Costs and Consequences of Gaps in Vulnerability Response

Ponemon Institute is pleased to present the findings of the second study on vulnerability and patch management. As shown in this research, the severity and volume of cyberattacks is increasing. However, most organizations are not comparably enhancing their abilities to prevent hackers from exploiting attack vectors. In fact, it’s taking longer to detect and longer to patch critical vulnerabilities than last year. The cost and consequences of this failure are myriad. Thirty-nine percent of respondents say their organizations were aware that actual breaches were linked to known vulnerabilities, an increase from 34 respondents in last year’s study. This indicates that more focus should be paid to vulnerability response for businesscritical assets. On the upside, organizations that are using automation are getting better at patching.

With sponsorship from ServiceNow, Ponemon Institute surveyed almost 3,000 IT security professionals in the United States, United Kingdom, Germany, France, Netherlands, Australia/New Zealand, Singapore and Japan to understand how organizations are responding to vulnerabilities. In this report, we present the consolidated findings and comparisons to the 2018 study.

According to the findings, organizations seem to be keeping to the status quo in their approaches to patching. As a consequence, they are not achieving significant improvements in their ability to quickly detect and patch vulnerabilities and keep ahead of the attackers. Respondents were asked to rate their organizations’ ability to quickly detect vulnerabilities, prevent threats and patch vulnerabilities in a timely manner on a scale from 1 = low ability to 10 = high ability. This year, 50 percent of respondents rate their detection capabilities as very high and only 44 percent say they have a high ability to patch in a timely manner, a very slight increase from last year’s research.