2017 Outlook: Remediation Trends
- Jan 12, 2017
- Guest Author
Each year, NopSec conducts a survey of IT and cybersecurity professionals to glean a snapshot of the current state of vulnerability risk management (VRM) and the outlook for VRM in the coming year. This survey lets us take the pulse of security professionals across different types of businesses and at varying levels in their organizations, and provides some benchmarking figures for infosec teams who want to know how the maturity of their VRM programs compares.
Many of the trends are encouraging, while others show there remains plenty of room for improvement in some organizations’ security programs. We encourage you to download the full report here. In it, you’ll find our full list of top findings from the survey as well as our recommendations for improvement for those organizations that find themselves facing the same circumstances and challenges as our respondents.
For today, we offer a sampling of some of the key trends that came out of this year’s survey.
Many companies remain at least partially compliance-driven in their approach to VRM.
Almost half (47%) of respondents said that their VRM is equally driven by both compliance and security risk management, while 16% said that VRM is a function mostly driven by compliance. While compliance will always remain an important driver, particularly for industries like financial services and healthcare, compliance alone does not keep organizations secure. When VRM is a strategic practice that is part of your overall security and risk management strategy (true for 36% of those surveyed), then your business priorities are more likely to be aligned in a way that provides adequate resources, time, and attention to minimize security risks. Moreover, organizations that are strategy-driven will find it easier to remain compliant for these same reasons.
A lot of companies still rely on manual prioritization and limited inputs to prioritize vulnerabilities.
One quarter of respondents to our survey said they rely either solely on CVSS scores to prioritize vulnerabilities (11%), or they use a combination of CVSS scores and asset classification (15%). Most infosec professionals recognize that CVSS scores alone are insufficient, but even adding only asset classification leaves organizations at risk and doesn’t do enough to minimize data overload.
Organizations should apply all the information they can find to prioritizing vulnerabilities. That includes CVSS scores and asset classification, but also threat intelligence, exploit feeds, social media trends, patches available, and business context.
This is incredibly difficult to do manually! It also drains resources from other activities, leading to opportunity costs for organizations operating with small IT teams that wear many hats. The best way to overcome this challenge is to automate prioritization using technology that can incorporate all of the factors listed above.
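To make the prioritization idea concrete, here is a small added example of a scoring routine that combines the inputs listed above (CVSS base score, asset classification, public exploit availability, patch availability and exposure as a stand-in for business context). It is illustrative code written for this post, not NopSec's product logic; the weights, field names and the four constructed findings are assumptions chosen to show how the ranking changes once inputs beyond CVSS are considered.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    """One vulnerability instance on one asset. All fields are example inputs."""
    ident: str            # constructed label, not a real CVE id
    cvss: float           # CVSS base score, 0.0-10.0
    asset_tier: int       # asset classification: 1 = low, 2 = medium, 3 = critical
    exploit_public: bool  # from threat intel / exploit feeds
    patch_available: bool
    internet_facing: bool # business context: exposure of the asset


def priority_score(f: Finding) -> float:
    """Combine the inputs into a single 0-100 priority score.

    Weights are illustrative assumptions: CVSS contributes at most half the
    score so that asset value, exploitability and exposure can outrank a
    high base score on an isolated, low-value host.
    """
    score = f.cvss * 5.0                          # up to 50 points from CVSS
    score += {1: 0.0, 2: 10.0, 3: 20.0}[f.asset_tier]
    if f.exploit_public:
        score += 20.0                             # known exploit raises urgency
    if f.internet_facing:
        score += 10.0                             # reachable by outsiders
    if not f.patch_available:
        score -= 5.0   # nothing to deploy yet; track for compensating controls
    return max(0.0, min(100.0, round(score, 1)))


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Remediation queue: highest combined score first, CVSS as tie-breaker."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss), reverse=True)


def cvss_only_order(findings: List[Finding]) -> List[Finding]:
    """The baseline many teams use today, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample data for the example (not survey data).
SAMPLE_FINDINGS = [
    Finding("finding-a", cvss=9.8, asset_tier=1, exploit_public=False,
            patch_available=True, internet_facing=False),
    Finding("finding-b", cvss=7.5, asset_tier=3, exploit_public=True,
            patch_available=True, internet_facing=True),
    Finding("finding-c", cvss=5.3, asset_tier=2, exploit_public=True,
            patch_available=False, internet_facing=True),
    Finding("finding-d", cvss=9.1, asset_tier=3, exploit_public=False,
            patch_available=True, internet_facing=False),
]

if __name__ == "__main__":
    print("CVSS only :", [f.ident for f in cvss_only_order(SAMPLE_FINDINGS)])
    print("Combined  :", [(f.ident, priority_score(f)) for f in prioritize(SAMPLE_FINDINGS)])
```

Run as written, the CVSS-only queue starts with finding-a (9.8), while the combined score puts finding-b first: a lower base score on a critical, internet-facing asset with a public exploit outranks a critical-rated bug on an isolated low-value host. That reordering is the point of feeding more than CVSS into prioritization; in practice the weights would be tuned to the organization's own risk appetite and the inputs would come from scanner, CMDB and intelligence feeds rather than hand-entered records.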
The vast majority of IT organizations know they can improve remediation.
More than 80% of our respondents saw room for “some improvement” (51%) or “major improvement” (33%) to their remediation processes. We asked about their priorities for improving their VRM programs in the next 12-18 months, and three things topped the list: implement tools to improve prioritization (24%); more frequent scanning (22%); and implement goals and success metrics to reduce remediation time (20%).
Implementing prioritization tools is #1 for good reason. Your security program depends on the quality of information telling you which vulnerabilities need your attention the most and which remediation efforts will deliver the most positive impact. Without the proper technology in place, security professionals are operating in the dark and leaving themselves at unnecessary risk.
For more trends and our top recommendations for organizations ready to improve their VRM programs in 2017, download the full report now.