Cybersecurity

IT pros face ‘explosion of vulnerabilities’ right now

How to make the giant task of vulnerability management feel just a bit smaller.

Unlike you and that high-school bully you’ve never quite forgiven, IT professionals know how to patch things up. They’re the ones who must repeatedly scramble to fix vulnerabilities in laptops, servers, databases, and any other network-facing devices that have a kernel of an operating system.

All this vulnerability management can be an exhausting responsibility—but it’s one that can potentially be relieved when IT managers reduce the scope of the colossal task, as well as recognize the teams’ efforts, according to industry experts who spoke to IT Brew.

Take just the category of applications. Some retailers require adjustments to Web and mobile apps on an almost daily basis, said Sonali Shah, chief product officer at the app-security provider Invicti Security.

“There’s that pressure, I would say, to continuously innovate,” Shah told IT Brew. “But at the same time, there’s this explosion of vulnerabilities.”

The U.S. government’s National Vulnerability Database (NVD), which catalogs Common Vulnerabilities and Exposures (CVE) entries, lists over 176,000 of them in total. (Even the list for June alone looks like a lot.)

A 5 out of 100: Not as bad as you think

For a vulnerability management program to succeed, IT teams may have to find a way to narrow down the list of flaws—to not worry about scoring a perfect 100 necessarily.

Verifying that a patch has been deployed is an important aspect of vulnerability management—one potentially made less overwhelming when top priorities are defined and handled first.

“The reality is, if I hand you 100 [vulnerabilities], you’re going to look at me and say, ‘Yeah, I’ll get to it at some point,’” said Sophat Chev, chief advisor of security at IT service-management company ConvergeOne. “If I give you five, you’re probably more apt to go fix those five, right?”

Top insights for IT pros

From cybersecurity and big data to software development and gaming. Our IT Brew newsletter delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

Backlog and burnout

Prioritizing, patching, remediating, and reporting is an even tougher set of responsibilities when you’re also tasked with the usual IT assignments, like providing technical support, training employees, working with suppliers, and explaining that printer No. 2 isn’t working because nobody’s refilled the paper tray.

“There’s just so much stuff going on, so many alerts, so many notifications of suspicious or malicious activity, that it’s impossible to keep up with all of them,” said Ian McShane, VP of strategy at Arctic Wolf, a network-monitoring cybersecurity company. “It means that the backlog for a lot of work in cybersecurity just gets bigger and bigger every single day.”

To ease the mind of a vulnerability manager, executives may need to find ways to make their IT teams feel seen and appreciated, and to recognize efforts like the Log4j remediation—the kind of fix that likely required many professionals to work over the weekend, said Shah.

Enterprises must shift to a mindset that recognizes the effort behind security, Shah told IT Brew, especially when “heroic efforts” are undertaken and people work long hours over multiple days to fix a problem like Log4j.

“It’s essential to celebrate group wins and accomplishments,” Shah said in a follow-up email. “Recognition is a great way to keep talented workers at your organization and can also help you find new leaders to promote from within.”—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.