Survey: Hiring More Talent Alone Won’t Solve Security’s Woes

Major data breaches are headline news. When criminals steal corporate data or personally identifiable information (PII), it can create a public relations nightmare with long-lasting business consequences. But well-publicized breaches are only the tip of the iceberg.

With the help of the Ponemon Institute, we surveyed nearly 3,000 cybersecurity professionals, and 64% of them plan to hire for vulnerability response in the next 12 months. But more talent alone won’t improve security.

In “Today’s State of Vulnerability Response: Patch Work Demands Attention,” we explore how and why breaches happen. The study found that efficient vulnerability response processes are critical because timely patching is the single most important tactic companies employed in avoiding security breaches. Yet organizations struggle with patching because they use manual processes and can’t prioritize what needs to be patched first.

We’re calling this confluence of trends the “patching paradox” – hiring more people alone does not equal better security. While security teams plan to hire more staffing resources for vulnerability response – and may need to do so – they won’t improve their security posture if they don’t fix broken patching processes first.

A practical look at the cybersecurity talent shortage

Cybersecurity teams already dedicate a significant proportion of their resources to patching. And that number is set to rise. Organizations spend 321 hours a week on average – the equivalent of about eight full-time employees – managing the vulnerability response process. On average, the respondents surveyed plan to hire about four people dedicated to vulnerability response, an increase of 50% over today’s staffing levels.

But adding cybersecurity talent may not be practical. According to ISACA, a global non-profit IT advocacy group, the global shortage of cybersecurity professionals will reach 2 million by 2019.

Job site Indeed reports that demand for cybersecurity talent far outstrips interest, with only 6.67 clicks for every 10 cybersecurity jobs posted in the US – meaning that at least one-third of postings get no views at all. That number drops as low as 3.50 clicks in Germany and 3.16 clicks in the UK. Against this backdrop, organizations will find it extremely difficult to secure the resources they need.

Why broken processes hurt

Even if organizations can find talent, the study found that hiring alone won’t solve their vulnerability response challenges. Security teams lost an average of 12 days per vulnerability manually coordinating patching activities across teams. 65% say they find it difficult to prioritize what needs to be patched first.

61% say that manual processes put them at a disadvantage when patching vulnerabilities. All this amounts to a majority (55%) spending more time navigating manual processes than responding to vulnerabilities. In one shocking example, one of our team members met with a Fortune 100 company that employs full-time staff whose sole responsibility is managing the spreadsheets used by different teams for vulnerability management and response.

The path forward: automation

The time to act is now. Breach rates are already extraordinarily high, and emerging AI-fueled threats are likely to increase the volume, speed, and effectiveness of cyberattacks even further. Organizations can’t rely solely on hiring amidst a talent shortage to get work done using the manual processes they use today.

The good news is that these barriers are not insurmountable. By automating routine processes and taking care of basic hygiene items, security teams can significantly reduce the risk of a breach. This doesn’t mean automating everything related to vulnerabilities and patching end-to-end. Instead, creating a structured process for vulnerability response gives security teams the opportunity to look for repetitive tasks within that process that are ripe for automation. With a pragmatic roadmap, better results are within reach of any organization, offering hope for a more secure future.

Download the report: “Today’s State of Vulnerability Response: Patch Work Demands Attention.”