State of Vulnerability Management Programs in 2023
Vulnerability management (VM) programs can help organizations achieve software supply chain security and cyber resilience. Do leaders consider their organization’s current VM program up to the task?
One minute insights:
- One-fifth of respondents report their organization’s VM program has less funding than required
- About one-third of surveyed leaders say their VM program’s metrics and reporting are ineffective
- Many respondent organizations that outsource VM processes do so for network scanning, threat intelligence or application scanning
- The majority of respondent organizations include network access control implementation or penetration testing in their VM strategies
- Splitting responsibilities for vulnerability management and patch management across different teams is a common struggle among surveyed leaders
Almost half of surveyed leaders report their organization’s VM program has an adequate budget, and many have seen it increase over the last year
Nearly half (49%) of all respondents indicate that the budget of their organization’s VM program is adequate, while one-fifth (20%) have less funding than they require.
Question: Please share any final thoughts on your organization’s vulnerability management program.
We are being forced by government to put a VM in place for all our business which is a good move on their part, however we are still limited by budget.
Requires dedicated resources to stay current.
VM is currently the most discussed budget topic.
Most consider their VM program’s vulnerability assessment effective, but over one-third find metrics and reporting to be lacking
67% of surveyed leaders report that their organization’s VM program is evaluated at least quarterly if not more frequently, with about one-fifth (19%) evaluating the program on a continuous basis.
Most respondents note that vulnerability assessment (69%) or remediation (64%) are effective aspects of their organization’s VM program...
Question: Please share any final thoughts on your organization’s vulnerability management program.
Since the pandemic started, our VM was totally recalibrated to accommodate new requirements given the remote environment needs.
While we have matched our targets on identifying and assessing our potential vulnerabilities, it is still a long road to improve our continuous monitoring and leverage AI capabilities to automate further the processes and depend less on manual activities.
Respondent organizations are divided on VM process outsourcing, but most who take this route use it for network scanning
Most respondents at organizations that only outsource select VM processes (n = 123) indicate that network scanning (59%), threat intelligence (50%) or application scanning (47%) are handled by external parties.
Question: Please share any final thoughts on your organization’s vulnerability management program.
Distributed responsibility is definitely the biggest issue.
Continuous vulnerability assessment and remediation is important but time consuming. We are leaning towards outsourcing that task to an MSSP.
Splitting VM and patch management across different teams presents a challenge for many respondent organizations
Almost three-quarters (72%) of all surveyed leaders say their organization uses endpoint protection platforms for its VM program.
Over half note that their organization’s VM program includes tools for vulnerability assessment (55%), network traffic monitoring (54%) or patch management (52%).
Having different teams assigned to vulnerability management and patch management (43%) is the most reported challenge facing VM programs at respondent organizations.
Other commonly cited hurdles include inadequate visibility into the remediation process (32%), complex environments (30%) and having a configuration management database (CMDB) that is incomplete or out-of-date (30%).
Question: Please share any final thoughts on your organization’s vulnerability management program.
A risk register is key as not all vulnerabilities can be remediated and immediately.
The greatest challenges regarding VM seem to be keeping up with changes in the local and global "technology environment", the changes and additions in legal and policy requirements, and managing the associated budget to provide for adequate control and management.