Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecuritySecurity NewswireCybersecurity News

Most risk-based vulnerability management programs ineffective

threat-intel-freepik1170.jpg
December 16, 2021

Vulcan Cyber announced the latest results of its ongoing research into vulnerability risk prioritization and mitigation programs. Its findings highlight the struggle of IT security teams to transition from simple vulnerability identification to meaningful response and mitigation, limiting the risk insights business leaders and IT management professionals need to effectively protect valuable business assets.

According to a Vulcan Cyber survey of more than 200 enterprise IT and security executives conducted by Pulse, 86% of respondents rely on third-party vulnerability severity data to prioritize vulnerabilities with an additional 70% relying on third-party threat intelligence. This trend underscores the status quo in many cyber security organizations today in which many teams over-rely on metrics from third-party sources that lack the necessary context to understand and actually reduce risk specific to the enterprise. 

“While IT security teams work hard to defend the modern enterprise, it’s clear that traditional threat intelligence and metrics like vulnerability severity scores are incapable of generating the business-specific insight necessary for comprehensive protection,” said Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber, “Cybersecurity teams need the insights, processes, and tooling to prioritize risk for the assets that matter most to their business success.”

The Vulcan Cyber survey also found that the majority of respondents group vulnerabilities by infrastructure (64%), followed by business function (53%) and application (53%). Risk prioritization associated exclusively with infrastructure and application groupings is not meaningful without asset context.

“Risk without business context is irrelevant. A CISO doesn’t care about the risk posture of a server and database used by janitorial services to manage paper towel inventory levels. But if the exact same server had thousands of customers’ personally identifiable information on it, that would constitute an entirely different and significantly more severe level of cyber risk,” Bar-Dayan continued. 

The survey data indicates widespread misalignment among vulnerability prioritization practices in use today. 78% of respondents said highly-prioritized vulnerabilities should be ranked lower, while 69% of respondents also said that lower-ranked vulnerabilities should be ranked higher. More than 80% of respondents agreed that they would benefit from increased flexibility to prioritize vulnerabilities based on their particular risk environment. “Gut feel” should be quantifiable in risk measurement. 

To score and prioritize vulnerabilities, the vast majority of decision-makers reported using two or more of the following models: the common vulnerability scoring system (CVSS) (71%), OWASP top 10 (59%), scanner reported severity (47%), CWE Top 25 (38%), or bespoke scoring models (22%). To deliver meaningful cyber risk management a bespoke scoring model that accounts for several industry-standard scoring systems is ideal and most efficient.

“Security teams need more control for better accuracy in scoring, prioritizing, and mitigating cyber risk. Risk-based vulnerability management practices lack a common framework, which limits the ability of business leaders and IT teams to work collaboratively with security to effectively reduce cyber risk to their organizations. As a result, cyber hygiene continues to be fall short almost industry wide and organizations remain exposed,” said Bar-Dayan.

A slight majority of survey respondents (54%) reported the most concern over sensitive data exposure as the result of application vulnerabilities, followed by broken authentication (44%), security misconfigurations (39%), insufficient logging and monitoring (35%), and injection (32%). Respondents also indicated that MS14-068 (Microsoft Kerberos unprivileged user accounts) was the most concerning vulnerability to their organizations, over high-profile vulnerabilities such as MS08-067 (Windows SMB aka: Conficker, Downadup, Kido, etc.), CVE-2019-0708 (BlueKeep), CVE-2014-0160 (OpenSSL aka: Heartbleed), and MS17-010 (EternalBlue).

For additional insights from the most recent Vulcan Cyber survey, download the whitepaper, How are Cyber Security Teams Prioritizing Vulnerability Risk?

KEYWORDS: cyber security risk management security vulnerability threat intelligence

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Leadership and Management
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cyber Tactics Column
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security camera

40,000 IoT Security Cameras Are Exposed Online

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Ineffective Communication Weakening Travel Risk Programs

    Ineffective Communication Weakening Travel Risk Programs

    See More
  • SEC0421-ProdSpot-Tenable-Slide12-900px

    All-in-one Risk-based Vulnerability Management Platform

    See More
  • Old Newswire Feature Image

    Most Corporate Security Programs Not Integrated with Enterprise Risk Management

    See More

Related Products

See More Products
  • 1119490936.jpg

    Solving Cyber Risk: Protecting Your Company and Society

  • Risk-Analysis.gif

    Risk Analysis and the Security Survey, 4th Edition

  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing