NEW YORK, NY--(Marketwired - Nov 4, 2015) - NopSec released its latest report today, "2016 Outlook: Vulnerability Risk Management and Remediation Trends." Based on a recent survey of 200+ security and IT professionals, the report examines the current state of vulnerability risk management, top prioritization and remediation challenges, and 2016 priorities. View the infographic now.

The 2015 Verizon Data Breach Investigations Report found that 99.9 percent of vulnerabilities were exploited over a year after they were disclosed. Organizations are not able to secure the holes within their environment faster than cybercriminals can exploit them. This was confirmed in the survey; 82 percent of organizations indicated their current remediation process is broken, and 37 percent noted that current remediation processes need major improvement. 

"Vulnerability scanners provide visibility into potential network, application and endpoint risks, but much of the value of that data is lost in a never-ending deluge of spreadsheets, ineffective business processes and lack of cross-team communication. Security teams are already drowning, and more data is not always the answer," added NopSec's Vice President of Strategy and Operations, Kevin Ketts. "Organizations need clear visibility on what to fix, as well as when and how to fix it."

Additional report highlights include:

  • Even though organizations claim to be actively detecting threats across their environment -- nearly 70 percent noted they scan on a daily or weekly basis -- they are still lost when it comes to next steps.
  • More than half (51 percent) of organizations surveyed cited data overload as their biggest challenge to prioritizing data generated from vulnerability scanning, followed by lack of resources (46 percent) and too many false positives (34 percent).
  • Roadblocks to faster remediation include lack of resources (78 percent), competing priorities among internal teams (76 percent) and validity of vulnerability data/ false positives (70 percent).
  • However, the boardroom might not fully understand the importance of vulnerability remediation -- 60 percent of those surveyed stated company executives are only "somewhat" to "not at all" informed about the risk posed to their business from today's security threats. 
  • Organizations recognize the value of additional context with the majority of respondents (85 percent) citing the use of open source, commercial threat intelligence feeds, or a combination of both, within their current vulnerability management programs. 
  • Yet, security vulnerability prioritization is not as sophisticated -- 45 percent of respondents are still using basic risk forecasting based on the CVSS score, asset classification and/or manual processes.
  • Surprisingly, only 40 percent of the organizations surveyed stated they have metrics in place to measure the success of their vulnerability management program. 

Organizations know that improving prioritization and remediation is critical to drastically reducing the risk of a data breach. Respondents called out three vulnerability management priorities in 2016: implementing tools to improve vulnerability and threat prioritization (50 percent), scanning networks and applications more frequently (42 percent), and improving communication between remediation teams (40 percent).

"Organizations are finally realizing that the compliance checklist mentality is not enough when it comes to vulnerability management, and that it is essentially worthless when it comes to actual remediation," noted Arnold Felberbaum, strategic advisor to NopSec, former CISO, and adjunct professor in Information Security at NYU Tandon School of Engineering, who also contributed to the survey. "Properly prioritizing vulnerabilities and working across teams to rapidly remediate the top threats is the only way we can close the gap and keep up with the onslaught of cyber attacks."

Download the infographic or register for the webinar on November 17th at 2:00 pm ET to learn more. 

NopSec provides vulnerability risk management and remediation workflow solutions to help businesses protect their IT environments from security breaches. The company's flagship product, Unified VRM, is based on a flexible SaaS architecture that provides intelligent context to vulnerability data, enabling security teams to visually forecast threat risk to dramatically reduce the turnaround time between identification and remediation of critical security vulnerabilities across infrastructure and applications. NopSec has been recognized as one of the 20 Most Promising Enterprise Security Companies of 2015 by CIO Review and named to CRN's list of Emerging Security Vendors for four consecutive years. NopSec is based in New York, NY. For more information, please visit

Contact Information:

Media Contact:
Kim Pegnato
PR for NopSec