Despite hardworking vulnerability management teams, unpatched vulnerabilities remain. A typical organization has tens of thousands of open vulnerabilities—and that number continues to grow.
But why? What makes vulnerability management so difficult to do well?
In this article, we’ll examine the six most pressing challenges, and explain what vulnerability management teams really need to overcome them.
The Top Challenges Facing Vulnerability Management Teams
#1 Incomplete asset inventory
Every IT professional understands the importance of an accurate, current register of digital assets. Perhaps the most common form—the Configuration Management Database, or CMDB—has been a feature of the globally-used ITIL framework since the 1980s. Unfortunately, keeping an up-to-date Configuration management database (CMDB) was tough back then, and today it’s a tremendous challenge.
You can only scan and patch what you can see. With complex environments and shadow IT, many organizations don’t fully grasp the extent of their attack surface. This poses a huge risk. If some assets are unknown, they may also be unpatched and potentially vulnerable—which, as we’ve seen, can create an easy entry point for an attacker.
#2 Overwhelming scope
According to IBM, the average organization with 1,000+ employees identifies 779,935 vulnerabilities when running a scan. Over any six months, roughly 28% of these remain unmitigated—and as a result, these organizations have an average backlog of 57,555 identified vulnerabilities.
These numbers are insane. Today’s vulnerability management teams face an impossible challenge, as there is simply no way to patch this many vulnerabilities with the resources available.
#3 Prioritizing vulnerabilities
If you can’t do everything, the solution is to prioritize.
The Common Vulnerability Scoring System (CVSS) is the most widely used scoring system for vulnerability risk. It assesses vulnerabilities on a five-tiered scale from ‘None’ to ‘Critical.’ However, CVSS scores are generic and don’t explain the risk a vulnerability poses to a specific organization—what’s critical for one organization could be negligible for another.
This creates a challenge for prioritization. In practice, even the list of critical vulnerabilities identified by a scan is often too long to fully address. Meanwhile, vulnerabilities could be overlooked due to low CVSS scores that actually pose a significant risk to their organization.
#4 Manual processes and lack of automated response
Many of the processes surrounding vulnerability prioritization and remediation are manual, making them difficult to scale and prone to human error. Patching, in particular, is slow and arduous and often requires time-consuming back-and-forth communication between the VM team, asset owners, and other stakeholders before the patching process can even begin.
When patching does begin, it’s typically a manual process where VM teams are forced to start from scratch for each new vulnerability. With limited integration between security and IT tools—and often no automation —the process is inefficient and labor-intensive. In fact, according to a recent research study, Forrester determined that 61% of security practitioners find it extremely challenging to automate incident response playbooks.
#5 Monitoring and reporting
Keeping a record of vulnerability management processes and KPIs is essential, but it’s tough to do reliably and thoroughly when everything is manual. Organizations can (and do) define processes to record activities and outcomes, but there will always be gaps in manual recording, and these activities add even more manual work to an already arduous process.
IBM found only 27% of organizations have visibility into the vulnerability management life cycle because keeping track of vulnerability identification, prioritization, and remediation manually is a huge challenge. As a result, many organizations have limited visibility of their past and present vulnerability remediation activities, making it difficult to truly understand vulnerability risk or investigate possible mistakes.
#6 Lack of human resources
The omnipresent cybersecurity skills gap leaves no team unhindered, and vulnerability management is among the hardest hit. With an endless workload and many manual processes, teams are always playing catch-up—and it’s only a matter of time until an unpatched vulnerability is exploited.
What’s Needed for Better Vulnerability Management?
In its 2021 Data Breach Investigations Report, Verizon claims the mantra for vulnerability management should be smarter, not harder. VM teams need help from technology to find and fix the highest-risk vulnerabilities while discarding false positives and low-impact results. This will reduce vulnerability risk and relieve some of the overwhelming burden vulnerability management teams face.
As Verizon puts it:
“Anything you can do to avoid patching vulnerabilities that do not improve your security keeps you just as secure but involves much less work (and less chance of burnout from your employees).”
Today, Vulnerability management teams need four things:
- An accurate asset inventory that provides complete visibility of their environment.
- Fast, intelligence-led prioritization of vulnerabilities that threaten their organization.
- Continuous monitoring of the vulnerability management process and outcomes.
- Comprehensive automation and orchestration to reduce effort and improve outcomes.
With greater visibility, accurate prioritization, enhanced monitoring and audit, and more orchestration and automation support, VM teams can dramatically reduce the risk of unpatched vulnerabilities.
Uplevelling Vulnerability Management for 2023 (and Beyond)
So how can teams obtain the capabilities they need to meaningfully reduce vulnerability risk?
To answer this question, we’ve released a new white paper:
Download the white paper today to learn how your organization can orchestrate a comprehensive vulnerability identification, prioritization, and remediation program based on your specific risk profile—while dramatically reducing the manual burden on your vulnerability management team.
Read the white paper to learn:
- The four essential requirements for risk-based vulnerability management, and how they combine to drastically improve security outcomes.
- How to unify security and IT operations tools, allowing teams to more effectively identify, prioritize, and remediate vulnerabilities.
- How Cyber Fusion can help teams accurately prioritize vulnerabilities, eliminate false positives, decrease manual burden, and reduce vulnerability risk.