Vulcan Cyber announced the latest results of its ongoing research into cyber risk remediation initiatives and risk impact on business operations. In a survey of enterprise IT security executives, 76% of respondents indicated that a security vulnerability had impacted their business in the last year. These findings underscore the pervasive impact security vulnerabilities continue to have on business, as well as the ineffectiveness of traditional approaches to vulnerability management.
Conducted by Pulse, the latest Vulcan Cyber vulnerability remediation survey examines the effectiveness of risk and vulnerability management programs in enterprises today and their impact on cyber hygiene. According to the results, a majority of respondents, 52%, report their organization places only a moderate level of importance on risk-based vulnerability management, compared to 33% who consider risk-based vulnerability management very important.
“There is a clear and widening gap between enterprise vulnerability management programs and the ability of IT security teams to actually mitigate risk facing their organizations,” said Yaniv Bar-Dayan, CEO and co-founder, Vulcan Cyber. “As security vulnerabilities proliferate across digital surfaces, it’s increasingly critical that all enterprise IT security stakeholders make meaningful changes to their cyber hygiene efforts. This should include prioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, particularly in businesses with advanced cloud application programs.”
Other key findings from the Vulcan Cyber survey include:
- The majority of respondents reported average vulnerability dwell times of more than one day (46%) with a significant number of respondents (31%) reporting dwell times of more than a week.
- Among the vulnerability scanners used by IT security teams for infrastructure scanning, Qualys is the most popular, followed by Crowdstrike and AWS Inspector, then Tenable.sc, Tenable.io, Palo Alto Networks Prisma Cloud, Rapid7 InsightVM, Rapid7 Nexpose, Orca, and Aqua Security, in descending order.
- Palo Alto Networks Prisma Cloud is the most popular vulnerability scanner used for applications, followed by Tenable WAS, Rapid7 InsightAppSec, Qualys WAS, Snyk, WhiteHat, Veracode, Micro Focus Fortify, HCL AppScan, WhiteSource, Burp Suite, and Checkmarx, in descending order.
- Overall, 76% of respondents use the same prioritization (risk analytics) model for both infrastructure and application security.
- The majority of respondents (30%) evaluate cyber risk using external, technically oriented models such as ATT&CK in contrast to external, business-oriented models like FAIR (20%). 27% of respondents use a bespoke, home-grown scoring model.