Compliance Mandates Tie Up Security Pros, eEye Reports

In a report on vulnerability-management trends, eEye discovered that, for many IT staffers, regulatory compliance initiatives can take up as much as half their work week.

Compliance mandates are eating up as much as half of the work week for many security pros, according to a survey from eEye Digital Security.

For its "2011 Vulnerability Management Trends Report," eEye surveyed 1,963 IT security pros. More than 85 percent of respondents have compliance mandates, such as the Payment Card Industry Data Security Standard (PCI DSS), to contend with. But perhaps most interesting is that half of those surveyed reported that compliance initiatives take up to 50 percent of their work week.

This includes configuring applications so they are in line with various internal and external regulations and making sure the organization is in line with the various compliance rules.

"The big thing I was hearing from a lot of folks is, number one, they feel like they are doing a lot of work [that just involves checking] a box, but they don't really know if this is going to truly help them from a security perspective at the end of the day," said Marc Maiffret, chief technology officer at eEye.

With the recent release of its Retina CS 2.0 Management Console, eEye has turned its gaze toward addressing this issue with a new Configuration Compliance and Regulatory Reporting Packs modules. The reporting packs feature compliance reports that map vulnerability and configuration audits to compliance mandates, while the configuration module can be used to define and manage security policies related to regulatory and internal benchmarks.

"We've very much simplified the task of making sure you have the proper configuration," Maiffret said.

The product also includes a new Patch Management module designed to provide automated and agentless Windows patch management, as well as the ability for users to integrate information from the other modules to prioritize patch management.

"The company's Patch Management module could likely become a key differentiator for eEye-especially within the midmarket," opined Andrew Hay, an analyst with the 451 Group. "We believe the ability to both identify and patch vulnerable systems will appeal to cash-strapped SMB [small to midsized business] customers that are looking for easy ways to relieve both security- and compliance-driven pain points. Tightly integrating patching into the company's flagship product serves to address these pains for a relatively low cost."

Still, organizations face other challenges that are not technology-driven. According to eEye's survey, 31 percent of respondents said that the leading cause of unpatched vulnerabilities in their organization is a lack of staff, something Hay said he believes actually represents the "bulk of the problems" around organizations failing to patch their systems efficiently-or at all.

"It may be a question of not having the time to download the patches or that the system is far too critical to take down to patch correctly," he said. "In organizations with small operational security and systems teams, patching sometimes falls to the bottom of the pile while [seemingly] larger fires are put out."

Maiffret said that company's goal is to ease the process of vulnerability management for its customers. He noted that 18 percent of the people said they were unable to get patching done because they lacked a vulnerability-scanning solution that was integrated into a patch-management engine. Another 16 percent said they were unable to scan or patch remote devices or distributed networks on a regularly.

"A lot of folks in IT I talk to feel like they just don't know what's out there anymore," he said.