It was Benjamin Franklin who once wisely quipped, “Nothing is certain except death and taxes.” I would add data breaches to that list. The number of data breaches continues to rise. The Office of the Australia Information Commissioner (OAIC) reported over 262 in the last quarter of 2018. As breaches increase, so too does the number of skilled personnel required to protect Australian organisations from today’s threats.
Organisations are facing a serious shortage of cyber resources and talent. A report from AustCyber estimates that Australia needs to train 18,000 more people by 2026 to fight the cybersecurity threats and is going to fall far short of that target with demand outstripping supply. What is the effect of this dearth of talent? A recent report by the Ponemon Institute on behalf of Tenable found that 58% of respondents indicated that shortages in skilled staff affect their ability to scan vulnerabilities in a timely manner, and 51% are bogged down by manual processes and insurmountable backlogs. The sheer volume of vulnerability data is overwhelming. Security teams are so busy reacting to alerts that there’s no time to proactively improve security and identify existing compromises before they become massive data breaches.
No time like the present
The government has stood up and taken note of the skills shortage and how it’s leaving organisations vulnerable to targeted attacks. In the recent Federal Budget, it announced $41.7 million over four years to be dedicated to a pilot of skills organisations across the country. Organisations would develop training packages for skills in high demand, including ICT and cybersecurity, and would help to foster links with industry. The government's pledge to train the next generation of digital warriors is much welcomed but training and development takes time and the threat landscape is in constant evolution.
Australian businesses can’t afford to stand still. Our Vulnerability Intelligence Report revealed an enterprise uncovers an average of 870 vulnerabilities per day across 960 assets. And of those, more than 100 vulnerabilities are rated as critical. On a daily basis, security teams are swamped and unable to identify which vulnerabilities pose the greatest threat to the business. They must look beyond traditional vulnerability prioritisation efforts, such as Common Vulnerability Scoring System, which lacks the granularity to provide an accurate measure of criticality.
Prioritise the big bad 3%
With an insufficient picture of the vulnerability landscape and a scarcity of resources, how can organisations adequately identify vulnerabilities and assess cyber risk? Given this landscape, prioritisation has become the key challenge for security professionals – it’s what sets apart mature IT organisations, and provides the competitive edge to effectively mitigate risk in today’s era of digital transformation.
For most vulnerabilities, a working exploit is never developed and of those, an even smaller subset is actively weaponised by threat actors, making it difficult to understand which vulnerabilities to remediate first. Predictive Prioritisation enables organisations to cut through the noise, allowing them to focus on mitigating the 3% of vulnerabilities which pose the greatest business risk. Using actionable insights, security teams can prioritise remediation efforts to find the most dangerous needles in their haystack of vulnerabilities. An effective, risk-centric prioritisation plan can reduce the number of critical and high vulnerabilities that organisations need to patch.
Faced with an expanding attack surface and a shortfall in the cybersecurity workforce, prioritisation will help Australian organisations answer foundational questions about where they’re exposed and what vulnerabilities to prioritise for remediation based on the threat landscape -- two questions which are critical for achieving Cyber Exposure.