The challenge lies in the sheer volume of interconnected factors at play: How should businesses measure success? Which vulnerabilities should be prioritized? How quickly do patches need to be applied? How many vulnerabilities can be patched? Does increasing budgets decrease risk?
We’ve come a long way towards answering the above questions in the first three volumes of our Prioritization to Prediction research series (links below), and now we’re looking at the practices of real enterprise vulnerability management programs to measure how they affect the success (or failure) of vulnerability remediation efforts.
Prioritization to Prediction, Volume 4: Measuring What Matters in Remediation, combines qualitative survey data on enterprise vulnerability management practices with quantitative measures of actual remediation performance to reveal the business factors that contribute to high-performing vulnerability management programs.
Companies that gave themselves higher VM maturity ratings had strong remediation performance across almost all measures, seeing a significant correlation with better coverage, velocity, and capacity to address the vulnerabilities in their environments.
Enterprises that had VM responsibilities split between different internal organizations cut their average time to remediate vulnerabilities by a month and a half and were less likely to be falling into vulnerability debt.
Prioritizing remediation efforts based on compliance requirements correlates with lower coverage of high-risk vulnerabilities, and using Common Vulnerability Scoring System (CVSS) scores resulted in slower resolution.
Companies that employed centralized patch management tools over a majority of their infrastructure addressed 20% more high-risk vulnerabilities, had a 10% increase in accuracy targeting the riskiest vulnerabilities, and were able to handle 22% more vulnerabilities than those that did not.
There are some clear characteristics that factor heavily into increased performance for successful VM programs. Some are relatively intuitive, like leveraging tools and automation to guide the process. Others are less obvious, like balancing compliance requirements against the reduction in vulnerability coverage they impose. And yet others are reassuring: a higher program maturity does indeed result in significantly better outcomes.
To learn more, please download the full report.
Catch up on our prior volumes:
Prioritization to Prediction, Volume 4: Measuring What Matters in Remediation provides a novel analysis of survey factors against actual performance outcomes. The summary at the end of the report is a useful recap of the findings, but more than that, it can serve as a list of data-driven recommendations as enterprises look to lower their risk.