70% of Security Professionals Say Their Company's Vulnerability Management Program is Somewhat Effective or Worse
The report surveyed 426 security professionals to better understand organizational vulnerability management and gain some insights into their day-to-day challenges, frustrations, and priorities.
Unremediated vulnerabilities are open doors that let malicious actors walk right through. Today, security teams are challenged enough by finding and shutting those open doors to keep their organization safe. Keeping track of those vulnerabilities and responding quickly and efficiently is one challenge—finding openings they might not even know about is another.
"The future of vulnerability management is risk-based. Yet I often see that, without a risk-based approach to prioritizing the ever-growing list of vulnerabilities, organizations leave themselves exposed," said Lisa Xu, CEO of NopSec. "What this report found is that some organizations have effective ways to detect, respond to, and remediate their vulnerabilities, while other organizations have more blind spots than they think. I hope these insights will be helpful to security leaders as they evaluate and strengthen their vulnerability management program."
Key findings include:
- 70% say their vulnerability management program (VMP) is only somewhat effective or worse.
- 34% responded that their VMP was not very effective at all.
- 53% of respondents said their organization does not consume third-party threat intel, like penetration tests, vulnerability disclosures, and IP or domain reputation scores.
- 58% also do not use a risk-based rating system to prioritize vulnerabilities.
- 62% of companies take 48 hours or longer to remediate vulnerabilities —some more than two weeks—to patch known critical vulnerabilities.
- 58% of companies that track the volume of vulnerabilities have seen them double, triple, or quadruple over the past 12 months.
To read the report in full, please visit: https://www.nopsec.com/resources/whitepapers-ebooks/state-of-vulnerability-management-report-2022/
NopSec, the world leader in cyber threat and exposure management, delivers its flagship SaaS solution, Unified VRM, to enable cybersecurity teams to prioritize and remediate vulnerabilities, reduce risks, and validate cybersecurity controls. NopSec believes data-driven insights change the future of work in cyber. The platform provides global visibility of infrastructure and appsec risks, enabling vulnerability management teams to prioritize and remediate their most imminent cyber threats.
NopSec has been recognized as the Leader in Vulnerability Risk Management by Forrester, a Gartner's Eye on Innovation company, and a Gold winner in Risk-Based Vulnerability Management (RBVM) and Security Analytics in 2022 by the Cybersecurity Excellence Awards. NopSec is based in New York, NY.
Categories: IT Security