OpenSSL3 Critical vulnerability: How to fix CVE-2022-3602 and CVE-2022-3786 | Read here  >>

The CyberRisk Summit is back: Join us on Dec 6. as we recap the cyber risk landscape in 2022 | Get free ticket >> 

Product update: Group and deduplicate vulnerabilities with “Vulnerability Clusters” for efficient cyber risk management | Read here  >>

Vulnerability management 2022 - maturity, automation and more

Orani Amroussi | October 31, 2022

With remote work, cloud migration, and reliance on third-party software all playing a part, security teams are facing a multi-directional challenge to protect company data. While vulnerability management processes are growing more mature in 2022, many organizations continue to struggle with the sheer volume of information.

Below are the highlights from the latest report, produced by Vulcan Cyber in partnership with SANS: Vulnerability management survey 2022. You can read it here.

(For a video format, watch the recent webinar and Q&A with CEO Yaniv Bar Dayan).

Security teams still responsible, but other departments are starting to take the lead

Security still plays the largest role in leading many VM functions, with the exception of remediation work such as patch and configuration management. Somewhat surprisingly, security’s responsibility has increased in those areas by more than 10% since last year’s survey.

While security’s responsibility may have increased overall, IT teams are taking the lead on aspects of VM like patch management. A key facet of any modern VM program is that non-security departments act on their own part of the cyber risk mitigation process. Although the IT teams’ greater involvement in vulnerability management processes is a promising step in the right direction, it’s important that they work collaboratively with security teams, which retain overarching responsibility for reducing cyber risk.

Maturity of patch and configuration management capabilities showing improvement

In general, patch management and configuration management are maturing and headed in the right direction. Traditional infrastructure has seen the most significant increase in patching maturity, which makes sense since other asset types are typically not patched so much as updated. 

Especially in the case of containers, the improvement in configuration management maturity represents a growing commitment to leveraging automation and new technology to increase vulnerability management efficiency as cloud-native options continue to mature.

Organizations are increasingly turning to automation

Compared to last year, organizations are more mature when it comes to automated discovery or scanning for vulnerabilities, with improvements in this area seen across all environments, including a particularly impressive increase when it comes to the cloud.

Cloud vulnerability management maturity is increasing

As organizations grow more reliant on cloud environments, it makes sense that IT security teams are becoming more comfortable with vulnerability management programs in the cloud.

In general, organizations are rating themselves much higher for their cloud vulnerability management capabilities than in 2021. With cloud usage set to grow even more in 2023, this is an encouraging sign.  

The bottom line

The trends we’ve seen in the past year are promising. Vulnerability management programs are maturing across the board, and we’re pleased to see improvements in cloud environments especially. As technologies change and attack surfaces emerge and grow, IT security practitioners must be proactive about managing the vulnerability management lifecycle. 

To dive deeper into this report, you can read it here. To learn more about the Vulcan Cyber take on these findings, you can watch our recent webinar and Q&A with CEO Yaniv Bar Dayan, or some highlights from the session: