Hackuity Report Reveals Key Vulnerability Management Strain

Hackuity has released a new report highlighting the mounting pressure faced by security teams as they grapple with an increasing number of Common Vulnerabilities and Exposures (CVEs).

Focusing on the challenges of vulnerability management, the report draws insights from 200 IT security decision-makers in the UK and APAC regions.

Growing Pressure on Security Resources

As CVEs continue to multiply, nearly half of the respondents, at 46%, indicate that this influx has strained their security resources, affecting both corporate security and staff wellbeing.

Furthermore, 26% confess that this pressure has led to data breaches, and more than a third, 36%, report that it resulted in regulatory penalties.

Additionally, 36% experienced delayed incident responses, while 33% admit to missing security alerts due to these pressures. The human impact is notable, with 38% acknowledging that these stresses have led to team burnout.

Consequences of Insufficient Vulnerability Management

Sylvain Cortes, VP Strategy at Hackuity, emphasized the negative effects these pressures have on organizations and their teams' well-being. "We know that teams are feeling the pressure right now - but what’s most concerning is the knock-on effect this is having on organizations and on the team’s well-being," Cortes stated.

He underscored the real-world consequences stemming from poorly managed vulnerabilities, such as missed alerts and financial penalties, emphasizing that the constant barrage of alerts is both stressful and costly.

Current approaches to Vulnerability Management

Despite the urgency, only 36% of organizations utilize a risk-based approach to vulnerability management

Despite the urgency, only 36% of organizations utilize a risk-based approach to vulnerability management, focusing on factors such as asset criticality, exploitability, and business impact.

Most organizations, however, report having formalized processes for identifying vulnerabilities, yet vulnerability management (VM) struggles to obtain the same priority as other IT security projects, as noted by 60% of respondents.

Challenges in remediation and Budget Constraints

The report highlights that the average time to remediate critical vulnerabilities is four weeks, although 21% of organizations report that it can take between one and three months to address these issues.

Operational and budgetary limitations further complicate VM efforts, with 43% citing operational constraints and 41% pointing to financial restrictions.

Staff and skills shortages also pose significant hurdles, with 29% of respondents identifying a lack of in-house skills and 25% noting that frequent staff turnover hinders improvements in VM practices.

Need for Enhanced Security Strategies

Sylvain Cortes stressed the importance of equipping security teams with the necessary tools and intelligence to manage the growing complexity of vulnerabilities effectively.

"Security leaders need to look at how they’re equipping their teams to make sure they can keep pace with the rising volume and complexity of vulnerabilities," Cortes remarked, warning of the wasted time and resources without proper context and intelligence surrounding alerts.

Show full press release

Hackuity, the risk-based vulnerability management provider, released new research revealing the mounting pressure on security teams as they struggle to keep pace with the rising number of CVEs (Common Vulnerabilities and Exposures).

The Vulnerability Management Report explores the challenges of vulnerability management and includes insights from 200 IT security decision-makers across the UK and APAC.

Additional strain

As the number of CVEs continues to rise, nearly half (46%) of respondents say that the volume has placed additional strain on their security teams’ resources impacting not only organizational security but also staff wellbeing.

One in four, 26%, admit this pressure has contributed to a data breach, while more than a third, 36%, report it resulted in a regulatory fine. Over a third (36%) also say it has delayed incident response, and 33% report missed security alerts as a result. In terms of the human impact, 38% report that it has led to burnout within the team.

Knock-on effect

Commenting on the findings, Sylvain Cortes VP Strategy at Hackuity said: “We know that teams are feeling the pressure right now - but what’s most concerning is the knock-on effect this is having on organizations and on the team’s well-being.”

“From missed alerts to fines, there are real consequences at play when vulnerabilities aren’t managed in a way that’s making the best use of team’s time and expertise. The nonstop flood of alerts isn’t just stressful, it’s costly.”

The ability to process and manage vulnerabilities has become ever more critical. Whilst most organizations, 77%, report that they have formalized vulnerability remediation processes in place for identifying vulnerabilities, only 36% have a risk-based approach as the primary method, where vulnerabilities are based on asset criticality‚ exploitability and business impact.

Key findings

It also seems that there is more work to do in moving vulnerability management (VM) higher up the agenda as 60% of respondents reported that it does not receive the same focus as other IT security projects.

Additional key findings from the report include:

Critical Vulnerabilities take on average four weeks to remediate: The mean time to remediation (MTTR) for critical vulnerabilities is four weeks, on average. However, one in five organizations (21%) report that it can take between one and three months to remediate critical vulnerabilities.
The barriers to VM: operational and budget constraints: Although respondents recognize the strain of vulnerability management, they are hindered by operational (43%) and budget (41%) constraints. The issue of staff and skills shortages also play a part with 29% of respondents citing lack of skills within the team and a quarter reporting that high staff turnover prevents them from making improvement to VM practices.

Sylvain Cortes continues: “Security leaders need to look at how they’re equipping their teams to make sure they can keep pace with the rising volume and complexity of vulnerabilities. Without context and intelligence around the alerts, they risk wasting valuable time and resources chasing down threats or missing alerts that could pose the greatest risk for their organization.”

Download PDF version Download PDF version

Add as a preferred source on Google