How can companies get more efficient at patching vulnerabilities?

21 Aug 2019


New research found that using a patch tool and relying on risk-based prioritisation can help with effective management of security vulnerabilities.

Predictive cyber risk firm Kenna Security has released a new report that shows the top factors that make companies faster and more efficient in patching vulnerabilities.

The research, produced in conjunction with the Cyentia Institute, uses survey data and standardised metrics to explore how high-performing companies achieve success. It builds on three previous instalments in the series.

“This research shows what companies with high-performing vulnerability management programs are doing right,” said Ed Bellis, CTO at Kenna Security.

Jay Jacobs, data scientist and co-founder and partner at the Cyentia Institute, added: “Over the past year, this series has given readers a unique view into the benchmarks of success in the vulnerability management space, a key practice on the frontlines of cybersecurity.

“Now, we’ve examined the choices that companies make – their budgets, their priorities and their organisational structure – to achieve those results.”

The report concludes that the companies that most effectively manage security vulnerabilities use a patch tool, rely on risk-based prioritisation tools and have multiple, specialised remediation teams to focus on specific sectors of a technology stack.

The research adds that companies that report having mature and well-funded vulnerability management programs were more likely to patch vulnerabilities faster, but that didn’t mean these firms necessarily addressed the riskiest vulnerabilities first.

The report also notes the factors that can hinder a company’s ability to patch high-risk vulnerabilities quickly, such as using the Common Vulnerability Scoring System (CVSS) alone to prioritise vulnerabilities for remediation. According to the research, companies focused on compliance tended to struggle to patch all high-risk vulnerabilities across their organisation.

Previous volumes of these reports have found that the median time-to-remediation is 100 days and that one-quarter of vulnerabilities remain open for more than a year. Additionally, up to 40pc of vulnerabilities observed in enterprise networks are still open today.
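The two ideas above, the remediation metrics (median time-to-remediation, share of findings open for more than a year) and the difference between CVSS-only and risk-based ordering of a backlog, can be made concrete on a small set of vulnerability records. The following is an added example written for this page; it is not code from Kenna Security, the Cyentia Institute or the report, and the records are constructed. The `exploited` flag is a hypothetical threat-intelligence signal (exploitation observed in the wild), and the "risk" ordering rule, exploited-first then CVSS, is a simplified stand-in for a real risk-based score, not the method used in the report.

```python
from datetime import date
from fractions import Fraction
from statistics import median

# Reporting date for "still open" durations (the article's date, chosen for the example).
TODAY = date(2019, 8, 21)


def _v(vid, cvss, exploited, opened, closed=None):
    """Build one constructed vulnerability record (closed=None means still open)."""
    return {"id": vid, "cvss": cvss, "exploited": exploited, "opened": opened, "closed": closed}


# Constructed sample backlog; not data from the Kenna/Cyentia report.
SAMPLE_VULNS = [
    _v("V-1", 9.8, False, date(2019, 7, 30), date(2019, 8, 10)),
    _v("V-2", 7.5, True,  date(2019, 1, 15)),
    _v("V-3", 5.3, True,  date(2018, 3, 1),  date(2018, 9, 1)),
    _v("V-4", 9.1, False, date(2018, 5, 20)),
    _v("V-5", 4.0, False, date(2019, 6, 1),  date(2019, 6, 20)),
    _v("V-6", 8.8, True,  date(2019, 4, 1),  date(2019, 8, 1)),
    _v("V-7", 6.5, False, date(2019, 2, 1),  date(2019, 5, 12)),
    _v("V-8", 9.4, False, date(2019, 8, 1)),
    _v("V-9", 6.1, True,  date(2018, 7, 1)),
]


def days_open(v, today=TODAY):
    """Days from first detection to closure, or to `today` if the finding is still open."""
    return ((v["closed"] or today) - v["opened"]).days


def median_time_to_remediation(vulns):
    """Median days-to-close, computed over remediated findings only."""
    closed = [days_open(v) for v in vulns if v["closed"] is not None]
    return median(closed) if closed else None


def share_open_longer_than(vulns, days, today=TODAY):
    """Fraction of all records that stayed open more than `days` (closed late or still open)."""
    n = sum(1 for v in vulns if days_open(v, today) > days)
    return Fraction(n, len(vulns))


def share_still_open(vulns):
    """Fraction of all records with no closure date."""
    n = sum(1 for v in vulns if v["closed"] is None)
    return Fraction(n, len(vulns))


def prioritise_backlog(vulns, strategy):
    """Order the open backlog.

    'cvss': base score only, highest first.
    'risk': findings with observed exploitation first, then by CVSS (hypothetical rule).
    """
    backlog = [v for v in vulns if v["closed"] is None]
    if strategy == "cvss":
        key = lambda v: -v["cvss"]
    elif strategy == "risk":
        key = lambda v: (not v["exploited"], -v["cvss"])
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    return [v["id"] for v in sorted(backlog, key=key)]


def remediation_summary(vulns=SAMPLE_VULNS):
    """Metrics of the kind the report series tracks, plus both backlog orderings."""
    return {
        "median_ttr_days": median_time_to_remediation(vulns),
        "share_open_over_1y": share_open_longer_than(vulns, 365),
        "share_still_open": share_still_open(vulns),
        "cvss_order": prioritise_backlog(vulns, "cvss"),
        "risk_order": prioritise_backlog(vulns, "risk"),
    }


if __name__ == "__main__":
    for name, value in remediation_summary().items():
        print(f"{name}: {value}")
```

On this sample the CVSS-only ordering puts the two highest base scores (V-8, V-4) at the top of the queue, while the risk ordering moves the two findings with observed exploitation (V-2, V-9) ahead of them despite their lower scores. That reordering is the practical difference the report draws between patching fast and patching the riskiest findings first; the metrics functions are the same ones you would run over a real scanner export to compare your own median time-to-remediation and long-open share against the series' figures.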

You can read the report in full here.

Eva Short was a journalist at Silicon Republic