
The State of Risk-Based Vulnerability Management in 2021

Mar 30, 2021
Ed Bellis
Chief Technology Officer, Co-founder


Being the first at something means that you have something to prove.

The proof keeps coming.

At Kenna Security, we pioneered the strategy of risk-based vulnerability management (RBVM) in an effort to modernize one of cybersecurity’s foundational disciplines. And today, we’re releasing some year-to-year comparisons of our customers’ results.

Good news: the data shows that Kenna customers are getting faster and smarter about vulnerability management.

We should state up front that there is some bias in the data. Since this dataset is made up entirely of Kenna Security customers, it is fair to assume they have already agreed that taking a risk-based approach to vulnerability management is the right way to go.

Coverage and efficiency


When we evaluate the success of our customers, we tend to look at four broad metrics: coverage & efficiency (these two are intertwined), velocity, and remediation capacity. Together, these metrics provide a comprehensive window into the results within our customers’ VM programs. 

There’s a relatively easy way to think about coverage and efficiency. Coverage is basically the percentage of existing high-risk vulnerabilities a company has eliminated from its systems. In other words, “if you have 100 high-risk vulnerabilities, how many did you fix?” Efficiency measures something slightly different. It is the ratio of high-risk to non-high-risk vulnerabilities that a company has patched. In other words, “if you fix 100 vulnerabilities, how many of them were actually high risk?”

Each dot on the charts above represents a single company. A dot that is higher represents a company that is more efficient than one below it. A dot that is farther to the right represents a company that has better coverage. 

As you can see from the two charts, not only are more companies adopting risk-based vulnerability management, many more companies have moved higher and farther to the right. That’s good news. 
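To make the two definitions concrete, here is an added example (not Kenna's code) that computes coverage and efficiency over a constructed backlog and compares the same remediation budget spent in scan order versus high-risk first; the `Vuln` record, the one-in-five high-risk mix and the budget of 200 fixes are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    high_risk: bool       # risk score above the organisation's threshold
    closed: bool = False  # remediated within the observation window

def coverage(vulns: Iterable[Vuln]) -> float:
    """Share of all high-risk vulns (open or closed) that were remediated."""
    high = [v for v in vulns if v.high_risk]
    return sum(v.closed for v in high) / len(high) if high else 0.0

def efficiency(vulns: Iterable[Vuln]) -> float:
    """Share of remediated vulns that were actually high risk."""
    done = [v for v in vulns if v.closed]
    return sum(v.high_risk for v in done) / len(done) if done else 0.0

def remediate(vulns: List[Vuln], budget: int, risk_based: bool) -> List[Vuln]:
    """Close `budget` vulns: in scan order, or high-risk first (stable sort)."""
    order = sorted(vulns, key=lambda v: not v.high_risk) if risk_based else vulns
    chosen = {v.vuln_id for v in order[:budget]}
    return [Vuln(v.vuln_id, v.high_risk, v.vuln_id in chosen) for v in vulns]

def sample_backlog() -> List[Vuln]:
    """Constructed backlog: 500 findings in scan order, one in five high risk."""
    return [Vuln(f"V{i:04d}", high_risk=(i % 5 == 0)) for i in range(500)]

def compare(budget: int = 200) -> Dict[str, Tuple[float, float]]:
    """Same remediation budget, two prioritisation strategies."""
    backlog = sample_backlog()
    results = {}
    for label, risk_based in (("scan_order", False), ("risk_based", True)):
        after = remediate(backlog, budget, risk_based)
        results[label] = (round(coverage(after), 2), round(efficiency(after), 2))
    return results

if __name__ == "__main__":
    for label, (cov, eff) in compare().items():
        print(f"{label:11s} coverage={cov:.0%} efficiency={eff:.0%}")
```

With the same 200 fixes, scan order lands at 40% coverage and 20% efficiency, while fixing high-risk first reaches 100% coverage and 50% efficiency, which is the "higher and farther right" movement the charts describe.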


Now let’s look at velocity. 

Typically, companies measure vulnerability remediation through a metric known as mean time to remediation. That metric, while important, only looks at vulnerabilities that companies have closed, and it doesn’t look at vulnerabilities left open. 

Instead, we use a survival analysis to look at how long it takes to remediate half of the instances of a vulnerability in the system. It’s represented in these charts. The shaded area under the curve is the vulnerabilities that have not been remediated. Over time, the shaded area gets smaller.

Essentially, the steeper the curve, the faster a company is at vulnerability remediation. As you can see, companies are getting faster. The time it took companies to reach the 50 percent mark last year was more than 158 days. This year, it was 27 days. 


Last, let’s look at capacity.

[Figure: comparison of net remediation of high-risk vulnerabilities among firms]


These charts are a little more straightforward. They group companies according to their ability (or inability) to reduce the number of vulnerabilities on their systems over the course of a month. Keep in mind that, much like the other measures, risk feeds this metric. In other words, we prefer to look at capacity by how many high-risk vulnerabilities an organization can remediate in a given time frame.

Vulnerability management is an overwhelming problem, and lots of companies struggle to keep up. Last year, about two-thirds of companies reduced their vulnerability debt or were treading water. This year, that number rose to 71 percent. 

Within the data, there’s a bit of ambiguity. The number of companies that reduced vulnerability debt declined, while the percentage of companies treading water increased. Regardless of this, a smaller percentage of companies were losing ground year-over-year. 

Vulnerability management can be a major challenge for organizations no matter their size, but our data shows that market-shifting changes can be made in as little as a few years. In all, it’s an extremely positive outlook, powered by risk-based vulnerability management.

To see how Kenna’s RBVM platform can help you reduce your risk, book a demo today.
