
Modern Vulnerability Management Part 3: Engaging Auto-Pilot

Sep 2, 2020
Jason Rolleston
Chief Product Officer


One of the odd things about risk is that it doesn’t mean the same thing to all people. We happily ride in cars almost every day, despite the fact that on a mile-for-mile basis, it represents one of the most dangerous forms of transportation. But many of us will get a weird feeling in the pit of our stomachs while waiting on the tarmac for our plane to take off, despite the fact that air travel is the safest. 

In enterprise cybersecurity, vulnerability management faces the same challenge: what some people view as risky, others see as harmless. But unlike transportation statistics, most organizations don’t have data that allows them to rationalize and compare vulnerability risk on a level playing field. 


Finding a common language of risk

This leads to conflict between the security teams tasked with identifying risks and the IT operations teams tasked with patching them. The typical organization has the capacity to patch just one out of every ten vulnerabilities on its systems. But when there is no way to talk rationally about risk, just about everything seems risky, and so there are demands to patch far more than the organization has the capacity for.

In the previous blog post in this series, we talked about the ways data science can quantify the risk of vulnerabilities, giving organizations a common, data-driven language to discuss risk. 

Companies can use risk-based vulnerability management to drive down risk across the organization. If you have a tool that identifies and quantifies risk, you can identify the riskiest vulnerabilities and prioritize them.  

But modern vulnerability management goes even further, because it realigns the organization’s overall approach to risk by evaluating and measuring risk across the full IT stack. Modern vulnerability management accounts for every vulnerability, across every segment of the network, and uses data science to distill that information through a single, easy-to-understand lens. 

Reducing conflict with modern vulnerability management

So let’s talk about what happens when an organization starts using the lingua franca of risk-based vulnerability management. 

To begin with, the number of vulnerabilities that IT needs to patch declines dramatically. While organizations have the capacity to patch one in ten vulnerabilities, our research shows that just 5 percent of vulnerabilities present a true danger to the organization. 

And that reduces conflict. Why? For one, there is very little to argue about when the data science behind the risk scores is clear and transparent. With a holistic view of risk, everyone knows what the next best action is.

IT operations teams, for example, know which vulnerabilities they need to prioritize and why they should be the priority — they are looking at the same data the security team is looking at. Many Kenna Security customers adopt an IT self-service approach, with security teams providing oversight and handling exceptions. 

In fact, I was speaking with the head of cybersecurity of a major financial institution recently, and he told me that he hadn’t logged into Kenna.VM in months. I was a little worried about the direction this conversation was taking, when he told me that their IT teams were logging in and proactively patching their own systems on a day-to-day basis. He just didn’t need to log in because he wasn’t really part of the day-to-day process anymore.

Making time for higher value initiatives

Modern vulnerability management isn't just about making life easier for the security team. It is also about reducing the amount of time that IT spends patching, which means more time to devote to other, higher-value initiatives. These are benefits of modern vulnerability management, but they aren't the overarching theme.

By aligning the stakeholders around a common ground truth, it is possible to know exactly what the organization's risk is, and to communicate that to board members, non-technical executives, and even regulators. When Kenna Security developed risk-based vulnerability management, a rational, manageable approach was the end goal that we envisioned. But as you'll see in the next blog post, it didn't end there. Our customers exceeded our wildest expectations. As a result, we needed to adapt our product further to create a new stage of modern vulnerability management maturity.

To learn more about modern vulnerability management and to see where you are on the maturity curve, talk to one of our experts.
