with IT security today isn't just that the bad guys get more sophisticated with each passing year, it's that the number of people dedicated to maintaining security within the enterprise is either staying constant or shrinking at a time when the number of assets that needs to be defended is increasing.
This situation is creating increased problems for IT organizations of all sizes. A recent survey of 1,963 IT professionals conducted by eEye Digital Security, a provider of vulnerability assessment and management software, finds that 60 percent of professionals acknowledge having unpatched vulnerabilities in at least 25 percent of their applications.
The primary reason why this situation exists, according to the survey, is that IT organizations don't have enough people on hand to manage the task.
But eEye Digital CTO Marc Maiffert says that IT organizations need to come to grips with a new security reality. Rather than relying on unstructured manual processes for dealing with security issues, IT organizations need to start embracing frameworks that automate as much of the remediation process as possible.
Right now, the application environment that IT organizations are trying to secure is simply too fractured. Without some automated approach, IT organizations are counting on having the security expertise needed to manage each of those application environments on hand. Given the current state of the economy, the likelihood of that happening is minimal, says Maiffert.
And in a new era of zero-day attacks, the probability that security professionals can identify and remediate vulnerabilities before something bad happens to the organization is even more remote.
Unfortunately, resistance to automation in the ranks of security professionals has been building up for several years now, largely because there is a lack of trust caused by not being able to see into the security processes that are being automated. But as the scope of the problem continues to grow and more transparency comes to the automation process, Maiffert says that it's only a matter of time before automating the vulnerability identification and remediation process becomes the standard operating procedure.
After all, what limited security resources that IT organizations have in terms of people should be focused on a lot more challenging security issues than vulnerability management.