Four Interesting Facts from the State of Vulnerability Management Report
- Sep 06, 2022
- Lisa Xu
The State of Vulnerability Management report, recently released by NopSec, shows that while organizations are making strides in vulnerability management, there is still much work to be done. The report found that prioritizing vulnerability remediation is still a top objective for security teams, even though many practitioners feel their VM program is ineffective. Cybersecurity professionals should pay close attention to these findings to learn how their own organizations can step up their game when it comes to vulnerability management.
With the ever-growing list of potential vulnerabilities, it can be challenging to know where to start. By understanding the current state of vulnerability management, security professionals can better prioritize their efforts and make their programs more effective. Toward this end, we asked a cross-section of 426 security professionals across nine major industries about their thoughts on the current state and future outlook for vulnerability management. Here, we have presented four of the notable takeaways from the survey.
The largest group of the survey’s respondents, 35%, said that the number one goal for their vulnerability management program was to prioritize risk based on exploitable vulnerabilities and the criticality of the assets at risk. This is a sensible goal and one that is achievable with the right mix of people, processes, and technology. However, as these responses clarify, vulnerability management is not a goal in and of itself; it’s a means to an end.
Speaking at a Homeland Security Committee hearing in November 2021, Jen Easterly, CISA director, said, “We strongly recommend every network defender view the known vulnerabilities posted at CISA.gov, and prioritize urgent remediation.”
The ultimate goal is to reduce the overall risk to your organization, and vulnerability management is just one tool that can help you reach that goal. There are many other factors to consider as well, such as the likelihood of an attack and the potential impact of an exploit. But if you aim to reduce risk, prioritizing vulnerabilities based on exploitability and asset criticality is an excellent place to start.
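To make "exploitability times asset criticality" concrete, here is an added example (not code from NopSec or the report) that ranks scanner findings the way the paragraph above recommends. The asset inventory, the stand-in for the CISA known-exploited list and the findings are all constructed sample data, and the CVE ids are placeholders rather than real identifiers. The example also handles one failure mode worth planning for: a finding on a host that is not in the inventory at all, which is scored as a high-criticality asset until someone triages it rather than being silently ranked last.

```python
from dataclasses import dataclass

# Everything below is constructed sample data for this example; it is not
# survey data, and the CVE ids are placeholders, not real identifiers.
ASSET_CRITICALITY = {
    "payments-db-01": "critical",
    "hr-portal": "high",
    "intranet-wiki": "medium",
    "dev-sandbox-07": "low",
}

# Stand-in for the CISA Known Exploited Vulnerabilities catalog (placeholder ids).
KNOWN_EXPLOITED = {"CVE-0000-PLACEHOLDER-A", "CVE-0000-PLACEHOLDER-C"}

# Integer weights keep the scores deterministic and easy to explain to an owner.
CRITICALITY_POINTS = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPLOITED_POINTS, NOT_EXPLOITED_POINTS = 10, 3
UNKNOWN_ASSET_TIER = "high"  # conservative default for assets missing from inventory


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float


FINDINGS = [
    Finding("dev-sandbox-07", "CVE-0000-PLACEHOLDER-A", 9.8),
    Finding("payments-db-01", "CVE-0000-PLACEHOLDER-B", 7.5),
    Finding("hr-portal", "CVE-0000-PLACEHOLDER-C", 6.5),
    Finding("intranet-wiki", "CVE-0000-PLACEHOLDER-D", 9.1),
    Finding("unknown-host-10-0-4-77", "CVE-0000-PLACEHOLDER-B", 7.5),
]


def risk_score(finding, criticality_map, known_exploited):
    """Return (score, asset_in_inventory); score = severity x exploitability x criticality."""
    tier = criticality_map.get(finding.asset)
    in_inventory = tier is not None
    tier = tier if in_inventory else UNKNOWN_ASSET_TIER
    exploit_points = EXPLOITED_POINTS if finding.cve in known_exploited else NOT_EXPLOITED_POINTS
    severity_tenths = round(finding.cvss * 10)  # 9.8 -> 98, keeps arithmetic in integers
    return severity_tenths * exploit_points * CRITICALITY_POINTS[tier], in_inventory


def prioritize(findings, criticality_map=ASSET_CRITICALITY, known_exploited=KNOWN_EXPLOITED):
    """Rank findings highest risk first, carrying the flags a remediation owner needs."""
    ranked = []
    for f in findings:
        score, in_inventory = risk_score(f, criticality_map, known_exploited)
        ranked.append({
            "asset": f.asset,
            "cve": f.cve,
            "cvss": f.cvss,
            "known_exploited": f.cve in known_exploited,
            "asset_in_inventory": in_inventory,
            "score": score,
        })
    # Highest score first; ties broken by raw CVSS so the order is stable.
    ranked.sort(key=lambda r: (-r["score"], -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        flags = []
        if row["known_exploited"]:
            flags.append("KEV")
        if not row["asset_in_inventory"]:
            flags.append("NOT IN INVENTORY")
        print(f'{row["score"]:5d}  {row["asset"]:<24} {row["cve"]:<24} CVSS {row["cvss"]}  {" ".join(flags)}')
```

Run as written, the CVSS 9.1 finding on a medium-value wiki lands at the bottom while the CVSS 6.5 finding that is known to be exploited on a high-value portal lands at the top, which is the point of the approach: severity alone is a poor proxy for risk. The weights are assumptions chosen for illustration; the shape of the calculation is what matters, and a real program would also factor in exposure and compensating controls.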
According to this survey, vulnerability management programs are not working as well as they could be. Less than a third of respondents (30.1%) said their program was “very effective,” and slightly more than a third (34%) said it was “not very effective.” There are a number of reasons for this. First, many companies don’t have a good handle on what assets they have and where they’re located. Second, patching is hard. It often requires taking systems offline, which can be disruptive to business operations. And third, there are simply too many vulnerabilities to keep up with.
The industry needs to do better at vulnerability management. We need to get better at identifying our assets, make patching more manageable, and find ways to prioritize the most critical vulnerabilities. Otherwise, we’re just playing Whac-A-Mole with the bad guys.
For the survey respondents who replied that their vulnerability management program is “very effective,” we asked if they could give us insights on why they answered that way. When asked to choose all that applied, 43% attribute their effectiveness to security team members who understand vulnerability management. We applaud them for their ability to attract and retain top cybersecurity talent. Still, given the skills gap the security industry is experiencing, this response indicates a need for more automated vulnerability management solutions.
Fellow and lecturer at Harvard’s Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc., Bruce Schneier wrote about how both Google and Mandiant are reporting a significant increase in the number of zero-day vulnerabilities reported in 2021.
Even with a great team, organizations can’t keep pace with the volume of vulnerabilities being disclosed daily. And as we’ve seen in recent high-profile attacks, even one unpatched system can be enough to bring down an entire organization. Automated solutions can help organizations fill the gaps in their defenses, and we encourage organizations of all sizes to consider them as part of their overall security strategy.
It’s no surprise that shadow IT is one of the top problems facing organizations today. With the proliferation of devices and cloud services, it’s becoming increasingly difficult to keep track of all the devices and services in use, which limits visibility into risk exposure and makes vulnerabilities harder to identify and remediate. In our survey, 16.9% of respondents cited shadow IT as their most disturbing problem. Additionally, 16.2% of respondents mentioned a lack of trained staff to remediate vulnerabilities as another top challenge.
Shadow IT can be a significant problem for organizations because it can lead to data breaches and compliance issues. Organizations must have policies and procedures to prevent shadow IT from occurring. Additionally, organizations should provide training to staff on how to identify and remediate vulnerabilities.
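The visibility gap described above is measurable: reconcile what the network discovery scan actually sees against what the asset inventory says should exist. The following is an added example (not code from NopSec or the report) that does that reconciliation on two constructed CSV exports, a CMDB extract and a discovery scan, both invented for this illustration along with the 10.0.0.0/16 address range. It reports three things a vulnerability management team needs: hosts the scanner found that nobody has recorded (candidate shadow IT, with a flag for addresses outside the ranges the organization believes it owns), inventory entries whose address has changed, and inventory entries the scanner no longer sees.

```python
import csv
import io
import ipaddress

# Constructed sample data for this example (not from the report): a CMDB
# export and a network-discovery scan export, both as CSV text.
INVENTORY_CSV = """hostname,ip,owner
Payments-DB-01.corp.example,10.0.1.10,finance-platform
hr-portal.corp.example,10.0.2.20,people-ops
intranet-wiki.corp.example,10.0.2.21,it-ops
legacy-fax-gw.corp.example,10.0.9.9,facilities
build-agent-03.corp.example,10.0.3.3,engineering
"""

DISCOVERY_CSV = """ip,hostname
10.0.1.10,payments-db-01
10.0.2.20,HR-PORTAL
10.0.2.21,intranet-wiki
10.0.9.10,legacy-fax-gw
10.0.4.77,
10.0.4.78,nas-marketing
192.168.50.5,printer-lobby
"""

# Address space the organization believes it owns (assumed for the example);
# anything discovered outside it deserves a second look.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/16")]


def normalize_host(name):
    """Lower-case, strip whitespace and domain suffix so CMDB and scanner names compare equal."""
    return (name or "").strip().lower().split(".")[0]


def reconcile(inventory_text, discovery_text, corporate_ranges=CORPORATE_RANGES):
    """Match discovered hosts to inventory by IP first, then by normalized hostname."""
    by_ip, by_host = {}, {}
    for row in csv.DictReader(io.StringIO(inventory_text)):
        entry = {
            "hostname": normalize_host(row["hostname"]),
            "ip": row["ip"].strip(),
            "owner": row["owner"].strip(),
        }
        by_ip[entry["ip"]] = entry
        by_host[entry["hostname"]] = entry

    matched = set()
    unknown, moved = [], []
    for row in csv.DictReader(io.StringIO(discovery_text)):
        ip = row["ip"].strip()
        host = normalize_host(row.get("hostname"))
        entry = by_ip.get(ip) or (by_host.get(host) if host else None)
        if entry is None:
            # Nobody owns this host on paper: candidate shadow IT.
            addr = ipaddress.ip_address(ip)
            unknown.append({
                "ip": ip,
                "hostname": host or None,
                "in_corporate_range": any(addr in net for net in corporate_ranges),
            })
            continue
        matched.add(entry["hostname"])
        if entry["ip"] != ip:
            # Known host, but the inventory address is out of date.
            moved.append({"hostname": entry["hostname"], "inventory_ip": entry["ip"], "observed_ip": ip})

    # Inventory entries the scanner never saw: decommissioned, offline, or a scan coverage gap.
    stale = sorted(h for h in by_host if h not in matched)
    return {"unknown_assets": unknown, "ip_changes": moved, "stale_inventory": stale}


if __name__ == "__main__":
    result = reconcile(INVENTORY_CSV, DISCOVERY_CSV)
    for u in result["unknown_assets"]:
        where = "inside" if u["in_corporate_range"] else "OUTSIDE"
        print(f'unknown asset {u["ip"]} ({u["hostname"] or "no name"}) {where} corporate ranges')
    for m in result["ip_changes"]:
        print(f'{m["hostname"]} moved {m["inventory_ip"]} -> {m["observed_ip"]}')
    for h in result["stale_inventory"]:
        print(f"inventory entry not seen by scanner: {h}")
```

Each unknown asset is a remediation item in its own right: until it has an owner and a criticality, no vulnerability found on it can be prioritized correctly. The stale list matters just as much, because a host the scanner cannot reach is not being assessed at all, and that is a coverage gap rather than a clean bill of health.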
The future of vulnerability management is risk-based. Companies are at risk without a risk-based approach to understanding and managing the growing number of vulnerabilities. At NopSec, we advocate for this approach to vulnerability management as we lead our customers into the future.
The top objective for security practitioners should be prioritizing risk, yet most respondents rate their vulnerability management programs as only somewhat effective, or not very effective, at doing so. To better manage vulnerabilities, it’s essential to understand the number one challenge with vulnerability management: shadow IT assets.
Organizations must move from being reactive to being proactive when it comes to security. The best way to do this is to take an offensive approach, which requires a complete mindset shift from the security practitioners on the front lines all the way up to the c-suite.
The offensive approach is about being proactive — identifying vulnerabilities before they can be exploited and taking steps to prevent attacks before they happen. The reactive approach is about response — waiting for something bad to happen and then scrambling to fix it. This is how most organizations approach security, and it’s simply not good enough anymore.
This shift in thinking won’t be easy, but it’s essential if we want to stay ahead of the threats we face. It’s time for organizations to start taking security seriously, which means adopting an offensive mindset. Only then can we hope to keep our digital systems safe and secure.
Read the full State of Vulnerability Management Report here.