Executive Summary

Prioritization to Prediction

Volume 3: Winning the Remediation Race

Vulnerability remediation efforts can often feel like a never-ending treadmill of patch and repeat.

Are security and IT teams forever destined to play a game of vulnerability whack-a-mole in their efforts to defend their organization against an increasingly complex cybersecurity landscape? How is progress measured? What does winning look like?

Prioritization to Prediction, Volume 3: Winning the Remediation Race, aims to discover (1) how quickly and (2) how many vulnerabilities a given organization can handle, answering two key questions: Can organizations remediate all of the new vulnerabilities in their environments? If not, can organizations remediate all of the new High-Risk vulnerabilities in their environments?

KEY FINDING

Factors in the Remediation Race

  • Nearly 300 Companies with over 2 billion vulnerabilities

  • High-Risk Vulns are Remediated almost twice as fast as the rest.

  • Bigger Organization, Bigger Problems — Remediation Velocity to close 50% of Vulnerabilities: Small (63 days), Medium (70.5 days), Large (90.5 days)

KEY FINDING

Who Wins The Race

  • Top Performers remediate vulnerabilities 3X faster than the average

  • Remediation Velocity for known exploits — Top Performers remediate 75% in 77 days, Others remediate 75% in 248 days

  • Top Performing Industries — Oil/Gas/Energy, Banking, and Transportation

  • Top Performers by Size — Small (42%), Medium (36%), Large (22%)

KEY FINDING

A New Theory of Remediation Capacity

  • Remediation Capacity measures the proportion of open to closed vulnerabilities per month.

  • Organizations regardless of size or industry have the capacity to patch 1 in 10 vulnerabilities.

  • The Top Performers can buck this trend and patch 2.5 times more than the average organization.

  • Net Remediation Capacity of High-Risk Vulnerabilities — Half of Organizations are Falling Behind, ⅙ Are Maintaining Pace, ⅓ Are Gaining Ground on Vulnerabilities

Conclusion

Can organizations remediate all new vulnerabilities in their environments?

No. While small businesses perform better than the average, they likely lack the resources to patch all of their vulnerabilities. Larger enterprises have far greater resources, but it’s still not enough to keep up with ballooning technical debt and exponentially increasing infrastructure complexity.

Can organizations remediate all of the new High-Risk vulnerabilities in their environments?

YES! But you’ll have to read the full report to get the details.