What are the keys to effective vulnerability management? Skybox set out to answer this question in a recent global survey of IT security practitioners in our 2015 Enterprise Vulnerability Management Trends Report.

Skybox surveyed 974 IT security practitioners from more than 50 countries in various roles and industries. The survey focused on large, complex networks on an enterprise scale, and was designed to assess challenges, satisfaction, and areas in need of improvement in vulnerability management programs.

The Trends Report revealed that satisfaction with vulnerability management programs correlated directly with the maturity of the program in place and with the seniority of the respondent. Think of vulnerability management as a cyber-battlefield. Those with a plan of attack feel most confident in taking on the enemy; those with the most responsibility, down in the trenches, are the most worried.

Formalize Your Defenses

The importance of vulnerability management is higher now than ever. A recent Symantec report showed five out of six large companies reported they were the target of a cyber attack in 2014. In the midst of these advanced threats, teams struggle to keep up with the sea of vulnerabilities announced (just look at this super-packed Patch Tuesday with Oracle, Adobe, Google, and Mozilla piling on to Microsoft’s already hefty April update). Beyond vulnerability assessment, vulnerability prioritization and remediation continue to prove difficult in an era of big data and a patchwork of vulnerability management solutions.

Is there a silver bullet to improving all of these facets in one fell swoop? The Enterprise Vulnerability Management Trends Report indicates there is: formalized policy.

The survey highlighted that a lack of a formal vulnerability management policy led to little faith in the program. Respondents working with documented and audited policies reported the highest level of program satisfaction: 67 percent. An informal policy yielded 38 percent satisfaction, and respondents who essentially answered, “What policy?” reported only 14 percent satisfaction.

The Generals and the Infantry

C-level executives, who carry heightened responsibility and expectations for the program’s success, were the least satisfied (44 percent); technical vulnerability management program owners followed with 53 percent satisfied. Those with no direct involvement in the program were the most satisfied, at 67 percent, reflecting the “not my problem” position.

But for any CISO pulling their hair out, Skybox CEO Gidi Cohen shares this advice:

“Executives have high expectations of their vulnerability management programs, and high accountability for the results. … Our findings indicate that the management time required to develop a formal policy, document procedure, and audit results will yield a strong, positive return.”

Developing policy might not seem like the high-action, gun-slinging approach the CISO generals are hoping for, but the survey responses indicate it results in a more efficient program, safer networks, and improved team morale. What’s more, with all the gadgets and solutions out there promising the world in vulnerability management, a policy that meets the needs of your organization is the one thing that can’t be bought.

The Enterprise Vulnerability Management Trends Report provides many more insights on vulnerability management “in the wild.” The full report is available from Skybox.

What’s Your View?

Are you involved in vulnerability management? What’s your level of satisfaction? Where do you see room for improvement? The comments are open!