81% of CIOs & CISOs delaying security patches to ensure uninterrupted business operations

News by Jay Jay

CISOs are delaying the adoption of important security updates and patches to ensure uninterrupted business growth, with a quarter certain their organisations aren't compliant with data security legislation.

Considering that operational efficiency is the main focus for a business looking to grow and expand, it is essential for IT teams to ensure that technology remains an enabler for business growth rather than be a persistent noose around the neck.

To achieve this, despite facing the dual challenge of meeting a multitude of cyber threats and ensuring enhanced productivity of their businesses via the adoption of cloud, web applications, and AI, a vast majority of CIOs and CISOs at organisations are opting for the latter and delaying the adoption of important security updates and patches to ensure uninterrupted business growth.

According to Tanium's Global Resilience Gap study that includes feedback from CIOs and CISOs at organisations based in the United States, the UK, Germany, France, and Japan, as many as 94 percent of IT security executives are making compromises when protecting their organisations from disruptions to technology, including cyber-threats and outages.

This is because IT security professionals, including CIOs and CISOs, are finding it extremely hard to maintain complete visibility over their endpoints, containers and servers, are struggling to secure business units that function as independent silos, and lack the skills required to accurately detect cyber-breaches in real-time.

In fact, the lack of visibility is so stark that over 80 percent of CIOs and CISOs said that they found critical updates or patches they thought had been deployed had not actually updated all devices, leaving the business exposed as a result.
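The "thought it was deployed" gap described above is something a defender can check for mechanically. The following is an added example, not code from the article or from Tanium: it reconciles what a patch deployment tool reports against what an endpoint inventory scan actually finds, using constructed sample data and hypothetical host and patch names.

```python
# Added example: reconcile a deployment tool's reported status with scanned reality
# so that "reported success but not actually installed" hosts are surfaced.

# Constructed sample data: one record per host/patch from the deployment tool.
DEPLOYMENT_REPORT = [
    {"host": "ws-001", "patch": "PATCH-A", "status": "success"},
    {"host": "ws-002", "patch": "PATCH-A", "status": "success"},
    {"host": "ws-003", "patch": "PATCH-A", "status": "failed"},
    {"host": "ws-005", "patch": "PATCH-A", "status": "success"},
    {"host": "ws-001", "patch": "PATCH-B", "status": "success"},
]

# Constructed inventory scan: patches actually found installed on each host.
# ws-004 and ws-005 have no scan record, which is itself a visibility gap.
INVENTORY_SCAN = {
    "ws-001": {"PATCH-A", "PATCH-B"},
    "ws-002": {"PATCH-B"},
    "ws-003": set(),
}

# Constructed asset register: every host that should have been patched.
FLEET = {"ws-001", "ws-002", "ws-003", "ws-004", "ws-005"}


def reconcile(report, scan, fleet, patch):
    """Classify every fleet host for one patch by comparing report with scan.

    verified   - tool reported success and the scan confirms the patch is present
    false_ok   - tool reported success but the scan does not show the patch
    failed     - tool itself reported a failure
    unscanned  - tool reported success but there is no inventory record to verify
    untargeted - host exists in the fleet but the deployment job never touched it
    """
    reported = {r["host"]: r["status"] for r in report if r["patch"] == patch}
    buckets = {k: set() for k in ("verified", "false_ok", "failed", "unscanned", "untargeted")}
    for host in fleet:
        if host not in reported:
            buckets["untargeted"].add(host)
        elif reported[host] != "success":
            buckets["failed"].add(host)
        elif host not in scan:
            buckets["unscanned"].add(host)
        elif patch in scan[host]:
            buckets["verified"].add(host)
        else:
            buckets["false_ok"].add(host)
    return buckets


def verified_coverage(buckets, fleet):
    """Fraction of the fleet where the patch is confirmed present, not merely reported."""
    return len(buckets["verified"]) / len(fleet)
```

Only the verified bucket should count toward the coverage figure reported to the business; the other four are the exposure the survey respondents described.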

While 34 percent of CIOs and CISOs said that they were struggling to adapt to their organisations' growing complexity, 33 percent admitted that hackers were more sophisticated than their own IT teams, and 24 percent said poor visibility over endpoints prevented them from securing their organisations from cyber-attacks.

Along with facing these challenges, IT security teams also have to ensure that they are enablers of business efficiency and are not stifling growth. As a result, 81 percent of CIOs and CISOs have postponed important security updates to enterprise systems due to concerns about the impact they might have on business operations. Over half of them (52 percent) have done so more than once to keep the operations teams happy.

Two other reasons why CIOs and CISOs are being forced to compromise on timely security patches are that, firstly, other business units do not grasp how important technology resilience is to the company and, secondly, business units prioritise their customer work over security protocols. These factors clearly indicate that CISOs are still not allowed to call the shots, even though US organisations are reported to be losing US$ 700 billion (£535 billion) every year to IT downtime.

"Organisations should understand that compromising on security may be a cost-effective choice in the short term, but could lead to much more serious business disruptions than those caused by maintaining a consistent patching routine," said Paul Norris, senior systems engineer EMEA at Tripwire to SC Magazine UK.

"Identifying the risks across the IT systems allows organisations to pinpoint the vulnerabilities that leave it exposed to the biggest threats. Those should be patched prioritising those that, after a thorough risk assessment, result in having the highest potential impact and ease of exploit.

"With cyber-defence, getting the basics right counts for a lot and the majority of successful attacks can be prevented with foundational security controls, like ensuring systems are securely configured and managing and patching vulnerabilities," he added.

Because of their inability to patch IT systems with the latest updates, CIOs and CISOs, who are the primary custodians of data that their organisations store and process, fear that their organisations may lose customer data as a result of such compromises and a quarter of them are certain of the fact that their organisations are not compliant with current data security legislation.

"As organisations look to build a strong security and compliance culture, it is essential that IT operations and security teams unite around a common set of actionable data for true visibility and control over all of their computing devices. This will enable them to prevent, adapt and rapidly respond in real-time to any technical disruption or cyber-threat," Tanium said.
