
The State of Risk-Based Vulnerability Management in 2021

Mar 30, 2021
Ed Bellis
Chief Technology Officer, Co-founder


Being the first at something means that you have something to prove.

The proof keeps coming.

At Kenna Security, we pioneered the strategy of risk-based vulnerability management (RBVM) in an effort to modernize one of cybersecurity’s foundational disciplines. And today, we’re releasing some year-to-year comparisons of our customers’ results.

Good news: the data shows that Kenna customers are getting faster and smarter about vulnerability management.

We should state up front that there is some bias in the data. Since this dataset is made up entirely of Kenna Security customers, it is fair to assume they have already agreed that a risk-based approach to vulnerability management is the right way to go.

Coverage and efficiency


When we evaluate the success of our customers, we tend to look at four broad metrics: coverage and efficiency (these two are intertwined), velocity, and remediation capacity. Together, these metrics provide a comprehensive window into the results of our customers’ VM programs.

There’s a relatively easy way to think about coverage and efficiency. Coverage is the percentage of the existing high-risk vulnerabilities that a company has eliminated from its systems. In other words, “if you have 100 high-risk vulnerabilities, how many did you fix?” Efficiency measures something slightly different: the ratio of high-risk to non-high-risk vulnerabilities among those a company has patched. In other words, “if you fix 100 vulnerabilities, how many of them were actually high risk?”

Each dot on the charts above represents a single company. A dot that is higher represents a company that is more efficient than one below it; a dot that is farther to the right represents a company with better coverage.

As you can see from the two charts, not only are more companies adopting risk-based vulnerability management, but many more companies have moved higher and farther to the right. That’s good news.

Velocity

Now let’s look at velocity. 

Typically, companies measure vulnerability remediation through a metric known as mean time to remediation (MTTR). That metric, while important, only counts vulnerabilities that companies have closed; it ignores the vulnerabilities left open.

Instead, we use a survival analysis to look at how long it takes to remediate half of the instances of a vulnerability in the system. It’s represented in these charts: the shaded area under the curve represents vulnerabilities that have not been remediated, and over time the shaded area gets smaller.

Essentially, the steeper the curve, the faster a company is at vulnerability remediation. As you can see, companies are getting faster. The time it took companies to reach the 50 percent mark last year was more than 158 days. This year, it was 27 days.
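To make the coverage, efficiency and velocity definitions above concrete, here is an added example (not Kenna’s code, and not its scoring model) that computes all three over a constructed set of vulnerability instances, using a Kaplan-Meier survival estimate for the “time to remediate half” figure. The risk labels, day numbers and observation window are assumed sample values; the point it shows is that MTTR looks fine on a stalled program because open instances never enter it, while the survival-based half-remediation time correctly never arrives.

```python
from fractions import Fraction

# Constructed sample: (risk, day_opened, day_closed or None), observed through day 60.
OBSERVED_UNTIL = 60
VULNS = [
    ("high", 0, 5), ("high", 0, 12), ("high", 3, 30), ("high", 10, None),
    ("high", 20, None), ("low", 0, 2), ("low", 1, 4), ("low", 2, 6),
    ("low", 5, 9), ("low", 7, None),
]
# Constructed second sample: two quick fixes, eight high-risk instances still open.
STALLED = [("high", 0, 1), ("high", 0, 3)] + [("high", d, None) for d in range(8)]

def coverage(vulns):
    """Of the high-risk instances present, what fraction was fixed?"""
    high = [v for v in vulns if v[0] == "high"]
    return sum(v[2] is not None for v in high) / len(high)

def efficiency(vulns):
    """Of the instances fixed, what fraction was actually high-risk?"""
    fixed = [v for v in vulns if v[2] is not None]
    return sum(v[0] == "high" for v in fixed) / len(fixed)

def mttr(vulns):
    """Mean time to remediation: closed instances only, so open ones never count."""
    days = [closed - opened for _, opened, closed in vulns if closed is not None]
    return sum(days) / len(days)

def survival_curve(vulns, observed_until):
    """Kaplan-Meier estimate of the fraction still open, by days since discovery.
    Open instances are right-censored at observed_until instead of being dropped."""
    events = sorted(((closed - opened, True) if closed is not None
                     else (observed_until - opened, False))
                    for _, opened, closed in vulns)
    surviving, at_risk, curve, i = Fraction(1), len(events), [], 0
    while i < len(events):
        day, closed, censored = events[i][0], 0, 0
        while i < len(events) and events[i][0] == day:
            closed += events[i][1]          # remediated on this day
            censored += not events[i][1]    # still open at end of observation
            i += 1
        if closed:
            surviving *= Fraction(at_risk - closed, at_risk)
            curve.append((day, surviving))
        at_risk -= closed + censored
    return curve

def days_to_half_remediated(vulns, observed_until):
    """First day on which half of the instances have been fixed; None if never reached."""
    for day, open_fraction in survival_curve(vulns, observed_until):
        if open_fraction <= Fraction(1, 2):
            return day
    return None
```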

Capacity

Last, let’s look at capacity.

[Chart: net remediation of high-risk vulnerabilities across companies, year over year]

These charts are a little more straightforward. They group companies according to their ability (or inability) to reduce the number of vulnerabilities on their systems over the course of a month. Keep in mind that, much like the other measures, risk feeds this metric: we prefer to look at capacity as how many high-risk vulnerabilities an organization can remediate in a given time frame.

Vulnerability management is an overwhelming problem, and lots of companies struggle to keep up. Last year, about two-thirds of companies reduced their vulnerability debt or were treading water. This year, that number rose to 71 percent.

Within the data, there’s a bit of ambiguity: the percentage of companies that reduced vulnerability debt declined, while the percentage treading water increased. Regardless, a smaller percentage of companies were losing ground year-over-year.

Vulnerability management can be a major challenge for organizations no matter their size, but our data shows that market-shifting changes can be made in as little as a few years. In all, it’s an extremely positive outlook, powered by risk-based vulnerability management.

To see how Kenna’s RBVM platform can help you reduce your risk, book a demo today.
