The purpose of this study, sponsored by X-Force Red, IBM Security’s team of hackers, is to understand the security challenges organizations face across their on-premises and cloud-based vulnerability management programs.
In April 2020, the Ponemon Institute conducted a global survey of 1,848 IT and IT security professionals. Most of the respondents work in enterprise organizations with at least 1000 employees across a variety of industries. Here are the highlights:
The real risk to organizations is that just one unpatched vulnerability can result in a costly data breach or other security exploit. As shown in this research, an average of 779,935 individual vulnerabilities are identified when running scans. Over the course of six months, an average of 28 percent of these vulnerabilities remain unmitigated. Organizations in this research have an average backlog of 57,555 identified vulnerabilities.
Prioritization and remediation management are critical to an effective vulnerability management program. However, as shown in this research, organizations have difficulty identifying, prioritizing and patching, in a timely manner, the vulnerabilities that pose the most risk. As a consequence, organizations face the threat of a criminal compromise.
The Ponemon Institute surveyed 1,848 IT and IT security professionals about vulnerability management in the following regions: North America, EMEA, Asia-Pac and Latin America. In this report, we present the consolidated global findings.
Most respondents are responsible for securing systems (60 percent), patching vulnerabilities (53 percent), evaluating vendors (38 percent) and setting priorities (38 percent). All organizations represented in this study use the following cloud services: SaaS (58 percent), PaaS (41 percent) and IaaS (47 percent).
In this section, we present an analysis of the key findings. The complete audited findings are presented in the Appendix of this report. The findings are organized by the following themes:
- Patching is too little, too late
- Problems with current remediation management practices
- Vulnerability management in the cloud vs. on-premises
- Container security challenges
- Conclusion: The X-Force Red Point of View