Vulnerability Management Maturity Part One: Growing Pains

Aug 13, 2020
Jason Rolleston
Chief Product Officer

Share with Your Network

The coming-of-age story is a mainstay of the movies. We all love them, perhaps because they feel so familiar. A protagonist faces some sort of dilemma and gets knocked around a bit. There’s a bit of a learning period, and then, the child becomes an adult. 

As metaphors go, the coming-of-age story is a pretty good one for modern vulnerability management programs. In the beginning, there’s chaos. Your organization is getting knocked around by a million vulnerabilities – Cobra Kai is on your tail, so to speak. 

But then, the protagonist meets a kindly karate instructor that teaches discipline and technique. 

To extend the metaphor, data provides the discipline and technique that turn adolescent vulnerability management programs into grownups.  

But nobody becomes a grownup overnight. There’s a long period of growth that comes from using new tools and techniques. 

This is the first of a four-part series on what we like to call the four stages of vulnerability management maturity.

Mindset shift


Because just as children never really know what adulthood will look and feel like, we’ve discovered that the hallmarks of a fully mature vulnerability management program are somewhat different from what we imagined. When we started, we thought that big companies would just use our data and our tools, lower their risk, and live happily ever after. In other words, what we thought was the end of the story was really the training montage. Over the years, however, we saw something different happen inside our customers’ organizations. And that meant we had to work with them to shift performance indicators, align incentives, and help restructure the relationship between security and IT operations. 

The first stage, chaos


So let’s start at the beginning. The first stage of vulnerability management is, for the most part, toddler-time. It’s chaos. The organization faces millions of vulnerabilities, and there’s a widespread (though erroneous) belief that any one of them could be the entry point for a group of hackers that can cause massive damage. Despite the overwhelming size of the problem, most organizations have, on average, the capacity to fix just one out of every ten vulnerabilities. 

What follows isn’t pretty. IT operations – usually tasked with patching vulnerabilities –  and security – whose job it is to assess the severity of vulnerabilities – spend a lot of time fighting over which vulnerabilities to patch and how much time IT should spend on these issues. In some organizations, there’s an additional layer of conflict as varying stakeholders, such as those in finance, sales, or operations begin to argue that their systems require more protection than others. Regulatory issues and compliance with industry standards drive decision-making as well, and not for the better. Too often, companies end up patching vulnerabilities that aren’t dangerous at all.

Sisyphus and the impossible task


Companies in this stage often believe vulnerability management to be a task similar to that of Sisyphus from Greek mythology; a difficult, stressful, and painful exercise that is doomed to failure. Just as Sysphus would never complete his task of rolling the boulder up the mountain, organizations cannot eliminate all vulnerabilities and those chartered with doing so end up suffering away with no hope of victory or respite. Pretty brutal right?

Leveling up your VM


Growing out of this stage means turning to a different set of data. While most organizations only have capacity to patch one out of every 10 vulnerabilities, just 4 percent of vulnerabilities actually pose a threat to the organization

In other words – most organizations have more than enough capacity. What they don’t have is data that tells them which vulnerabilities are actually dangerous. And so begins the journey to modern vulnerability management.


To learn more about Modern Vulnerability Management and see where you are in the maturity curve talk to one of our experts.

Read the Latest Content

Research Reports

Prioritization to Prediction Volume 5: In Search of Assets at Risk

The fifth volume of the P2P series explores the vulnerability risk landscape by looking at how enterprises often view vulnerabilities.

5 Things Every CIO Should Know About Vulnerability Management

If you view vulnerability management (VM) as just a small part of your operation, it might be time to take another look.  Managing vulnerabilities is...



Get Started Using the Exploit Prediction Scoring System (EPSS).

Cyentia Institute’s Chief Data Scientist and Founder Jay Jacobs gives tips on how to get started using the Exploit Prediction Scoring System (EPSS). You...

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.