Are security and IT teams forever destined to play a game of vulnerability whack-a-mole in their efforts to defend their organization against an increasingly complex cybersecurity landscape? How is progress measured? What does winning look like?
Prioritization to Prediction, Volume 3: Winning the Remediation Race aims to discover (1) how quickly and (2) how many vulnerabilities a given organization can handle, answering two key questions: Can organizations remediate all of the new vulnerabilities in their environments? If not, can organizations remediate all of the new High-Risk vulnerabilities in their environments?
Nearly 300 Companies with over 2 billion vulnerabilities
High-Risk Vulns are Remediated almost twice as fast as the rest.
Bigger Organization, Bigger Problems — Remediation Velocity to close 50% of Vulnerabilities: Small (63 days), Medium (70.5 days), Large (90.5 days)
Top Performers remediate vulnerabilities 3X faster than the average
Remediation Velocity for known exploits — Top Performers remediate 75% in 77 days, Others remediate 75% in 248 days
Top Performing Industries — Oil/Gas/Energy, Banking, and Transportation
Top Performers by Size — Small (42%), Medium (36%), Large (22%)
Remediation Capacity measures the proportion of open to closed vulnerabilities per month.
Organizations, regardless of size or industry, have the capacity to patch 1 in 10 vulnerabilities.
The Top Performers can buck this trend and patch 2.5 times more than the average organization.
Net Remediation Capacity of High-Risk Vulnerabilities — Half of Organizations are Falling Behind, ⅙ Are Maintaining Pace, ⅓ Are Gaining Ground on Vulnerabilities
Can organizations remediate all new vulnerabilities in their environments?
No. While small businesses perform better than the average, they likely lack the resources to patch all of their vulnerabilities. Larger enterprises have far greater resources, but these are still not enough to keep up with ballooning technical debt and exponentially increasing infrastructure complexity.
Can organizations remediate all of the new High-Risk vulnerabilities in their environments?
YES! But you’ll have to read the full report to get the details.