Vulnerability Management

Most organizations use a dedicated vulnerability management system for all security


A vulnerability management (VM) program helps organizations track the status of IT assets, prioritize vulnerabilities based on risk and exposure, ensure compliance, measure time to remediation, prevent the reintroduction of known vulnerabilities, and minimize the overall attack surface.

Such a program has become essential for most businesses that want to keep pace with an expanding threat landscape and the routine exploitation of known vulnerabilities.

CyberRisk Alliance (CRA) sought to better understand the status of vulnerability management programs at organizations across the public and private sectors. The data and insights in this recent report are based on an online survey conducted in April 2023 among 210 security and IT leaders and executives, practitioners, administrators, and compliance professionals in North America drawn from CRA's Business Intelligence research panel.

Here are some of the most important findings:

There’s no one way to manage vulnerabilities

Respondents reported a range of methods for tracking vulnerabilities and coordinating security updates. For example, 54% use a dedicated VM system for all security work, while 41% use separate workflows to track different types of vulnerabilities. Some employ an issue tracker, while others rely on manual communication to get the job done.

The full report is titled Vulnerability management: A maelstrom of moving targets.

When it comes to types of vulnerabilities that are tracked, there’s nearly equal attention given to system software common vulnerabilities and exposures (CVEs), network device CVEs, and web application CVEs.

However, security teams pay less attention to web application vulnerabilities that are not publicly known or not registered in the National Vulnerability Database (NVD). This suggests that respondents prioritize public databases of verified CVEs. The gap matters: a flaw in an organization's own web application code has no CVE at all, so it will never appear in a CVE-driven scanner feed, and it has to be tracked from pentest and code-review findings instead.

Resourcing has become a universal challenge

The greatest frustration among security teams concerns how funding and staff are allocated, along with a perceived lack of automation to support vulnerability management.

“We don’t have the time, money or staff for these activities, and leadership is not supportive,” said one respondent.

Only 50% of respondents said they get proper support from top management, which means close to half of the organizations surveyed lack the full backing they need for vulnerability management activities.

Legacy systems have prevented some from patching vulnerable technologies

Just 51% approve of how their organization has decommissioned old IT to keep patch management workable. Beyond the vulnerabilities themselves, poorly configured systems have multiplied the false positives and alerts that some organizations struggle to stay on top of.

The failure to retire legacy IT is also linked to resourcing, which respondents often identified as a roadblock in their VM efforts. At least 1 in 4 respondents said vulnerability management activities are not nearly as automated as they could be, while a similar share believe their employer has failed to allocate enough staff and budget for VM activities in 2023.

Business planning and sound policies should be integral to VM

Respondents repeatedly mentioned pain points related to organizational growth, asset management, and getting buy-in from both upper management and end users.

As one respondent voiced: “Our organization has grown significantly in the last 3 years. With 40,000 colleagues and 13 organizations coming together, the process can be slow and different across each entity, which requires more time and resources to remediate.”

CRA recommends four best practices for setting up a workable VM program:

  • Focus on the known vulnerabilities.
  • Educate the team on the need for a strong VM program.
  • Set realistic goals for what the team can accomplish. It is not possible to patch everything.
  • Look for tools that raise visibility and automate how the team derives insights from its data.
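The capabilities listed at the top of this article (prioritizing by risk and exposure, measuring time to remediation, preventing the reintroduction of known vulnerabilities) and the recommendation above to set realistic goals rather than patch everything can be made concrete in a small tracking model. The Python below is an added example written for this page; it is not a CRA tool or anything from the report. The Finding data model, the risk weights, the SLA tiers, and the sample findings (with placeholder IDs such as CVE-X1 and INT-0007 that are not real vulnerability identifiers) are all assumptions chosen for illustration.

```python
"""Minimal vulnerability-tracking model: prioritize open findings by risk and
exposure, measure time to remediation, flag SLA breaches, and detect findings
that were fixed and then reintroduced. Added example; the data model, weights
and sample data are assumptions, not anything from the CRA survey.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str              # CVE ID for public vulns, internal ID otherwise
    cvss: float               # CVSS base score, 0-10
    internet_facing: bool     # exposure: reachable from the internet?
    exploited_in_wild: bool   # known to be actively exploited
    first_seen: date
    fixed_on: Optional[date] = None   # None while the finding is still open

    @property
    def is_open(self) -> bool:
        return self.fixed_on is None


# Assumed weights: internet exposure doubles the score; active exploitation
# adds a further 50%. Real programs tune these to their own risk appetite.
EXPOSURE_WEIGHT = 2.0
EXPLOITED_WEIGHT = 1.5

# Assumed SLA tiers: (minimum risk score, allowed days to fix), checked in order.
SLA_DAYS = [(20.0, 7), (10.0, 30), (0.0, 90)]


def risk_score(f: Finding) -> float:
    """CVSS base score adjusted for exposure and known exploitation."""
    score = f.cvss
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    if f.exploited_in_wild:
        score *= EXPLOITED_WEIGHT
    return round(score, 1)


def prioritize(findings):
    """Open findings, highest risk first; ties broken by age (oldest first)."""
    open_findings = [f for f in findings if f.is_open]
    return sorted(open_findings, key=lambda f: (-risk_score(f), f.first_seen))


def time_to_remediation(findings):
    """(asset, vuln_id, days) for every closed finding."""
    return [(f.asset, f.vuln_id, (f.fixed_on - f.first_seen).days)
            for f in findings if not f.is_open]


def median_ttr(findings) -> float:
    days = [d for _, _, d in time_to_remediation(findings)]
    return float(median(days)) if days else 0.0


def reintroduced(findings):
    """(asset, vuln_id) pairs that were fixed and later observed again."""
    by_key = {}
    for f in findings:
        by_key.setdefault((f.asset, f.vuln_id), []).append(f)
    found = set()
    for key, records in by_key.items():
        records = sorted(records, key=lambda f: f.first_seen)
        for earlier, later in zip(records, records[1:]):
            if earlier.fixed_on is not None and later.first_seen > earlier.fixed_on:
                found.add(key)
    return found


def overdue(findings, today: date, sla_days=SLA_DAYS):
    """Open findings older than the SLA for their risk tier, highest risk first."""
    breaches = []
    for f in prioritize(findings):
        allowed = next(days for threshold, days in sla_days if risk_score(f) >= threshold)
        if (today - f.first_seen).days > allowed:
            breaches.append(f)
    return breaches


# Constructed sample data with placeholder IDs (not real CVEs or assets).
TODAY = date(2023, 4, 30)
SAMPLE = [
    Finding("web-01", "CVE-X1", 9.8, True, True, date(2023, 4, 1)),       # exposed, exploited, open
    Finding("fs-02", "CVE-X2", 7.5, False, False, date(2023, 3, 15)),     # internal, open
    Finding("web-01", "INT-0007", 8.1, True, False, date(2023, 4, 10)),   # pentest finding, no CVE
    Finding("rtr-01", "CVE-X3", 8.8, True, False, date(2023, 2, 1), date(2023, 2, 13)),  # fixed
    Finding("rtr-01", "CVE-X3", 8.8, True, False, date(2023, 3, 20)),     # same flaw, back again
    Finding("legacy-09", "CVE-X4", 5.3, False, False, date(2023, 1, 1), date(2023, 3, 2)),  # slow fix
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.asset:10} {f.vuln_id}")
    print("median days to fix:", median_ttr(SAMPLE))
    print("reintroduced:", reintroduced(SAMPLE))
    print("overdue:", [(f.asset, f.vuln_id) for f in overdue(SAMPLE, TODAY)])
```

The ordering is the point: the exposed, exploited CVE on web-01 comes first, the reintroduced router CVE is ranked above the internal pentest finding that has no CVE, and the internal file server drops to the bottom despite a respectable CVSS score. Running the reintroduction check on every scan import is what stops a redeployed old image from silently undoing earlier remediation work.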
