CRA Survey: To Improve Vulnerability Management, Organizations Turn Inward

Respondents focus less on attacks from the outside and more on the home turf failures that allow attacks to succeed in the first place

New York, NY, July 6, 2023 – Organizations are increasingly turning inward in their quest to improve vulnerability management. They understand that their own failures are a bigger threat than those who would attack from the outside, according to 210 security and IT leaders and executives, practitioners, administrators, and compliance professionals surveyed by CyberRisk Alliance in April 2023.  

“We’re on a mission to try and remove obsolete technology from our organization, but we’re bad at retiring and rationalizing solutions,” said one respondent. “And so our strategy over the next few years is to really tackle that.”

Among the key takeaways:

• Business planning and sound policies should be integral to vulnerability management. Respondents repeatedly mentioned pain points related to organizational growth, asset management, and getting buy-in from both upper management and end users. As one respondent voiced, “our organization has grown significantly in the last 3 years. With 40,000 colleagues and 13 organizations coming together, the process can be slow and different across each entity, which requires more time and resources to remediate.”
• Legacy systems have prevented some from patching vulnerable tech. Just 51% approve of how their org has decommissioned old IT to ensure proper patch management. In addition to vulnerabilities, poor configuration of systems has multiplied false positives and alerts some organizations struggle to keep up with.
• There’s no “one way” to manage vulnerabilities. Respondents showcase different methods for tracking vulnerabilities and coordinating security updates. For example, 54% use a dedicated VM system for all security, while 41% use separate workflows to track different types of vulnerabilities. Some employ an issue tracker, while others rely on manual communication to get the job done.
• Resourcing is a universal challenge, with the most frustration reserved for how funding and staff is allocated, and a lack of automated capabilities.  

For more detailed findings and analysis, the full research report is available for download here.

About CyberRisk Alliance  

CyberRisk Alliance (CRA) is a business intelligence company serving the high growth, rapidly evolving cybersecurity community with a diversified portfolio of services that inform, educate, build community, and inspire an efficient marketplace. Our trusted information leverages a unique network of journalists, analysts and influencers, policymakers, and practitioners. CRA’s brands include SC Media, Security Weekly, ChannelE2E, MSSP Alert, InfoSec World, Identiverse, Cybersecurity Collaboration Forum, its research unit CRA Business Intelligence, the peer-to-peer CISO membership network, Cybersecurity Collaborative, the Official Cyber Security Summit, TECHEXPO Top Secret, and now LaunchTech Communications. Click here to learn more.

Sponsors:

About Lacework

Lacework is the security company for the cloud. The Lacework Cloud Security Platform is offered as-a-Service and delivers build-time to run-time threat detection, behavioral anomaly detection, and cloud compliance across AWS, GCP, Azure, and Kubernetes services, workloads, and containers. Trusted by enterprise customers worldwide, Lacework significantly drives down costs and risk, and removes the burden of unnecessary toil, rule writing, and inaccurate alerts.  

About Invicti

Invicti Security — which acquired and combined DAST leaders Acunetix and Netsparker — is on a mission: application security with zero noise. An AppSec leader for more than 15 years, Invicti’s best-in-DAST solutions enable DevSecOps teams to continuously scan web applications, shifting both left and right to identify, prioritize and secure a company’s most important assets. Our commitment to accuracy, coverage, automation, and scalability helps mitigate risks and propel the world forward by securing every web application. Invicti is headquartered in Austin, Texas, and has employees in over 11 countries serving more than 4,000 organizations around the world. For more information, visit our website or follow us on LinkedIn.