ON-DEMAND TRAINING:  
Build your risk-based vulnerability program
Contact Us
Talk to an Expert
Request a demo

The Cost Savings of Effective Vulnerability Management (Part 2)

May 7, 2020
Caroline Japic
Chief Marketing Officer

Share with Your Network

The other week, we kicked off this blog series with the proposition that a risk-based vulnerability management approach is more cost-effective than a traditional “everything is at risk” model. Today, we’d like to take a closer look at how those cost and resource savings play out. To get us started, let’s focus our conversation on one particular area in which resources seem to quickly spiral out of control: the inefficient “battle” between security and IT. 

There are millions of vulnerabilities in your organization, and your security team is chomping at the bit to wrangle risk, but struggles to identify where to begin. Your IT team is consistently flooded by the demand to implement patches, among many other tasks, and most of the time they don’t even understand why they are patching what they’re being asked to patch. Each team is measuring “success” by different metrics, both teams are left stretched thin, and there is rising friction between the groups. All the while, your organization’s risk posture becomes increasingly precarious. 

What happens if we can eliminate this problem? In a recent blog, we looked at the impact of reducing the friction between IT and Security. Jason Rolleston, our Chief Product Officer, said it well: 

“When the friction between IT and security is reduced or eliminated, it turns passionate people into partners, and allows them to work toward common goals, not against each other.” 

The thing about battles is that it always comes at a cost. And the battle between security and IT is an  especially expensive fight without much to show in return. It serves to reason, then, that aligning security and IT would yield far more productive results. 

Let’s visualize what this alignment might look like. There are still millions of vulnerabilities within your infrastructure and applications. But now, your security and IT teams have agreed upon a risk-based approach to remediation, which means you can prioritize and patch only the vulnerabilities that need to be patched. 


In this environment, your security team is now focused on reporting, oversight, and exception handling, and IT is operating self-sufficiently. There’s no need for security to tell IT what to do; IT can go in, get the view of the assets they have, and make decisions based on a shared alignment on a risk score, knowing that every patch you deploy is one that’s meaningfully reducing risk. 

In this model, efficiency reigns. There are no disagreements about what to patch, how to patch it, and how to measure success. Security and IT spend less time arguing, and “weekly patch meetings” are a thing of the past. In our current “work from home” climate, this type of alignment is even more essential. There is more pressure than ever to be self-sufficient and stay on track, and vulnerabilities will have to be managed wherever you’re working from. 

If you’re working with limited resources, it’s critical to be able to be confident in your team’s ability to get things done in a timely manner. With a risk-based approach, the CISO can trust that risk is effectively being managed, and the CIO can repurpose limited resources to other priorities. 

Stay tuned for the final installment in our blog series!

Want to do more with less? Contact us today to view a demo and learn how Kenna Security can save your organization money, resources, and time without sacrificing results.

Share with Your Network

Read the Latest Content

Research Reports

Prioritization to Prediction Volume 5: In Search of Assets at Risk

The fifth volume of the Prioritization to Prediction series produced in conjunction with the Cyentia Institute explores the vulnerability risk landscape by looking at how enterprises often view vulnerabilities: through the lens of common asset platforms. Download the research report to learn more about the key findings: Common asset platforms and their typical risk profiles…

DOWNLOAD NOW
eBooks

5 Things Every CIO Should Know About Vulnerability Management

If you view vulnerability management (VM) as just a small part of your operation, it might be time to take another look.  Managing vulnerabilities is just as critical to IT as it is to Security and DevOps.  And it’s worth getting right: Vulnerabilities can leave your most strategic assets—and your business itself—exposed to cyber threats…

DOWNLOAD NOW

Videos

Videos

Get Started Using the Exploit Prediction Scoring System (EPSS).

Cyentia Institute’s Chief Data Scientist and Founder Jay Jacobs gives tips on how to get started using the Exploit Prediction Scoring System (EPSS). You can learn more about the Exploit Prediction Scoring System and use the interactive calculator here: https://www.kennaresearch.com/tools/e…

READ MORE
FacebookLinkedInTwitterYouTube

© 2021 Kenna Security. All Rights Reserved. Privacy Policy.