Report: IT Security Teams Struggle to Mitigate Vulnerabilities



Vulcan Cyber’s latest research on vulnerability risk prioritization and mitigation programs has revealed that IT security teams struggle to move from simple vulnerability identification to meaningful response and mitigation. Because of this, business leaders and IT management professionals are limited in their ability to obtain the important information needed to effectively protect valuable business assets, making vulnerability management programs largely ineffective.

Risk without a business context is irrelevant. The survey found that the majority of respondents tend to group vulnerabilities by infrastructure (64%), followed by business function (53%) and application (53%). This is of concern, because prioritizing risks based on groupings of infrastructure and applications, without an asset context, is not meaningful. Failure to correlate vulnerability data with actual business risk leaves organizations exposed.

The vast majority of decision makers reported using at least two of the following models to assess and prioritize vulnerabilities: Common Vulnerability Scoring System (CVSS) at 71%, OWASP top 10 (59%), reported severity by scanner (47%), CWE Top 25 (38%) or bespoke scoring models (22%). To provide meaningful cyber risk management, a tailored scoring model that takes into account several industry standard scoring systems is ideal and most effective.

The more control a security team has over risk scoring and prioritization, the more effective it can be at mitigating cyber risk. But there is no industry-wide framework for risk-based vulnerability management, which means cyber hygiene continues to be lacking and vulnerabilities continue to generate risk.
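The two preceding paragraphs describe the tailored approach the report argues for: blending several standard scoring inputs (CVSS, scanner severity, OWASP Top 10 and CWE Top 25 membership) and then weighting the result by asset context (exposure, data sensitivity, business criticality). The following Python is an added illustration of such a bespoke model; it is not Vulcan Cyber's scoring method, nor anything taken from the report. All weights are assumptions chosen for the illustration, and every asset, finding ID and score value is constructed sample data. The point it demonstrates is the re-ordering: a "critical" CVSS finding on an isolated lab host ranks below a medium finding on an internet-facing payment service once asset context is applied.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    """Business context for a host or application (constructed sample data)."""
    name: str
    business_function: str
    internet_facing: bool
    data_sensitivity: int  # 1 (public) .. 5 (regulated / highly sensitive)
    criticality: int       # 1 (lab / disposable) .. 5 (revenue-critical)


@dataclass(frozen=True)
class Finding:
    """One scanner result for one asset (constructed sample data)."""
    finding_id: str
    asset: str
    cvss_base: float           # CVSS base score, 0.0 .. 10.0
    scanner_severity: str      # severity label reported by the scanner
    cwe_top25: bool            # weakness class appears in the CWE Top 25
    owasp_category: Optional[str]  # OWASP Top 10 category, if any


# Assumed weights: how much each standard input contributes to the technical score.
SEVERITY_WEIGHT = {"low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}


def technical_score(f: Finding) -> float:
    """Blend the standards-based inputs into a single 0.0 .. 1.0 technical severity."""
    cvss = f.cvss_base / 10.0
    scanner = SEVERITY_WEIGHT.get(f.scanner_severity.lower(), 0.5)
    standards = (0.1 if f.cwe_top25 else 0.0) + (0.1 if f.owasp_category else 0.0)
    return min(1.0, 0.6 * cvss + 0.3 * scanner + standards)


def business_context_multiplier(a: Asset) -> float:
    """Scale technical severity by asset context; ranges 0.1 (isolated, trivial) .. 1.0."""
    exposure = 1.0 if a.internet_facing else 0.5
    return exposure * (0.5 * a.data_sensitivity / 5 + 0.5 * a.criticality / 5)


def risk_score(f: Finding, a: Asset) -> float:
    """Business-contextual risk on a 0 .. 100 scale."""
    return round(100 * technical_score(f) * business_context_multiplier(a), 1)


def prioritize(findings: List[Finding], assets: Dict[str, Asset]) -> List[Tuple[str, str, float]]:
    """Return (finding_id, business_function, score) sorted highest risk first."""
    scored = [(f.finding_id, assets[f.asset].business_function, risk_score(f, assets[f.asset]))
              for f in findings]
    return sorted(scored, key=lambda row: row[2], reverse=True)


def cvss_order(findings: List[Finding]) -> List[str]:
    """The ordering a team gets from raw CVSS alone, for comparison."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


# Constructed sample inventory and scan results (not real assets or CVEs).
SAMPLE_ASSETS: Dict[str, Asset] = {
    "lab-build-01": Asset("lab-build-01", "engineering", False, 1, 1),
    "payments-api": Asset("payments-api", "payments", True, 5, 5),
    "hr-db-02": Asset("hr-db-02", "human resources", False, 5, 3),
}
SAMPLE_FINDINGS: List[Finding] = [
    Finding("VULN-A", "lab-build-01", 9.8, "critical", True, None),
    Finding("VULN-B", "payments-api", 6.5, "medium", False, "A01:2021 Broken Access Control"),
    Finding("VULN-C", "hr-db-02", 7.5, "high", True, None),
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_order(SAMPLE_FINDINGS))
    for finding_id, function, score in prioritize(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        print(f"{finding_id:8} {function:16} risk={score}")
```

Run as a script, it prints the raw CVSS ordering (VULN-A, VULN-C, VULN-B) and then the context-weighted ordering (VULN-B, VULN-C, VULN-A), which is the inversion the report's argument is about. The `business_function` column in the output is what lets a team report risk per business area rather than per scanner group.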

Sensitive data exposure was ranked as the most common business concern resulting from application vulnerabilities, as noted by 54% of respondents. This was followed by broken authentication (44%), security configuration errors (39%), insufficient logging and monitoring (35%), and injection (32%). Respondents also identified vulnerability MS14-068, also known as Microsoft Kerberos unprivileged user accounts, as the vulnerability of greatest concern to their organizations. Interestingly, this vulnerability was cited ahead of more widely known vulnerabilities such as MS08-067 (Windows SMB, aka Conficker, Downadup, Kido, etc.), CVE-2019-0708 (BlueKeep), CVE-2014-0160 (OpenSSL, aka Heartbleed) and MS17-010 (EternalBlue).

Since this survey was conducted earlier this year, the Log4J or Log4shell vulnerability announced this week is not reflected in the report data. However, Vulcan Cyber sees how easy it is to exploit this vulnerability, with ransomware continuing to be a favorite playbook. This, again, underscores the importance of collaboration between business leaders and IT teams to effectively reduce cyber risk to their organizations through ongoing cyber hygiene efforts and well-executed vulnerability management programs.

Vulcan Cyber’s report is based on a survey conducted by Pulse of over 200 corporate IT and security executives.

Read the full report from Vulcan Cyber.
