What makes enterprises more efficient at patching vulnerabilities?
The companies most effectively managing security vulnerabilities are those using a patch tool, relying on risk-based prioritization tools, and having multiple, specialized remediation teams that focus on specific sectors of a technology stack.
A new report from cyber risk specialist Kenna Security, produced in conjunction with the Cyentia Institute, reveals that businesses with mature, well-funded vulnerability management programs are more likely to patch vulnerabilities faster.
However, this doesn't necessarily mean the companies patch the riskiest vulnerabilities first. Companies using the Common Vulnerability Scoring System (CVSS) to prioritize vulnerabilities for remediation tend to be slower in patching high-risk vulnerabilities. Those focused on compliance also tend to struggle to patch all high-risk vulnerabilities across their organization.
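To make the CVSS-versus-risk-based point concrete, here is a small added illustration (not from the report, and not Kenna's scoring method or data). It builds a constructed backlog with placeholder identifiers, orders it two ways, and measures how quickly the actively exploited findings get fixed when a team can close a fixed number of items per patch cycle. The "threat-informed" rule used here, putting anything with observed exploitation ahead of everything else and using CVSS only as a tie-breaker, is an assumption chosen for the example, not a vendor's algorithm.

```python
# Added illustration, not the report's data or Kenna's scoring: compare a
# CVSS-ordered patch queue with a threat-informed one under fixed capacity.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder identifiers, not real CVE numbers
    cvss: float       # base score as a scanner would report it
    exploited: bool   # constructed threat-intel flag: exploitation seen in the wild


# Constructed backlog. The shape is deliberate: several CVSS 9+ findings with
# no known exploitation, and a few mid-score findings that are actively exploited.
BACKLOG = [
    Vuln("VULN-001", 9.8, False),
    Vuln("VULN-002", 9.1, False),
    Vuln("VULN-003", 7.5, True),
    Vuln("VULN-004", 9.0, False),
    Vuln("VULN-005", 6.5, True),
    Vuln("VULN-006", 8.8, False),
    Vuln("VULN-007", 5.3, False),
    Vuln("VULN-008", 8.1, True),
]


def cvss_order(backlog):
    """CVSS/compliance-style queue: highest base score first."""
    return sorted(backlog, key=lambda v: -v.cvss)


def threat_informed_order(backlog):
    """Illustrative risk-based queue (an assumption for this example):
    anything with observed exploitation goes first; CVSS only breaks ties."""
    return sorted(backlog, key=lambda v: (not v.exploited, -v.cvss))


def remediation_cycles(queue, capacity):
    """Map each vuln to the 1-based patch cycle in which it is fixed when the
    team closes `capacity` items per cycle, working the queue in order."""
    return {v.cve: i // capacity + 1 for i, v in enumerate(queue)}


def mean_cycles_to_fix_exploited(queue, capacity):
    """Average number of cycles the actively exploited findings stay open."""
    cycles = remediation_cycles(queue, capacity)
    exploited = [cycles[v.cve] for v in queue if v.exploited]
    return sum(exploited) / len(exploited)


if __name__ == "__main__":
    for name, order in (("CVSS", cvss_order), ("threat-informed", threat_informed_order)):
        q = order(BACKLOG)
        print(f"{name:16s} {[v.cve for v in q]}")
        print(f"  mean cycles to fix exploited vulns (capacity 2): "
              f"{mean_cycles_to_fix_exploited(q, 2):.2f}")
```

With two fixes per cycle, the CVSS-ordered queue leaves the exploited findings open for about 3.3 cycles on average because the unexploited 9.x findings consume the first two cycles; the threat-informed queue closes them in about 1.3 cycles. The same backlog and the same team capacity produce very different exposure, which is the effect the report attributes to orienting a program around real-world threat information rather than base scores alone.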
"This research shows what companies with high-performing vulnerability management programs are doing right," says Ed Bellis, CTO at Kenna Security. "One factor stands above all others: companies that orient their programs around real-world threat information perform better than those that don't. The report also shows that compliance-based prioritization and CVSS standards for threat scoring negatively impact the ability to identify and patch the threats that matter most."
Among other findings, only 47 percent of respondents think their vulnerability management budget is about right, with 39 percent saying it is less than ideal and nine percent believing it inadequate.
When asked about the complexity of addressing vulnerabilities, most respondents are in the middle, with just 10 percent rating it very complex and only six percent very simple.
The full report is available from the Kenna site.