Security Priorities 2022: Insights from the State of Vulnerability Management Report
- Sep 13, 2022
- Lisa Xu
In its most basic form, security is about protecting people and systems from harm. Increasingly, our security depends on our ability to manage risk and uncertainty. And that means we need to start thinking about security in new ways.
One of the most critical security challenges we face today is managing vulnerabilities. A vulnerability is a weakness that an attacker can exploit to cause harm. It might be a software flaw that threat actors can exploit to gain access to a system or a physical vulnerability they can leverage to steal data. Whatever the form, vulnerabilities are a fact of life in the digital age.
The good news is that there are things we can do to manage vulnerabilities effectively. We can harden systems against attacks and develop contingency plans for when things go wrong. We can also deploy advanced tools to automate processes and move from being reactive to being proactive. Organizations can do this by taking an offensive approach to security, but this requires a complete mindset shift for everyone from the security practitioners on the front lines to the C-suite. By understanding and managing vulnerabilities, we can make our digital world a safer place for everyone.
The State of Vulnerability Management Report from NopSec highlights four critical priorities for security practitioners in 2022 and beyond. These are: purchasing new tools, hiring more people, increasing security budgets, and conducting breach attack simulations. Based on a survey of over 426 security professionals from nine critical industries, this report provides an in-depth look at the current state of vulnerability management and how practitioners plan to address risk in the future.
When it comes to vulnerability management, many organizations are looking for new tools to keep up with the ever-changing threats. The largest group of respondents (16.9%) said they plan to purchase a new solution or upgrade their existing vulnerability assessment tool over the next 12 months. Two other choices, increasing enterprise visibility with 100% scanning and adding breach attack simulation capabilities, effectively put these respondents into the ‘purchasing’ category too.
A plurality of those surveyed (21.8%) said that adding staff to the vulnerability management program would have the most impact going forward. Another 20% feel this way but plan on using consultants or contractors for these roles instead of full-time employees.
Hiring more people is a top priority for many security teams. This strategy is due to the increasing complexity of attacks and the need for more specialized skills. In addition, many organizations are facing a shortage of qualified security personnel. As a result, they are turning to outside firms or contractors to fill the gaps in their workforce.
The cybersecurity skills gap sometimes leads to poaching between tech firms. Speaking with James Rundle of the Wall Street Journal, Krishnan Chellakarai, founder of NextGen Cyber Talent, said, “Because we all need these talents, we end up recruiting valuable employees from one another, even though we are all trying to ultimately solve the same cyber challenge. … Instead of trying to steal from one another, we need to work together to encourage more people to get into the field and increase the supply of skilled individuals.”
We’re in the midst of a security arms race. Every few years, a new attack vector emerges, whether it’s ransomware, DDoS attacks, or data breaches, and organizations are forced to spend more money on security in order to defend themselves. This is especially true for organizations that hold sensitive data or those that are subject to strict compliance regulations. As a result, many organizations are finding it necessary to increase their security budget in order to keep up with the latest threats. In some cases, this may mean hiring additional staff or investing in new security technologies. However, it’s important to remember that security is an ongoing process, not a one-time expenditure. By making security a priority, organizations can help ensure that their data and systems are protected against the ever-evolving landscape of cyber threats.
Our survey shows that despite today’s challenging market conditions, 36.6% of those involved in budget-related decisions foresee an increase over the next 12 months. Over three-quarters of those who expect an increase anticipate a bump of at least 26%.
Breach attack simulations are another top priority for security practitioners. This is due to the increasing number of data breaches and the need to test their responses to these events. By conducting simulations, organizations can assess their readiness and identify areas where they need to improve their procedures.
On January 11, 2022, reporting for Bloomberg, Alberto Nardelli stated that “European Union governments will launch later this week a large-scale simulation of cyberattacks against multiple member states. Participants will be confronted with attacks on their supply chains and some spillover socio-economic effects in other member states, before having to coordinate public communications and a diplomatic response.”
For 22.5% of respondents, breach attack simulations were the most exciting or promising vulnerability management technology. Operational technology assessments were the number two choice (20%), followed by web application scanning (19.7%).
The State of Vulnerability Management Report from NopSec provides a comprehensive look at the current state of vulnerability management and how practitioners plan to address risk in the future. This report is valuable for security professionals looking to improve their program effectiveness. It can help guide decision-making and ensure that resources are allocated appropriately. Organizations not currently using a risk-based approach to vulnerability management should consider doing so, as it can help them save time and money while reducing their exposure to potential attacks.
The increasing complexity of the IT environment, coupled with the exponential rise in threats, has made risk-based vulnerability management imperative for organizations today. Implementing a program that is aligned with an organization’s business goals and objectives is critical to success.
It is essential for organizations to have a comprehensive understanding of their assets and vulnerabilities and to prioritize their remediation efforts accordingly. We educate our customers on how to develop and implement a risk-based approach to vulnerability management that will enable them to stay ahead of the curve and protect their organizations from the ever-evolving threats they face. By taking a proactive approach to managing vulnerabilities, organizations can reduce their exposure to risk and improve their overall security posture.