Executive Summary

Prioritization to Prediction

Volume 4: Measuring What Matters in Remediation

Discovering the factors at play in successful vulnerability management is an extremely complex endeavor.

The challenge lies in the sheer volume of interconnected factors at play: How should businesses measure success? What vulnerabilities should be prioritized? How quickly do patches need to be applied? How many vulnerabilities can be patched? Does increasing budgets decrease risk?

We’ve come a long way toward answering the above questions in the first three volumes of our Prioritization to Prediction research series (links below), and now we’re looking at the practices of real enterprise vulnerability management programs to measure how they affect the success (or failure) of vulnerability remediation performance.

Prioritization to Prediction, Volume 4: Measuring What Matters in Remediation, combines qualitative survey data on enterprise vulnerability management practices with quantitative measures of actual remediation performance to reveal the business factors that contribute to high-performing vulnerability management programs.


Maturity is the single biggest success factor for Vulnerability Management (VM).

  • Companies that gave themselves higher VM maturity ratings had strong remediation performance across almost all measures, seeing a significant correlation with better coverage, velocity, and capacity to address the vulnerabilities in their environments.


The structure of your VM teams matters.

  • Enterprises that had VM responsibilities split between different internal organizations cut their average time to remediate vulnerabilities by a month and a half and were less likely to fall into vulnerability debt.


Compliance and common vulnerability scoring can hinder performance.

  • Prioritizing remediation efforts based on compliance requirements correlates with lower coverage of high-risk vulnerabilities, and using Common Vulnerability Scoring System (CVSS) scores resulted in slower resolution.


Patch and vulnerability management tools are keys to coverage, capacity, and velocity.

  • Companies that employed centralized patch management tools over a majority of their infrastructure addressed 20% more high-risk vulnerabilities, had a 10% increase in accuracy targeting the riskiest vulnerabilities, and were able to handle 22% more vulnerabilities than those that did not.


Some clear characteristics factor heavily into increased performance for successful VM programs. Some are relatively intuitive, like leveraging tools and automation to guide the process. Others are more obscure, like balancing compliance requirements with the degradation imposed on vulnerability coverage. Still others are reassuring, such as knowing that higher program maturity does indeed result in significantly better outcomes.


To learn more, please download the full report.

Catch up on our prior volumes:

Prioritization to Prediction, Volume 1: Analyzing Vulnerability Remediation Strategies

Prioritization to Prediction, Volume 2: Getting Real About Remediation

Prioritization to Prediction, Volume 3: Winning the Remediation Race

Prioritization to Prediction, Volume 4: Measuring What Matters in Remediation provides a novel analysis of survey factors against actual performance outcomes. The summary at the end of the report gives a great overview of these findings and, more than that, can serve as a list of data-driven recommendations as enterprises look to lower their risk.