Analysts Agree: The Future of Vulnerability Management Will Be Risk-Based

There’s nothing quite like respected industry analysts signaling that you’re on the right track. What’s even better is when they signal the groundbreaking path you blazed in risk-based vulnerability management (RBVM) is the one they think everyone else should now follow.

This, we believe, is the thrust of many recent industry analyst reports outlining the likely direction of vulnerability management. With the average IT environment bedeviled by millions of vulnerabilities, knowing which of these are likely to be weaponized has become imperative not just to security and IT organizations, but to businesses themselves. Since just 5% of vulnerabilities will probably emerge as real threats to your data and assets, how do you know which vulnerabilities are putting you at the greatest risk?

As vulnerability management platforms evolve, so have expectations for them. The industry has moved away from merely scanning and identifying vulns (an unhelpful “everything’s at risk” approach that led security and IT teams to try to patch all known vulnerabilities) to predicting which vulnerabilities will pose a threat and then prioritizing those. In other words, the industry has moved toward risk-based vulnerability management (RBVM).

Changing the Conversation–and the Industry

As Karim Touba, Kenna Security’s CEO, recently observed, being an industry pioneer means you have to reframe the conversation around new ideas. We spent the past several years educating the market about the challenges of vulnerability management—and the crucial element of risk-based prioritization that enterprises were missing from their defenses, even if most didn’t quite see it yet. But when you spend a decade working in the world’s most complex environments, you learn what works and what doesn’t.

In developing the Kenna Security Platform, we’ve kept what works, and we’ve built on that foundation. In the process, we pioneered RBVM, which, whether it goes by that name or not, has been identified by a growing number of industry analysts as a defining trend in how enterprises defend themselves against cyberthreats:

“Gartner has called out the critical need to assess assets for configuration issues and vulnerabilities, and to be able to prioritize what you do with that assessment, based on the risk to your organization.”  [Gartner, Inc.: Market Guide for Vulnerability Assessment, Craig Lawson, Mitchell Schneider, Prateek Bhajanka, Dale Gardner, Nov. 20, 2019.]

At Kenna Security, our focus has been on ensuring that our customers always have the benefit of three things:

  • confidence (with the ability to gain a real-time view of the entire enterprise stack);
  • intelligence (derived from evidence-based guidance and predictive data science); and
  • alignment (ensuring security and IT are working toward the same priorities).

To get a more detailed sense of Gartner’s view of the future of vulnerability management, and to understand how maturing your own vulnerability management model can result in the three benefits listed above, check out our latest newsletter featuring research from Gartner.

I think you’ll agree with the growing chorus of industry voices that the future is risk-based vulnerability management.

The Future of Vulnerability Management is Risk-Based is published by Kenna Security. Editorial content supplied by Kenna Security is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2019 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Kenna Security’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity”, on its website.

Gartner, Inc.: Market Guide for Vulnerability Assessment, Craig Lawson, Mitchell Schneider, Prateek Bhajanka, Dale Gardner, Nov. 20, 2019.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.