Cybersecurity professionals find themselves trapped in an endless cycle of patching due to the relentless and rapidly evolving activities of cybercriminals. They are continuously working on enhancing the resilience of the systems they manage. For many organizations, the escalating level of risk is becoming unsustainable as the IT professionals responsible for safeguarding enterprise systems experience mounting frustration, which can ultimately lead to burnout.
Our smartphones and computers notify us of the need to install the latest updates, and computer networking hardware also needs regular software and firmware upgrades. This patching removes vulnerabilities that could otherwise lead to potential security incidents. A problem arises when cybersecurity experts face an avalanche of patches for various vulnerabilities, and currently this situation is worsening.
Organizations around the world now find themselves in an endless loop of massive vulnerability patching. Patches are issued so often that by the time a patch is issued for a discovered bug, a new risk has already appeared. “This endless, even chronic, cycle of vulnerability patches is contributing to apathy among many enterprises and cybersecurity professionals,” says Petr Kocmich, the Global Cyber Security Delivery Manager at Soitron. Their resignation to the situation may be caused by various factors; most often it is due to a shortage of staff, particularly of cybersecurity experts, in organizations.
The identified vulnerabilities are only the tip of the iceberg; they are only around 10% of the potential threats that are discovered, known, and being addressed. Also, software, hardware, and IT systems developers working on eliminating existing vulnerabilities may create new ones by unintentionally introducing new bugs in the code.
“Paradoxically, the deployment of the latest available updates by cybersecurity experts can often create more problems. While the majority of security patch installations can be automated effectively, there are additional processes necessary for upgrading and installing higher versions of individual systems and firmware.
“For instance, network element upgrades often require extensive testing and system downtime, as well as specific procedures, to switch over to a newly upgraded system functioning in high availability mode. These activities frequently cause frustration, and even instil a fear of system upgrades, as they don’t always maintain the stability and flawless performance claimed by vendors.
“This inconvenience holds true for nearly all modern products. The technology is becoming increasingly complex and, on top of that, in an effort to stay competitive, manufacturers sometimes incorporate unnecessary functions and integration elements, further complicating the code and escalating the risk of introducing errors.
“Automated testing conducted by the manufacturer in a simulated environment cannot possibly uncover all the errors that arise in specific configurations and complex real-world integrations. Consequently, this poses a significant risk to administrators and engineers, ultimately leading to burnout,”adds Kocmich.
Indeed, the commitment of professionals is decreasing significantly as they realize that organizations are more vulnerable.
This is a well-known reality for cybersecurity professionals. The speed and complexity of threats continue to increase, affecting privately-owned organizations as well as individuals and government entities. Cyber attackers are becoming more efficient, intelligent, and innovative, infiltrating computer systems at a pace that surpasses the ability of cybersecurity measures to respond.
As Kocmich states, “The cybersecurity industry will continue to play catch-up, reacting to current attack types and constantly chasing an elusive train with the attackers onboard; however, the positive news is that cybersecurity experts are not far behind. They are holding onto the boarding handrail of that train.” Recognizing this new reality, businesses must develop their own effective patch management policies, understanding that not all patches will benefit them. Deploying the wrong patches can lead to system outages or compatibility issues with other applications and systems.
“It is crucial to have a well-prepared and high-quality test environment that ideally mirrors the production environment (while acknowledging that this is neither easy nor inexpensive) to regularly and sufficiently test patches and upgrades,” adds Kocmich. One of the main contributors to a higher error rate is the accelerated release of many patches, including security-related ones as well as those implemented to keep up with the competition and offer similar features.
Although extensive testing, including penetration testing, is conducted before the release of patches and updates, it is impossible to guarantee their flawlessness. Having said that, implementing a proper testing methodology within your organization’s environment reduces the risk of your security team deploying a harmful patch.
Perhaps the uphill battle faced by cybersecurity experts is further complicated by a decline in optimism; this is why it is important not to give up and to continue the fight.
How can you balance this inherent disparity between hope and reality? It is vital to celebrate every small success, engage in continuous training (not just in cyber security), and rigorously monitor adherence to adequate and established processes. “Cybersecurity professionals should support each other by consistently and methodically expanding their knowledge and skills, actively contributing to the security community with their expertise and experience, and promoting security awareness,” says Kocmich.
We are in the process of finalizing. If you want to be redirected to our old version of web site, please click here.
