Study finds companies using the Common Vulnerability Scoring System (CVSS) slower in patching high-risk vulnerabilities


Ed Bellis, CTO at Kenna Security: “This research shows what companies with high-performing vulnerability management programs are doing right. One factor stands above all others: Companies that orient their programs around real-world threat information perform better than those that don’t. The report also shows that compliance-based prioritization and CVSS standards for threat scoring negatively impact the ability to identify and patch the threats that matter most.”

News Summary

Kenna Security, a leader in predictive cyber risk, today released a new report showing how companies can build faster, more efficient, and more comprehensive cybersecurity programs based on a detailed look at the practices of high-performing companies.

The research demonstrates that companies most effectively managing security vulnerabilities report using a patch tool, relying on risk-based prioritization tools, and having multiple, specialized remediation teams that focus on specific sectors of a technology stack.

Companies that said they had a mature, well-funded vulnerability management program were more likely to patch vulnerabilities faster, but that did not necessarily mean they patched the riskiest vulnerabilities first. Having an adequate security budget correlated with an ability to patch security threats quickly but did not translate into a higher capacity to remediate vulnerabilities.

Some internal factors tended to reduce performance. Companies that used the Common Vulnerability Scoring System (CVSS) to prioritize vulnerabilities for remediation tended to be slower in patching high-risk vulnerabilities. Companies focused on compliance tended to struggle to patch all high-risk vulnerabilities across their organization.

Produced in conjunction with the Cyentia Institute, the fourth volume of Kenna’s Prioritization to Prediction series uses survey data and standardized metrics to explore how high-performing companies achieve success. The report combines data from the Kenna Security Platform with survey responses to conduct a granular, in-depth analysis of the behavior and associated security outcomes of more than 100 organizations.

The research builds on three previous installments of the series, which analyzed how hundreds of companies have addressed 300 billion vulnerabilities using risk-based remediation practices. The previous installment provided in-depth analysis of remediation practices at major companies, showing that most companies only have, on average, the capacity to remediate one out of every 10 vulnerabilities, and that half of all companies end each day facing more high-risk cybersecurity vulnerabilities than they started with.

Supporting Quotes

Jay Jacobs, data scientist, co-founder and partner, Cyentia Institute: “Over the past year, this series has given readers a unique view into the benchmarks of success in the vulnerability management space, a key practice on the frontlines of cybersecurity. Now, we’ve examined the choices that companies make - their budgets, their priorities, and their organizational structure - to achieve those results.”

Additional Resources

-- View the Executive Summary and download the report, Prioritization to Prediction, Volume 4: Measuring What Matters in Remediation
-- Check out the entire series:
   o Prioritization to Prediction, Volume 1: Analyzing Vulnerability Remediation Strategies
   o Prioritization to Prediction, Volume 2: Getting Real About Remediation
   o Prioritization to Prediction, Volume 3: Winning the Remediation Race
-- View the Webinar, Distinguishing Common Practices from Best Practices in Vulnerability Management
-- Engage with Kenna on Twitter, Facebook, and LinkedIn.

About Cyentia Institute

The Cyentia Institute is a Virginia-based research services firm that exists to advance cybersecurity knowledge and practice through use-inspired, data-driven research. Cyentia curates and publishes research for the community, partners with other organizations to create compelling publications, and helps enterprises turn complex security data into confident strategic decisions.

About Kenna Security

Kenna Security is a leader in predictive cyber risk. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. Kenna leverages Cyber Risk Context Technology™ to track and predict real-world exploitations, focusing security teams on what matters most. Headquartered in San Francisco, Kenna counts among its customers many Fortune 100 companies, and serves nearly every major vertical.

Media & Analyst Contact:
Matt McLoughlin
Gregory FCA for Kenna Security
Phone: 610-228-2123
Email:


Copyright 2019 GlobeNewswire, Inc.