-- Not all vulnerabilities and threats need to be identified and tracked -- just those that are relevant to the organization's IT assets.
-- Not all vulnerabilities and threats need to be addressed with the same degree of urgency -- prioritization should be determined based on the level of risk and the business value of the IT assets in question.
-- Not all remediation needs to be based on deployment of software patches or configuration updates (although these processes should be automated to a much higher degree than that currently indicated by the research) -- compensating controls can also be considered in circumstances other than those where no patches or updates are available.

"Aberdeen's research confirms that improving capabilities in assessing, prioritizing, and remediating threats and vulnerabilities pays off in two ways," said Derek E. Brink, vice president and research fellow for IT Security, Aberdeen. "First, it reduces the costs inflicted by the flood of new threats and vulnerabilities that emerge on a weekly basis. Second, it reduces the total cost of Vulnerability Management, which frees up precious resources to invest in more strategic IT initiatives."

Companies should also accept that Vulnerability Management is a never-ending process, and that the cycle of "assess," "prioritize," "remediate" must be continuously repeated. Through better security governance (allocation of limited IT resources) and risk management (prioritization based on business value and the organization's appetite for risk), Best-in-Class performance in Vulnerability Management frees up limited IT resources to invest in projects more directly tied to the "rewarded risks" of innovation and strategic growth.

A complimentary copy of this report is made available in part by the following underwriters: Rapid7 LLC and Shavlik Technologies. To obtain a complimentary copy of the report, visit: http://www.aberdeen.com/link/sponsor.asp?cid=5231.
To access all of Aberdeen's complimentary research, please visit http://research.aberdeen.com.

About Aberdeen Group, a Harte-Hanks Company

Aberdeen is a leading provider of fact-based research and market intelligence that delivers demonstrable results. Having benchmarked more than 30,000 companies in the past two years, Aberdeen is uniquely positioned to educate users to action: driving market awareness, creating demand, enabling sales, and delivering meaningful return-on-investment analysis. As the trusted advisor to the global technology markets, corporations turn to Aberdeen(TM) for insights that drive decisions.

As a Harte-Hanks Company, Aberdeen plays a key role in putting content in context for the global direct and targeted marketing company. Aberdeen's analytical and independent view of the "customer optimization" process of Harte-Hanks (Information - Opportunity - Insight - Engagement - Interaction) extends the client value and accentuates the strategic role Harte-Hanks brings to the market.

For additional information, visit Aberdeen at http://www.aberdeen.com or call (617) 723-7890, or to learn more about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com.
© 2008 Aberdeen Group, Inc., a Harte-Hanks Company 451 D Street, Suite 710 Boston, Massachusetts 02210-1928 Telephone: (617) 723-7890 Fax: (617) 723-7897 www.aberdeen.com
Contact Information: Media Contact: Derek E. Brink Aberdeen Harte-Hanks (617) 854-5254 Derek.Brink@aberdeen.com