Most security leaders feel their programs are mature, but data reveals otherwise
84% of security and IT leaders feel their enterprise programs are mature, but a deeper dive reveals a major disconnect between perception and reality, Vulcan Cyber reveals.
“We already know most enterprise programs are immature – we see it every day in the field. What caught us off guard was that the vast majority of respondents felt otherwise,” said Yaniv Bar-Dayan, CEO of Vulcan Cyber.
“Given the amount of breaches caused by known, unpatched vulnerabilities, that reveals a surprising disconnect that merits a closer look. So we mapped the survey data to our maturity model – the only way to raise the bar for vulnerability management is to show IT leaders how to transition their programs from managing vulnerabilities to remediating them.”
Key research findings
- The most mature elements of enterprise vulnerability management programs are vulnerability scanning (72%), followed by the effective use of vulnerability remediation tools (49%) and vulnerability prioritization (44%).
- The three least mature elements are orchestrated, collaborative remediation (48%), continuous, automated remediation (48%) and business alignment around cyber hygiene objectives (31%). This indicates that vulnerability management processes are siloed, ad hoc and inefficient, calling into question their ability to produce outcomes that actually remediate vulnerabilities and secure IT.
- 89% of security and IT teams say they spend at least some time collaborating with cross-functional teams to remediate vulnerabilities, with 42% reporting that they spend “a lot” of time, or even “too much” (7%), every week working with other teams. A notable 83% of the companies that said they spend too much time collaborating with other teams have 500-1,000 employees.
- Roughly 50% of IT and security teams share responsibility for key remediation functions (identifying vulnerabilities, prioritization, crafting remediation strategies, deploying patches and remedies, etc.), revealing an opportunity to facilitate more effective and efficient collaboration by clearly defining the division of labor.
“Vulnerability scanning and prioritization are essential functions, but they are the bare minimum – not what constitutes a mature program,” Bar-Dayan continues.
“In our experience, program bottlenecks are further along in the remediation lifecycle, stemming from inefficient cross-team collaboration. Changing that requires organizations to update and automate their remediation processes. It’s a serious undertaking, but one that transforms vulnerability management programs into a powerful lever for shrinking security debt and strengthening the company’s security posture.”