Five Years In, RBVM Has Shifted Into Overdrive
Just about five years ago, I posted my first blog as this company’s freshly minted CEO. If you read it, you can sense I was excited about the team I came here to lead, and doubly so for the future we were building.
In a triumph of brevity, I needed just 383 words to offer four predictions and observations about the state of security and where it was headed. How did those hold up five years later? Let’s take a look.
Security Breaches are Becoming Increasingly Frequent
2014: Non-stop news accounts of the latest hacker attacks have led to record security spending—a whopping $46 billion.
Today: What all of us saw in 2014 has only intensified. Security breaches have become so frequent, so far-reaching and so costly that only the largest seem to register as news. For individual organizations, the question isn’t whether an attack is coming, but when. In response, spending on security products and services will reach $124 billion this year—and a total of $1 trillion from 2017 to 2021. While Kenna Security’s research shows that most companies end each day with more high-risk vulnerabilities than they started with, that same research shows that only a very small percentage (2-5 percent) of vulnerabilities ever get exploited in the wild. Which means that companies that focus on the right vulnerabilities, the ones that pose the greatest risk, will be able to stay ahead of attackers.
Focusing on the Right Data
2014: Companies commonly deploy an array of technologies that individually protect networks, applications and clients. But this patchwork introduces silos of information. SIEM promises to unify disparate data sources, but it only creates data oceans that prevent today’s tools from producing actionable insight.
Today: When I joined Kenna, the industry was obsessed with gathering as much data as possible. At that moment of “peak data,” SIEM was viewed as the answer to marry all of it into something useful. We saw another path. Our approach was to focus only on data that would tell enterprises which vulnerabilities pose the greatest risk, since the average enterprise has 40 million of them. We work with third-party data sources to create custom data streams that winnow out unnecessary metadata and train our machine learning prediction algorithms with only useful information. A lot of data is a good thing, but it needs to be the right data, otherwise it can easily get overwhelming.
I also realized early on that locking data in silos does no favors for your security posture. But I don’t know that I quite realized that it went beyond the technology. What changed? I realized that our customer base comes almost as much from the IT side as from the security side, and that the solutions we had at Kenna could also help communication across silos. After all, cybersecurity is a team sport, and it was time to get everyone onto the field.
Accelerating Time To Value
2014: Low time to value is a key tenet if we expect broad adoption.
Today: This not only was a business imperative for Kenna Security; it was also a design directive. By 2014, enterprises had grown accustomed to rapid ROI from cloud solutions like Salesforce. They expected the same from cloud security solutions. We’ve worked diligently for the past five years to ensure we live up to that expectation. That hard work has paid off. Today, we can have a proof of concept implementation up and running in an hour. And we can have all a company’s data ingested and processing within 48 hours, sometimes sooner. But what about time and risk savings? How does the use of the Kenna platform impact an organization’s ability to determine which vulnerabilities warrant action and patch those which pose the highest risk faster? On average, we reduce the time to patch the riskiest vulnerabilities by more than 40 days, compared to other strategies including CVSS.
The Importance of Risk-Based Prioritization
2014: Laying the foundation for change is never easy.
Today: The burden of reframing the conversation around new ideas comes with being an industry pioneer. We spent my first four years at Kenna educating the market about the challenges of vulnerability management—and the crucial element of risk-based prioritization that enterprises were missing from their defenses, even if most didn’t quite see it yet. Every chance we got, we explained and demonstrated the value of risk-based vulnerability management (RBVM).
All that effort has produced results. RBVM has become an industry-standard term. And the market has new entrants, including offerings from established providers like Tenable and Microsoft. The momentum we’re seeing as a solution provider in this space—from being named an Inc 5000 company for 2019 with three-year revenue growth of 1,045 percent, to innovation awards from SINET and SC Media—signals that we’ve arrived as a company just as the industry itself has arrived.
I Can’t Wait To See What the Next Five Years Will Bring
It’s an exciting time to be in this space. More organizations are recognizing the value of RBVM, and analyst firms and influencers are acknowledging the efficiencies and risk reduction that come from prioritizing your riskiest vulnerabilities. Healthy competition will only drive us to further innovation.
Our task now is to demonstrate why Kenna Security is the enterprise market leader for a reason. To prove why, as other providers struggle to catch up, a “good enough” RBVM solution is nowhere near good enough. And to show that, without a doubt, the future of vulnerability management will be risk-based.
Request a demo with the enterprise market leader in risk-based vulnerability management and see the future of vulnerability management.