Investing in substantial automation that enables agile and strategic business operations are vital to compete and grow in today’s digital landscape.
In this archived keynote session, Rachel Lockett, vice president of business technology solutions and operations at Surescripts, and Jason Kikta, CISO and senior vice president of product at Automox, discuss how organizations are utilizing automation to find value and regroup to meet challenges.
This segment was part of our live virtual event titled, “The CIO’s Guide to IT Automation in 2025: Enabling Innovation & Efficiency.” The event was presented by InformationWeek on February 6, 2025.
A transcript of the video follows below. Minor edits have been made for clarity.
Rachel Lockett: So, the outcomes and consequences of alert fatigue in all its different forms can be ignored alerts, slowed response times, and ultimately not reacting with urgency when something is due. They can also result in burnouts. Since joining the healthcare field, I have heard more now about provider burnout.
There have been news stories about alert fatigue resulting in things being missed and ignored that resulted in patient deaths. So again, let’s make a correlation to the technology field. What have you seen in your experience? What have been the direst consequences and costly mistakes that you’ve seen because of alert fatigue and lack of automation?
Jason Kikta: I think one of the best and easiest examples for people to orient on when they think about it, especially at the intersection of IT and security, are the number of vulnerabilities. So, this is the slide that you and I showed the audience when we met last year. This was the projection for the number of CVEs.
The number of security vulnerabilities in software was growing at an alarming rate and becoming a lot to process. We talked about this, and we said by the time we get to 2025 it’s going to be up to 32,000 a year, and it’s going to be bad. We had 28,000 in 2023, but then in 2024 we had 40,000! It totally blew out the curve.
Now, there is some nuance here, right? This is not necessarily a bad thing in terms of cybersecurity, because part of this is vendors have gotten better as well as security researchers. They’ve gotten better at finding these vulnerabilities, and vendors have become more disciplined in reporting these vulnerabilities.
So, there is some healthiness to those numbers being high, but it still doesn’t change the base condition. I spoke to a company late last year, and their security team was trying to manually read through every CVE that was released by every vendor and match it up with their environment to see if they had it somewhere in their tech stack.
Then, they would make a manual determination about how they were going to proceed. Were they going to patch it? If so, how quickly were they going to patch it? It was mind boggling. I thought to myself, how do you keep up? The gentleman I spoke to chuckled and said, well, we keep up poorly. Poorly is the answer.
RL: Right, because first, that’s intensive labor based on the cost involved. But how can you catch up on time? There’s going to be a delayed response because there’s just too much volume.
JK: Another great example is the National Vulnerability Database where they can’t even keep up. They are the ones charged with maintaining the global authoritative database, and they’ve had trouble keeping up. And this was as of last summer.
They don’t have newer numbers out, but their last announcement in November was that we’ve added a lot of external contractor support, and paid a lot of money to bring on this extra capacity. We are now keeping up with all the new ones, but we’re still behind in the backlog. We don’t have an effective way to burn that down.
These problems are not getting better, in fact, they’re getting worse on the demand side. So, we must fix the supplies, or maybe it’s backwards. Maybe it’s the supply side, right? The amount that needs to be dealt with is just going to keep rising, and the ability to keep up with it manually is going to be overwhelming. So, you must fix it through better automation and thinking through these processes more holistically.
RL: You brought up exactly what I wanted to talk about next. Again, always coming at these things from the human impact perspective. A common solution, which you just described, is to throw more people at the problem, right? Hire more contractors and let’s just keep throwing more people at the problem.
Things like rotating responsibilities between team members can help to reduce the impact of alert fatigue for a while, but it’s just not a sustainable long-term solution. There’s also another industry trend that’s making this harder and harder to do, and that’s the shortage of technology resources. We talked about this last summer.
What’s happened since then? Is the problem of scarce technology resources getting better? Is it getting worse? Is it remaining the same? Where are we at?