Now more than ever, budgetary decisions and allocations are critical. When it comes to IT, with each team, department, and business unit convinced that its requirements are paramount, budgetary decisions must be based on quantifying, comparing, and prioritizing the business value to the enterprise. Management must ask itself to what extent any given budget line contributes to greater cost reduction.
The purpose of this blog is to help quantify the direct and indirect ROI that companies can gain from adopting new, efficient vulnerability remediation processes and platforms that will in turn enhance the efficiency of their vulnerability management programs.
The Unbearable Cost of Inefficient Vulnerability Remediation
On average, medium-to-large companies spend around 413 hours a week on detection and remediation, the equivalent of around ten and a half full-time employees. Yet, despite this heavy investment, vulnerability management programs still don’t seem to reach the heights they could. Moreover, if these vulnerability management programs were more efficient, many of these hours could be diverted elsewhere while still achieving greater risk reduction.
At the root of these inefficiencies lies the fact that current vulnerability management processes are largely manual. With the rise of vulnerability disclosures and the growing complexity of their remediation, the widespread manual processes are simply insufficient.
As shown in our most recent Business Case, in order to reduce the costs required to run vulnerability management programs, companies must focus on 3 key aspects:
- Pinpointing the vulnerabilities that pose the greatest risk to the organization
- Promoting a streamlined, collaborative remediation process
- Automating remediation processes to the greatest extent possible
Fewer Vulnerabilities to Remediate
When it comes to vulnerability management, handling the sheer volume of new vulnerabilities detected with every scan can be a great challenge. While attempting to remediate all vulnerabilities is incredibly expensive (and practically impossible), it is also unacceptable to overlook a vulnerability that poses a high risk to business-critical assets.
This is why many companies initially relied on CVSS scores to differentiate between the vulnerabilities found in their systems, focusing only on the high-risk ones. Typically, this prioritization process would identify ~15% of the new vulnerabilities as critical to remediate. The problem is that even 15% is a great deal to handle.
However, if the prioritization process were both automated and contextual, it would not only streamline manual processes but also identify the critical vulnerabilities that require remediation with greater accuracy. Such a process would typically pinpoint, automatically, the ~2% of new vulnerabilities that are critical specifically to the company.
Optimizing vulnerability prioritization has two quantifiable benefits: automation of the largely manual prioritization process, and fewer vulnerabilities to remediate. Automated prioritization can save teams at least 90% of the FTE costs, and having fewer critical vulnerabilities to remediate saves teams up to 85% of the manual work required. Combined, these two benefits can represent an annual saving of around $543,000 for the average enterprise.
Faster Time to Remediation
Another pain point for many companies is the long remediation cycle. Many companies struggle to implement efficient remediation programs, especially for those non-critical vulnerabilities that don’t require immediate attention.
On average, from initial identification to validation through a re-scan, it takes companies at least six months to remediate a client-side vulnerability and nine months to remediate a server-side vulnerability. A typical, straightforward remediation process, once initiated, takes about a month to complete. The more complex the remediation, or the higher its potential operational impact, the longer the process draws out.
Several factors account for the key inefficiencies in these remediation processes:
- Multiple, cross-organizational teams are involved at different stages of the process, with many manual hand-offs.
- Teams are often siloed during long stretches of the process.
- Other than service tickets, there is no single source of truth across which teams can collaborate.
- Overall, there is poor end-to-end visibility and control across the process.
Adopting automated remediation has several benefits. First, a faster time-to-remediation on vulnerable assets reduces the risk of costly successful exploits. Though that benefit is hard to quantify, it still holds great value. Additionally, full vulnerability automation can reduce FTE costs by as much as 85%. Assuming that 75% of our FTEs’ time is spent on remediation, adopting automated remediation could save companies around $1,018,000 a year.
Efficient Vulnerability Management Accelerates the Business
There are several direct and indirect cost-reduction benefits for companies that incorporate automation technologies and tools throughout the vulnerability management and remediation process. By spending less time on coordinating people and processes, teams can focus with greater clarity on their core operational and security issues, which in turn will have a significant impact on the business.