Most risk-based vulnerability management programs are ineffective

Orani Amroussi | December 16, 2021

Latest research shows IT security teams are not doing enough to correlate vulnerability data with actual business risk, leaving organizations exposed.

TEL AVIV, Israel, December 16, 2021 — According to a Vulcan Cyber survey of more than 200 enterprise IT and security executives conducted by Pulse, 86% of respondents rely on third-party vulnerability severity data to prioritize vulnerabilities, and an additional 70% rely on third-party threat intelligence. This trend underscores the status quo in many cyber security organizations today, in which teams over-rely on metrics from third-party sources that lack the context needed to understand, and actually reduce, risk specific to the enterprise.

“While IT security teams work hard to defend the modern enterprise, it’s clear that traditional threat intelligence and metrics like vulnerability severity scores are incapable of generating the business-specific insight necessary for comprehensive protection,” said Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber. “Cybersecurity teams need the insights, processes, and tooling to prioritize risk for the assets that matter most to their business success.”

The Vulcan Cyber survey also found that the majority of respondents group vulnerabilities by infrastructure (64%), followed by business function (53%) and application (53%). Risk prioritization associated exclusively with infrastructure and application groupings is not meaningful without asset context.

“Risk without business context is irrelevant. A CISO doesn’t care about the risk posture of a server and database used by janitorial services to manage paper towel inventory levels. But if the exact same server had thousands of customers’ personally identifiable information on it, that would constitute an entirely different and significantly more severe level of cyber risk,” Bar-Dayan continued.

Key findings include:

  • 70% of respondents agree that many vulnerabilities that they prioritize rank higher than they should for their environments 
  • 71% of respondents depend on CVSS for prioritization
  • 54% of respondents are most concerned about sensitive data exposure
  • 62% cited MS14-068 (Microsoft Kerberos unprivileged user accounts) as the most concerning vulnerability

Some important home truths about risk-based vulnerability management

We know that security professionals need the tools and resources to prioritize risk according to business context. For most organizations, these are lacking.

But IT security organizations are also being lazy about how they prioritize their vulnerabilities. They take information like vulnerability severity and threat intelligence from third-party sources and try to make it applicable to their own environment, without going the extra mile to make it relevant.

There’s a reason for this. Time is a major factor, since custom risk scoring requires extra effort. There’s also the issue of resources – teams take the information that is available and act on prior practices, even when those have proved ineffective over time. The resulting risk scoring is inadequate because it does not take business context into account.
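To make the point concrete, here is a small added illustration (example code written for this post, not from Vulcan Cyber, the survey or any product): the same finding scored on its vendor CVSS base score alone versus a score that folds in asset context, using the janitorial-inventory versus customer-data comparison from the quote above. The weighting factors, asset fields, host names and vulnerability identifiers are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed illustration: the same vulnerability, ranked only by its
# third-party CVSS base score, looks identical on every host, while a score
# that folds in asset context separates the hosts that actually matter.

@dataclass(frozen=True)
class Asset:
    name: str
    business_function: str
    data_sensitivity: int   # assumed scale: 1 (none) .. 5 (regulated personal data)
    internet_exposed: bool

@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str
    cvss_base: float        # vendor-supplied severity, 0.0 .. 10.0

def cvss_only_score(f: Finding) -> float:
    """What the survey describes most teams doing: rank on the vendor score alone."""
    return f.cvss_base

def contextual_score(f: Finding) -> float:
    """Assumed weighting: severity scaled by data sensitivity and exposure.

    The factors are illustrative, not a published standard; the point is that
    business context, not only the base score, drives the ordering.
    """
    sensitivity_factor = f.asset.data_sensitivity / 5.0
    exposure_factor = 1.0 if f.asset.internet_exposed else 0.5
    return round(f.cvss_base * sensitivity_factor * exposure_factor, 2)

def prioritize(findings, scorer):
    """Return (asset, vuln_id, score) tuples ordered from most to least urgent."""
    ranked = sorted(findings, key=lambda f: (-scorer(f), f.asset.name))
    return [(f.asset.name, f.vuln_id, scorer(f)) for f in ranked]

# Constructed sample inventory mirroring the janitorial-vs-PII comparison.
INVENTORY = Asset("inventory-db", "facilities", data_sensitivity=1, internet_exposed=False)
CUSTOMER = Asset("customer-db", "sales", data_sensitivity=5, internet_exposed=True)
INTRANET = Asset("intranet-wiki", "it", data_sensitivity=2, internet_exposed=False)

FINDINGS = [
    Finding(INVENTORY, "CVE-EXAMPLE-0001", 9.8),  # placeholder id, not a real CVE
    Finding(CUSTOMER, "CVE-EXAMPLE-0001", 9.8),   # same vulnerability, different asset
    Finding(INTRANET, "CVE-EXAMPLE-0002", 7.5),
]

if __name__ == "__main__":
    print("CVSS only  :", prioritize(FINDINGS, cvss_only_score))
    print("Contextual :", prioritize(FINDINGS, contextual_score))
```

Under the CVSS-only scorer the inventory and customer databases tie at 9.8; under the contextual scorer the customer database stays at 9.8 while the inventory database drops below the lower-severity intranet finding.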

Read the full press release: Vulcan Cyber Survey Finds Most Risk-based Vulnerability Management Programs to be Ineffective

For all the insights from the recent Vulcan Cyber survey on risk-based vulnerability prioritization and management, download the whitepaper, How are Cyber Security Teams Prioritizing Vulnerability Risk?

Separately, we covered some of the best free open-source tools for risk assessment and mitigation: 

Manage Your Cyber Risk Now

To see Vulcan Cyber in action, please request a demo or try Remedy Cloud today. In addition, Vulcan Free is now available as the industry’s only free vulnerability prioritization tool. Try Vulcan Free today.

About Vulcan Cyber

Vulcan Cyber® breaks down organizational cyber risk into measurable, manageable processes to help security teams go beyond their scan data and actually reduce risk. With powerful prioritization, orchestration and mitigation capabilities, the Vulcan Cyber risk management SaaS platform provides clear solutions to help manage risk effectively. Vulcan enhances teams’ existing cyber environments by connecting with all the tools they already use, supporting every stage of the cyber security lifecycle across cloud, IT and application attack surfaces. The unique capability of the Vulcan Cyber platform has garnered Vulcan recognition as a 2019 Gartner Cool Vendor and as a 2020 RSA Conference Innovation Sandbox finalist. 

Media contact:

Dex Polizzi

Lumina Communications on behalf of Vulcan Cyber

[email protected]    
