3 Super Common Vulnerability Management Myths: BUSTED
October is Cybersecurity Awareness Month, so in the spirit of the season we’d like to help set the record straight about a few common misconceptions we often see in the vulnerability space. Vulnerability management may seem like a straightforward concept—you have security vulnerabilities, so you fix ‘em, right? If only that were the case. Most companies have learned the hard way that managing vulnerabilities is anything but simple.
With the volume of new vulnerabilities published every day (averaging 69 new CVEs a day this calendar year so far), effective and efficient remediation becomes not only more urgent but exponentially more complicated. And organizations are taking different approaches to solving this problem (spoiler alert: some work better than others).
As a team that lives and breathes vulnerability management day in and day out, we’d like to look at a few common myths about vulnerabilities and see how we might reposition them to pave the path to more efficient remediation.
Myth #1: I have to patch all my vulnerabilities.
Not exactly. Let’s preface this by saying if you can patch all your vulnerabilities, do it. But the reality is that no organization is going to be able to patch everything. And our Prioritization to Prediction research shows that organizations, regardless of size, are only patching about 15% of their vulnerabilities. In some cases, high performing teams can reach above 50% patch rate, but those comprise a small minority.
The tough truth is that you can’t patch it all (nor should you), which is why prioritization has become such a sought-after capability. But if you need to focus your finite resources on a subset of vulnerabilities, which ones should those be? This is where a risk-based approach to vulnerability management comes into play. In an ideal risk-based world, organizations would prioritize the vulnerabilities that pose the biggest risk to their organization and funnel their remediation efforts appropriately. Of course, this strategy hinges on determining what makes a vulnerability risky.
For years, many teams leaned on the Common Vulnerability Scoring System (CVSS) to decide which vulnerabilities to prioritize. But a CVSS rating only reveals part of the story. CVSS base scores indicate how technically severe a vulnerability is, but they leave out other critical factors. For example, has it been weaponized (is working exploit code available)? Even more important, is it being exploited in the wild, and how often? Not to mention organizational context: is it present on a business-critical asset? These considerations must be factored into vulnerability prioritization.
Using exploitation as a guideline for prioritizing vulnerabilities is becoming more popular. Even the federal government is embracing a more risk-based mindset. In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) introduced the Known Exploited Vulnerabilities (KEV) catalog, with remediation deadlines for federal civilian agencies, to help inform vulnerability prioritization. And for good reason: only about 5% of vulnerabilities in the National Vulnerability Database (NVD) are both observed in enterprises and exploited in the wild. In an ideal world, this subset is where remediation teams would want to focus their attention. And 5% is significantly more manageable than 100%.
So no, you don’t have to patch all your vulnerabilities (at least, not right now).
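To make the risk-based approach concrete, here is an added example (not code from this post or from Kenna/Cisco) that ranks scanner findings by combining the three factors above: the CVSS base score, exploitation evidence (a lookup against a document in the shape of the CISA KEV JSON feed, plus a "weaponized" flag), and asset criticality. The weights, the asset tiers, the CVE IDs (deliberately non-existent placeholders) and the findings themselves are constructed for illustration, not real data or a vendor's scoring model.

```python
"""Illustrative risk-based ranking of vulnerability findings.

Added example, not the post's or any vendor's code. The KEV excerpt below follows
the field names of CISA's real feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
but its entries are constructed placeholders, not real catalog records.
"""
import json
from dataclasses import dataclass

# Constructed KEV-shaped document. CVE-0000-* IDs are placeholders, not real CVEs.
KEV_JSON = """
{"title": "CISA Catalog of Known Exploited Vulnerabilities",
 "vulnerabilities": [
   {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp", "product": "Gateway",
    "dueDate": "2023-11-15"},
   {"cveID": "CVE-0000-0004", "vendorProject": "ExampleCorp", "product": "Portal",
    "dueDate": "2023-11-01"}
 ]}
"""


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score, 0.0-10.0
    asset: str
    asset_tier: int        # 1 = business-critical, 2 = important, 3 = low value
    exploit_public: bool   # working exploit code is publicly available ("weaponized")


# Assumed weights for asset criticality (illustration only).
ASSET_WEIGHT = {1: 1.0, 2: 0.6, 3: 0.3}


def load_kev(raw_json: str) -> set[str]:
    """Return the set of CVE IDs listed in a KEV-shaped JSON document."""
    doc = json.loads(raw_json)
    return {entry["cveID"] for entry in doc["vulnerabilities"]}


def risk_score(f: Finding, kev: set[str]) -> float:
    """CVSS is the base; exploitation evidence multiplies it; asset tier scales it.

    Multipliers are assumptions chosen so that 'exploited in the wild' dominates
    'weaponized', which in turn dominates 'no known exploit'.
    """
    if f.cve in kev:
        exploitation = 3.0     # observed exploited in the wild (KEV)
    elif f.exploit_public:
        exploitation = 1.5     # weaponized, but not yet seen exploited
    else:
        exploitation = 1.0     # technical severity only
    return round(f.cvss * exploitation * ASSET_WEIGHT[f.asset_tier], 2)


def prioritize(findings: list[Finding], kev: set[str]) -> list[Finding]:
    """Highest risk first."""
    return sorted(findings, key=lambda f: risk_score(f, kev), reverse=True)


def patch_plan(findings: list[Finding], kev: set[str], budget: int) -> list[str]:
    """CVE IDs to fix this cycle given a limited remediation budget."""
    return [f.cve for f in prioritize(findings, kev)[:budget]]


# Constructed sample findings: note the CVSS 9.8 that nobody is exploiting,
# sitting on a low-value asset, versus the CVSS 5.3 in KEV on a critical one.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "lab-vm-07", 3, exploit_public=False),
    Finding("CVE-0000-0002", 7.5, "payments-gw-01", 1, exploit_public=True),
    Finding("CVE-0000-0003", 8.1, "intranet-wiki", 2, exploit_public=True),
    Finding("CVE-0000-0004", 5.3, "customer-portal", 1, exploit_public=False),
]

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for f in prioritize(SAMPLE_FINDINGS, kev):
        print(f"{f.cve}  cvss={f.cvss:<4} tier={f.asset_tier} "
              f"kev={f.cve in kev!s:<5} risk={risk_score(f, kev)}")
    print("fix this cycle:", patch_plan(SAMPLE_FINDINGS, kev, budget=2))
```

Run as-is, the CVSS 9.8 finding ends up last and the two KEV entries on critical assets come first; with a budget of two fixes this cycle, the plan picks exactly those two. The point is not the specific multipliers (swap in your own) but that the ordering is driven by exploitation evidence and asset context, not by CVSS alone.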
Myth #2: If a vulnerability makes headlines, it’s riskier than other vulnerabilities in my stack.
If you’re on a security team, you’re all-too familiar with the fire drill that ensues when a vulnerability makes the rounds among news outlets. Whenever a vulnerability like Log4Shell dominates headlines, the industry scrambles to understand the parameters of the vulnerability and potential exploitations, and CISOs jump to ensure their teams are checking for and fixing the vulnerability in their environment. If it’s hogging headlines, it must be the most critical, right? Well, not always.
Vulnerabilities can often grab attention in the media and create the false impression that this is where resources should be urgently directed. And while vulnerabilities like Log4Shell are not insignificant, the reality is that riskier vulnerabilities may still be in your environment—ones that are being actively exploited more often, and more successfully, than the latest scoop.
Rule of thumb: Pay attention to the news but do not let your prioritization be guided by headlines alone.
Myth #3: Vulnerability management is a security problem.
Vulnerability management is a function that will generally span two teams: security and IT. But there are far too many organizations where security teams keep vulnerability prioritization siloed, not allowing real buy-in from or shared incentives with IT (the folks who actually handle the remediation). This dynamic can lead to frustration, friction, and workflow inefficiencies. Vulnerability management will always be an uphill battle if security is trying to drag IT along without clear directions or data-backed reasoning.
We can tell you from our decade-plus experience in this field that the customers who have the most successful vulnerability management programs are the ones in which security and IT are in lock step with one another, with a shared understanding of the strategy and how to measure success. These organizations also have support and validation from their executive teams, who understand that if cybersecurity risk is a business problem, then vulnerability management is a business problem. You cannot effectively manage business risk without a strong vulnerability management program.
Even non-IT roles are citing cybersecurity’s importance with increasing frequency. A recent PwC survey found that virtually the entire C-suite understands that cyber-attacks pose a serious risk to the vitality of an organization, with 44% of CFOs and 41% of CMOs ranking it high on their list of concerns. This widespread evangelism underscores the fact that vulnerability management is not simply a security matter.
It’s not just a month—it’s a movement
Even with the proliferation of technology and connectivity in our professional and private lives, misconceptions abound. People are fallible and inevitably click the wrong links or reveal sensitive credentials. Since threat actors keep upping their game, there is always room for improvement regarding cybersecurity hygiene and basic knowledge. This was the original intent behind Cybersecurity Awareness Month.
But on a larger scale, cybersecurity is defining our future in very real and significant ways, shaping the direction of warfare, business culture, and collective livelihoods. Gartner’s recent cybersecurity predictions reveal sobering ways that risk and resilience will inform the next few years. And those that are laying the groundwork for security resilience will reap the benefits of being able to respond to future attacks and unknown threats confidently and efficiently.
To learn more about what you and your team can do to participate in Cybersecurity Awareness Month, explore what Cisco is doing to help organizations increase their knowledge and better safeguard their defenses.