The Cost Savings of Effective Vulnerability Management (Part 1)
As our world grapples with a changing economy, most businesses are being asked to stretch budgets as far as they will go. “Do more with less” is hitting home now more than ever.
For those of us in the vulnerability management space, ensuring that money, resources, and time are strategically spent is both imperative and difficult. Resources are dwindling fast, but the vulnerability problem sure isn’t.
The Vulnerability Management Challenge
Vulnerability management is a notorious resource drain for many organizations that struggle to patch thousands or even millions of vulnerabilities on a regular basis. Even in the best of circumstances, a mandate to “patch everything” isn’t going to give you much of a return on your investment. But solving the vulnerability management challenge doesn’t have to cost endless dollars and tie up limited staff. As with any daunting to-do list, it’s all about prioritizing.
Let’s take a step back to look at the big picture. It’s easy to point to your infrastructure and application vulnerabilities and say, “Everything is at risk.” But if everything is at risk, then everything needs to be patched. Now, you’re running in circles trying to figure out how to patch an insurmountable pile of vulnerabilities. And before you know it, you’re stuck in a “spray and pray” routine that yields a critical problem: You’re spending a ton of resources, but you’re not actually reducing risk.
Focus on the Vulnerabilities That Matter Most
The truth is that it simply doesn’t make sense to treat every vulnerability equally. Only around 2% of vulnerabilities are actively exploited in the wild, according to Kenna Security’s Prioritization to Prediction research, which makes the traditional, “everything is at risk” approach both inefficient and costly. Some vulnerabilities are more critical and need immediate attention; some are less likely to cause an issue and can be deprioritized.
With a risk-based approach to vulnerability management, you can focus resources on patching a smaller number of vulnerabilities that pose a real risk to your organization. The result? Less work and less risk—within less time, with less money, and with fewer resources.
But it’s not just the act of prioritizing that will make a difference—you have to be confident that you’re identifying that real risk accurately. It’s not a place for guesswork. This is where threat intelligence driven by data science plays a critical role. Too many organizations rely on very basic vulnerability information—often just the Common Vulnerability Scoring System (CVSS), or a vendor that essentially repurposes CVSS data without much additional intelligence. Compared to remediating based on CVSS 7+, Kenna’s risk-based model delivers twice the efficiency, with half the effort, according to Kenna’s Prioritization to Prediction research.
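To make the CVSS 7+ versus risk-based comparison concrete, here is an added example (not Kenna’s code or the Prioritization to Prediction model) that scores both strategies on a constructed set of ten findings by effort (patches issued), coverage (exploited vulnerabilities caught) and efficiency (share of issued patches that addressed an exploited vulnerability). The `exploit_public` intelligence signal, the identifiers and the proportions are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vid: str              # placeholder identifier, not a real CVE
    cvss: float           # CVSS base score
    exploit_public: bool  # public exploit code exists (assumed intel signal)
    exploited: bool       # observed exploitation in the wild (ground truth)

# Constructed sample: most CVSS 7+ findings are never exploited, while one
# exploited finding sits below the 7.0 line. Proportions are illustrative only.
SAMPLE = [
    Vuln("V-01", 9.8, True,  True),
    Vuln("V-02", 9.1, False, False),
    Vuln("V-03", 8.8, False, False),
    Vuln("V-04", 8.2, True,  False),
    Vuln("V-05", 7.5, False, False),
    Vuln("V-06", 7.2, False, True),
    Vuln("V-07", 6.5, True,  True),
    Vuln("V-08", 5.9, False, False),
    Vuln("V-09", 5.3, False, False),
    Vuln("V-10", 4.3, False, False),
]

def cvss_strategy(vulns, threshold=7.0):
    """'Patch everything CVSS 7+': the baseline the post argues against."""
    return [v for v in vulns if v.cvss >= threshold]

def risk_based_strategy(vulns):
    """Patch what is exploited or has public exploit code, regardless of CVSS."""
    return [v for v in vulns if v.exploited or v.exploit_public]

def score(vulns, remediated):
    """Effort = patches issued; coverage = exploited vulns caught;
    efficiency = share of issued patches that hit an exploited vuln."""
    exploited = {v.vid for v in vulns if v.exploited}
    fixed = {v.vid for v in remediated}
    hit = exploited & fixed
    return {
        "effort": len(fixed),
        "coverage": len(hit) / len(exploited) if exploited else 1.0,
        "efficiency": len(hit) / len(fixed) if fixed else 0.0,
    }

def compare(vulns=SAMPLE):
    """Score both strategies over the same findings for a side-by-side view."""
    return {"cvss_7plus": score(vulns, cvss_strategy(vulns)),
            "risk_based": score(vulns, risk_based_strategy(vulns))}
```

On the sample, `compare()` shows the CVSS 7+ rule issuing six patches to catch two of the three exploited findings, while the risk-based rule issues four and catches all three. Swap in your own scanner export and threat feed to see how the two metrics move on real data.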
Real Savings From Risk-Based Vulnerability Management
It’s worth noting, too, that some organizations understand that CVSS isn’t sufficient but turn to a DIY project in the hope of forgoing another investment. Home-grown vulnerability management systems, however, can cost millions a year—they’re far from a cost saver.
At Kenna, we’ve seen the impact of a risk-based approach to vulnerability management first-hand. It’s not unusual for our customers to see the number of vulnerabilities that need to be patched drop dramatically. Just recently, a customer reported that the 5.8 million vulnerabilities they were facing prior to Kenna had been whittled down to fewer than 350,000—and in less than 45 days, to boot.
Aligning the entire company behind a risk-based approach to vulnerability management can be transformative, as we’ve seen in many of our more “mature” customers who have journeyed with us for some time. Time, resources, and money are freed up left and right in this type of model, and in the next two blogs in our series, we’ll dive deeper into what exactly those savings look like in action. Stay tuned for more!
Want to learn more about Kenna’s threat intelligence? Contact us to schedule a demo.