IT Leaders Grossly Overestimate the Maturity of Their Vulnerability Management Programs

  • 84% of companies say their vulnerability management is efficient
  • Researchers find a significant disconnect between perception and reality
  • Organizations must update and automate remediation processes

Most companies place a lot of trust in their vulnerability management programs, with 84% of IT leaders rating them as “mature.” However, a deeper dive into the state of vulnerability management at various companies reveals a major disconnect between that perception and reality.

The vast majority of businesses say their vulnerability management programs are mature. Still, given the number of breaches stemming from unpatched vulnerabilities, Vulcan Cyber researchers believed the gap between that confidence and the breach figures warranted a closer look.

Tapping the C-suite for insight

The firm surveyed more than 100 security and IT leaders about the current state of vulnerability management at their companies and compared the results against its own vulnerability remediation maturity benchmark. The company worked with the social research platform Pulse to reach a large pool of CIOs, CISOs, and other tech leaders in order to gauge the readiness of enterprise vulnerability management programs.

Some key findings emerged from the survey, chief among them: 84% of respondents felt their programs were mature, but a deeper dive cast doubt on those beliefs.

The most mature elements of enterprise vulnerability management programs are vulnerability scanning (72%), followed by the effective use of vulnerability remediation tools (49%) and vulnerability prioritization (44%).

At the other end of the spectrum, the least-mature elements are orchestrated and collaborative remediation (48%), continuous and automated remediation (48%), and business alignment around cyber hygiene objectives (31%).

89% of security and IT teams say they spend at least some time collaborating with cross-functional teams to remediate vulnerabilities. 42% spend “a lot” of time every week working with other groups, and 7% say they spend “too much.” Of the companies that said they spend too much time collaborating with other teams, 83% have 500-1,000 employees.

Half of IT and security teams share responsibility for key remediation functions (identifying vulnerabilities, prioritization, crafting remediation strategies, deploying patches and remedies, etc.). Researchers believe this is an opportunity to facilitate more effective and efficient collaboration by clearly defining the division of labor.

Automation is key

According to Bar-Dayan, co-founder and CEO of Vulcan Cyber, organizations must update and automate their remediation processes to fend off sophisticated attacks leveraging unpatched vulnerabilities or system misconfigurations.

“It’s a heavy undertaking, but one that transforms vulnerability management programs into a powerful lever for shrinking security debt and strengthening the company’s security posture,” said Bar-Dayan.

A recent study by the Ponemon Institute found that four in 10 organizations had suffered a breach due to unpatched vulnerabilities in the past two years. 60% of respondents said the most dangerous vulnerabilities continue to expose their organizations to the risk of a breach while their security teams chase down false positives and trivial threats. The report states that false positives will not go away if practitioners are not appropriately incentivized.

Indeed, automated patch management is an instrumental part of an organization’s cybersecurity stack, since unpatched systems leave organizations susceptible to data breaches. As we’ve previously noted, if they are to do their job well, IT reps must have the means to zero in on misconfigurations, vulnerable applications, risky user behavior, and individual devices and users, and to close these gaps quickly and efficiently. Equipping IT reps with the proper tools supports not just their own efforts but the organization’s overall business objectives as well.