Blog

The Cost Savings of Effective Vulnerability Management (Part 2)

The other week, we kicked off this blog series with the proposition that a risk-based vulnerability management approach is more cost-effective than a traditional “everything is at risk” model. Today, we’d like to take a closer look at how those cost and resource savings play out. To get us started, let’s focus our conversation on one particular area in which resources seem to quickly spiral out of control: the inefficient “battle” between security and IT. 

There are millions of vulnerabilities in your organization, and your security team is champing at the bit to wrangle risk, but struggles to identify where to begin. Your IT team is consistently flooded with demands to implement patches, among many other tasks, and most of the time they don't even understand why they are patching what they're being asked to patch. Each team measures "success" by different metrics, both teams are left stretched thin, and there is rising friction between the groups. All the while, your organization's risk posture becomes increasingly precarious. 

What happens if we can eliminate this problem? In a recent blog, we looked at the impact of reducing the friction between IT and Security. Jason Rolleston, our Chief Product Officer, said it well: 

“When the friction between IT and security is reduced or eliminated, it turns passionate people into partners, and allows them to work toward common goals, not against each other.” 

The thing about battles is that they always come at a cost. And the battle between security and IT is an especially expensive fight with little to show in return. It stands to reason, then, that aligning security and IT would yield far more productive results. 

Let's visualize what this alignment might look like. There are still millions of vulnerabilities within your infrastructure and applications. But now, your security and IT teams have agreed upon a risk-based approach to remediation, which means you can prioritize and patch first the vulnerabilities that actually reduce risk, rather than treating every finding as an equal emergency. The rest are not ignored; they stay tracked and are revisited as exploit activity and asset exposure change. 


In this environment, your security team is focused on reporting, oversight, and exception handling, and IT operates self-sufficiently. There's no need for security to tell IT what to do: IT can look at the assets it owns and make decisions based on a risk score both teams have agreed on, knowing that every patch it deploys is one that meaningfully reduces risk. 
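To make the "shared risk score" concrete, here is an added example (not Kenna Security's code or scoring model) that compares the two policies the post contrasts: patch everything at or above a CVSS threshold, versus spend a fixed patch budget on the highest-risk findings. The risk formula, the `Finding` fields, and the sample findings are all constructed for illustration; the identifiers are placeholders, not real CVEs.

```python
"""Illustrative comparison of CVSS-threshold patching vs. risk-based patching.

Added example. The scoring formula and sample data are assumptions made
for this illustration and do not represent any vendor's model.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    finding_id: str          # placeholder label, not a real CVE
    asset: str               # constructed hostname
    cvss: float              # base score, 0-10
    exploit_observed: bool   # exploitation seen in the wild (assumed threat-intel flag)
    asset_criticality: int   # 1 (lab box) .. 5 (internet-facing, business-critical)


def risk_score(f: Finding) -> float:
    """Hypothetical 0-100 score: CVSS, weighted by exploit evidence and asset value.

    One number both security and IT can read the same way. Findings with no
    observed exploitation are discounted to a quarter; asset criticality
    scales linearly. This is a stand-in for whatever model the teams adopt.
    """
    exploit_weight = 1.0 if f.exploit_observed else 0.25
    return round(f.cvss * 10 * exploit_weight * (f.asset_criticality / 5), 1)


def patch_by_cvss(findings: Iterable[Finding], threshold: float = 7.0) -> List[Finding]:
    """Traditional policy: every finding at or above the CVSS threshold is a work order."""
    return [f for f in findings if f.cvss >= threshold]


def patch_by_risk(findings: Iterable[Finding], budget: int) -> List[Finding]:
    """Risk-based policy: spend a fixed patch budget on the highest-risk findings."""
    return sorted(findings, key=risk_score, reverse=True)[:budget]


def risk_reduction(patched: Iterable[Finding], findings: Iterable[Finding]) -> float:
    """Shared success metric: percentage of total risk removed by a patch plan."""
    findings = list(findings)
    total = sum(risk_score(f) for f in findings)
    removed = sum(risk_score(f) for f in patched)
    return round(100 * removed / total, 1)


# Constructed sample data: eight findings across assets of varying importance.
SAMPLE_FINDINGS = [
    Finding("FINDING-A", "lab-test-01", 9.8, False, 1),
    Finding("FINDING-B", "web-prod-01", 7.5, True, 5),
    Finding("FINDING-C", "web-prod-02", 5.3, True, 5),
    Finding("FINDING-D", "file-srv-03", 7.2, False, 3),
    Finding("FINDING-E", "build-agent-02", 9.1, True, 2),
    Finding("FINDING-F", "build-agent-05", 8.8, False, 2),
    Finding("FINDING-G", "lab-test-02", 4.0, False, 1),
    Finding("FINDING-H", "vpn-gw-01", 6.5, True, 3),
]


def compare(findings: List[Finding] = SAMPLE_FINDINGS, budget: int = 3) -> Dict[str, float]:
    """Return patch counts and risk reduction for both policies side by side."""
    cvss_plan = patch_by_cvss(findings)
    risk_plan = patch_by_risk(findings, budget)
    return {
        "cvss_patches": len(cvss_plan),
        "cvss_risk_reduction": risk_reduction(cvss_plan, findings),
        "risk_patches": len(risk_plan),
        "risk_risk_reduction": risk_reduction(risk_plan, findings),
    }


if __name__ == "__main__":
    for policy, plan in (
        ("CVSS >= 7.0", patch_by_cvss(SAMPLE_FINDINGS)),
        ("Top 3 by risk", patch_by_risk(SAMPLE_FINDINGS, 3)),
    ):
        ids = ", ".join(f.finding_id for f in plan)
        print(f"{policy}: {len(plan)} patches [{ids}] -> "
              f"{risk_reduction(plan, SAMPLE_FINDINGS)}% of total risk removed")
```

On the constructed data the CVSS policy generates five work orders and removes about 59% of the total risk, while the risk-based policy removes about 73% with three. The difference is the point of the post: the threshold policy spends a patch on a CVSS 9.8 lab box nobody is exploiting and skips a CVSS 5.3 that is actively exploited on an internet-facing server. The findings left out of the budget are not dropped; they remain in the list and move up as `exploit_observed` or `asset_criticality` change, which is the exception-handling work the security team keeps.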

In this model, efficiency reigns. There are no disagreements about what to patch, how to patch it, or how to measure success. Security and IT spend less time arguing, and "weekly patch meetings" are a thing of the past. In our current "work from home" climate, this type of alignment is even more essential. There is more pressure than ever to be self-sufficient and stay on track, and vulnerabilities will have to be managed wherever you're working from. 

If you're working with limited resources, you need confidence that your team can get things done in a timely manner. With a risk-based approach, the CISO can trust that risk is being managed effectively, and the CIO can repurpose limited resources to other priorities. 

Stay tuned for the final installment in our blog series!

Want to do more with less? Contact us today to view a demo and learn how Kenna Security can save your organization money, resources, and time without sacrificing results.