

Mistakes Companies Make When it Comes to Vulnerability Management

We observe a common misconception: companies believe they are doing “vulnerability management” when, more often than not, they are only performing “vulnerability identification”. I came across an insightful article by Mark Hatton in SecurityWeek titled “Three Mistakes Companies Make When it Comes to Vulnerability Management”. Below are my own observations and comments on the topic.

Remediation, not identification, should be the goal

On a tactical basis, the day-to-day work of meeting compliance requirements, running scans and applying fixes can be a surprisingly labor-intensive exercise. The whole process of “vulnerability identification” is often a job in and of itself. Identifying critical vulnerabilities and then not fixing them in a timely manner is a dangerous game: the scan report exists, the exposure remains, and the organization is left with a false sense of security.

Overcoming organizational barriers

One of the surprising aspects of our work is that, for many of our customers, it is not a lack of information that keeps them from being secure. Instead, it is the internal process of finding and convincing the correct people in the company to get fixes applied. Depending on the company’s organizational structure, the team responsible for security may even be outside of the IT department. Vulnerabilities are identified and passed along to different groups with no clear sense of ownership for remediation.

Facilitating successful remediation

One of the ways to improve operational efficiency is to make it easier for the appropriate individuals, or teams, to collaborate on fixing security vulnerabilities. NopSec built an automated ticketing process into our software-as-a-service, Unified VRM, to help remediate issues quickly. Unified VRM also provides the flexibility to integrate with existing Security Information and Event Management (SIEM) solutions. One of our customers cut the time it took to remediate critical vulnerabilities from weeks to hours. Even better, they continued on a positive trend of fewer open vulnerabilities by feeding Unified VRM reports directly into their patch management system.
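To make the identification-versus-management distinction concrete, here is an added Python example (my own illustration, not code from the original post and not NopSec's Unified VRM). It takes repeated scan runs, collapses them into one tracked item per asset and vulnerability with first-seen and fixed dates, routes each item to an owning team, and then answers the questions a remediation process actually needs answered: what is past its SLA, what has no owner at all, and how many days fixes are taking. The SLA values, the asset-to-team routing table, the scan data and the `vuln-N` identifiers are all constructed for the example.

```python
"""Toy remediation tracker: turns raw scan hits into owned, SLA-tracked work items.

Added example; the SLA table, routing table and scan data below are assumptions
constructed for illustration, not real scanner output or any vendor's policy.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Remediation deadline in days per severity (illustrative assumption).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Asset-name prefix -> team that can actually apply the fix (constructed routing table).
OWNER_BY_PREFIX = {"web-": "app-platform", "db-": "dba", "vpn-": "network"}

# Three scan runs over the same four hosts (constructed sample data). A finding that
# stops appearing on an asset that was still scanned is treated as fixed on that date.
SCANS = [
    {"date": date(2024, 3, 1), "assets": ["web-01", "db-01", "vpn-01", "legacy-07"],
     "findings": [("web-01", "vuln-1", "critical"), ("db-01", "vuln-2", "high"),
                  ("vpn-01", "vuln-3", "critical"), ("legacy-07", "vuln-4", "critical")]},
    {"date": date(2024, 3, 8), "assets": ["web-01", "db-01", "vpn-01", "legacy-07"],
     "findings": [("db-01", "vuln-2", "high"), ("vpn-01", "vuln-3", "critical"),
                  ("legacy-07", "vuln-4", "critical")]},
    {"date": date(2024, 3, 22), "assets": ["web-01", "db-01", "vpn-01", "legacy-07"],
     "findings": [("vpn-01", "vuln-3", "critical"), ("legacy-07", "vuln-4", "critical")]},
]

# Date the report is generated (assumption for the example).
REPORT_DATE = date(2024, 3, 29)


def assign_owner(asset):
    """Return the team responsible for an asset, or None when nobody owns it."""
    for prefix, team in OWNER_BY_PREFIX.items():
        if asset.startswith(prefix):
            return team
    return None


def track_findings(scans):
    """Collapse repeated scan hits into one item per (asset, vuln) with lifecycle dates."""
    items = {}
    for scan in sorted(scans, key=lambda s: s["date"]):
        seen_this_run = set()
        for asset, vuln, severity in scan["findings"]:
            key = (asset, vuln)
            seen_this_run.add(key)
            if key not in items:  # first time the scanner reports it: open a tracked item
                items[key] = {"asset": asset, "vuln": vuln, "severity": severity,
                              "owner": assign_owner(asset),
                              "first_seen": scan["date"], "fixed_at": None}
        # An open item whose asset was scanned but no longer reports the vuln is fixed.
        for key, item in items.items():
            if (item["fixed_at"] is None and key not in seen_this_run
                    and item["asset"] in scan["assets"]):
                item["fixed_at"] = scan["date"]
    return list(items.values())


def remediation_report(items, today):
    """Report overdue items per owner, items nobody owns, and mean days to remediate."""
    overdue, unowned, days_to_fix = defaultdict(list), [], []
    for item in items:
        if item["fixed_at"] is not None:
            days_to_fix.append((item["fixed_at"] - item["first_seen"]).days)
            continue
        age = (today - item["first_seen"]).days
        if item["owner"] is None:
            unowned.append(item["vuln"])
        if age > SLA_DAYS[item["severity"]]:
            overdue[item["owner"] or "UNOWNED"].append((item["vuln"], age))
    return {"overdue_by_owner": dict(overdue), "unowned": unowned,
            "mean_days_to_remediate": mean(days_to_fix) if days_to_fix else None}


if __name__ == "__main__":
    for line in remediation_report(track_findings(SCANS), REPORT_DATE).items():
        print(*line)
```

Run as-is, the report shows the two patterns the text describes: vuln-3 on vpn-01 has an owner but has sat open for four weeks against a seven-day critical SLA, and vuln-4 on legacy-07 matches no routing rule, so it surfaces in the unowned list and lands in the UNOWNED bucket rather than silently reappearing in every scan. The two fixed items give a mean time to remediate of 14 days, which is the number worth trending, not the raw count of findings per scan.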

When you want to take the first step toward true “vulnerability management”, please read NopSec’s Best Practices Guide: Vulnerability Management.

Schedule a Product Demo Today!

See how NopSec's security insights and cyber threat exposure management platform can organize your security chaos.