Utilizing Automation to Alleviate Alert Fatigue, Workforce Shortages, and More
This session explores strategies to address the growing volume of vulnerabilities and associated challenges of alert fatigue and resource shortages through safe automation.
As common vulnerabilities and exposures (CVE) in software continue to rise for modern enterprises, alert fatigue is only one of several challenges for IT teams to consider. Exhaustion and alert fatigue paired with looming talent shortages create a sinister combination that continues to wear down and limit the effectiveness of security teams.
In this archived keynote session, Rachel Lockett, author and former CIO of Pohlad Companies, and Jason Kikta, CISO and SVP of product of Automox, reveal ways to harness the power of safe automation technologies to strategically address the growing volume of vulnerabilities and associated challenges of alert fatigue and resource shortages.
This segment was part of our live webinar titled, “The CIO's Guide to Automation to Solve Workplace Shortages, Alert Fatigue, and More.” The event was presented by information on August 14, 2024.
A transcript of the video follows below. Minor edits have been made for clarity.
Rachel Lockett: Let's talk about this diagram and the one we have coming up next. Both slides illustrate the problem that we have with alerts, and these are legitimate alerts that we need to see. It shows the growing volume of alerts and how they contribute to fatigue. Tell us a little about this diagram here.
Jason Kikta: Yeah, absolutely. So, this shows a projection built last year of CVEs. These are vulnerabilities in software packages that need to be dealt with by customers. And as you can see, from 2015 up through 2023, there was a massive uptick.
Now, there is a little bit of nuance here. This doesn't necessarily mean that software is getting less secure. In fact, it almost certainly means that we are getting better as an industry at identifying and understanding the importance of these vulnerabilities.
In 2015, I would say pound for pound, most software was less secure than it was in 2023, absolutely. But people are finding these and realizing the importance of them.
They're producing patches for them, and it does not change the bottom line of this equation, which is IT teams need to patch these vulnerabilities or change configuration to deal with them.
That volume continues to rise and it's massive. It's funny, because it had predicted when the slide was made, that in 2025 we would reach 32,000 CVEs. Well, now we have an entirely new wrinkle that began in January of this year, and as you'll see on the next slide, we're a little bit off the map.
So, what happened with these vulnerabilities is vendors produce these, and they send them off to NIST, the National Institute for Science and Technology in Washington, D.C. They run NVD, the National Vulnerability Database.
They analyze these, and some of them require modification, some of them get rejected, and that becomes your true count of the CVEs that must be addressed each year.
Well, they have been chronically under-resourced, and it sounds like some people probably left because they were tired of being chronically under-resourced. As a result, they have a backlog of CVEs that haven't even been analyzed.
So, we have no official count globally, right? This is the authoritative database for the world, and no one has an official count of how many CVEs that we have had this year.
As of July, we were up to 16,000 and that backlog is projected to trend upward. Fortress, a cybersecurity company, did an analysis recently and it's projected to hit 30,000 by year end, which is astounding.
So not only might we hit 30,000 and be ahead of that projection, but we don't even know if those are all CVEs, or if some need to be rejected or modified. We are completely off the map this year. So, on the one hand, it's a good trend.
Vendors are taking CVEs more seriously. They are being aggressive with it and running bug bounty programs, and generally doing the things that they should. But it is a real problem for the rest of us to track, analyze, and build policies and strategies to get those patches done.
RL: Absolutely, and you know there is a common solution to that problem being discussed. I have read so many articles on this topic saying that one of the top pieces of advice is to do rotating of responsibilities.
It’s to throw more people at the problem and rotate different people in so a fresh set of eyes can be looking at it. These are eyes that are not fatigued by the alerts and can deal with these things and address them appropriately.
But the problem is that it's dependent upon having more resources, and I say more bodies to throw at the problem. It can't just be warm bodies though -- it must be skilled resources.
So, that's not a sustainable long-term solution in and of itself. And then you add to that the fact that we have this other industry trend that's making that even harder to do if it were a sustainable solution. That trend is the shortage of technology resources, which you just mentioned, and even the resources to be able to analyze these incoming reports.
So, I have a few details or statistics here about the workforce shortage, according to Gartner. A couple years ago in 2022, 50% of tech vacancies had been open for six months or longer, and of course they expected that trend to continue, and I believe it has.
Also, 58% of IT workers say they're suffering from job burnout, and 89% of those say that they want to quit. So, there is that high turnover caused by the burnout that we're talking about.