New Kenna Security research shows top factors that make companies faster, more efficient in patching vulnerabilities

Study finds companies using the Common Vulnerability Scoring System (CVSS) slower in patching high-risk vulnerabilities


Ed Bellis, CTO at Kenna Security
“This research shows what companies with high-performing vulnerability management programs are doing right. One factor stands above all others: Companies that orient their programs around real-world threat information perform better than those that don’t. The report also shows that compliance-based prioritization and CVSS standards for threat scoring negatively impact the ability to identify and patch the threats that matter most.”

News Summary

Kenna Security, a leader in predictive cyber risk, today released a new report showing how companies can build faster, more efficient, and more comprehensive cybersecurity programs based on a detailed look at the practices of high-performing companies.

The research demonstrates that companies most effectively managing security vulnerabilities report using a patch tool, relying on risk-based prioritization tools, and having multiple, specialized remediation teams that focus on specific sectors of a technology stack.

Companies that said they had a mature, well-funded vulnerability management program were more likely to patch vulnerabilities faster, but that did not necessarily mean the companies patched the riskiest vulnerabilities first. Having an adequate security budget correlated with an ability to patch security threats quickly but did not translate into a higher capacity to remediate vulnerabilities.

Some internal factors tended to reduce performance. Companies that used the Common Vulnerability Scoring System (CVSS) to prioritize vulnerabilities for remediation tended to be slower in patching high-risk vulnerabilities. The companies focused on compliance tended to struggle to patch all high-risk vulnerabilities across their organization.

Produced in conjunction with the Cyentia Institute, the fourth volume of Kenna’s Prioritization to Prediction series uses survey data and standardized metrics to explore how high-performing companies achieve success. The report combines data from the Kenna Security Platform with survey responses to conduct a granular, in-depth analysis of the behavior and associated security outcomes of more than 100 organizations.

The research builds on three previous installments of the series, which have analyzed how hundreds of companies have addressed 300 billion vulnerabilities using risk-based remediation practices. The previous installment provided in-depth analysis of remediation practices at major companies, showing that most companies only have, on average, the capacity to remediate one out of every 10 vulnerabilities, and that half of all companies end each day facing more high-risk cybersecurity vulnerabilities than they started with.

Supporting Quotes

Jay Jacobs, data scientist, co-founder and partner, Cyentia Institute
“Over the past year, this series has given readers a unique view into the benchmarks of success in the vulnerability management space, a key practice on the frontlines of cybersecurity. Now, we’ve examined the choices that companies make - their budgets, their priorities, and their organizational structure - to achieve those results.”

Cyentia Institute
The Cyentia Institute is a Virginia-based research services firm that exists to advance cybersecurity knowledge and practice through use-inspired, data-driven research. Cyentia curates and publishes research for the community, partners with other organizations to create compelling publications and helps enterprises turn complex security data into confident strategic decisions.

About Kenna Security
Kenna Security is a leader in predictive cyber risk. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. Kenna leverages Cyber Risk Context Technology™ to track and predict real-world exploitations, focusing security teams on what matters most. Headquartered in San Francisco, Kenna counts among its customers many Fortune 100 companies, and serves nearly every major vertical.

Media & Analyst Contact: 
Matt McLoughlin
Gregory FCA for Kenna Security
Phone: 610-228-2123