Top vulnerability management challenges for organizations

Organizations understand vulnerability management is essential to identifying cyber-risks, but coordinating teams, tools and handling CVEs keeps the pressure on.

Many organizations struggle with collaboration, tools integration, keeping up with vulnerability volume and prioritizing remediation actions. Time is not on their side.

NIST defines a vulnerability as "weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source."

A typical enterprise organization could have hundreds of thousands, or even millions of information systems -- including endpoint devices, network configurations, digital identities, lines of code, APIs, cloud-based workloads and more. Given human behavior and the foibles of software, it's safe to assume large organizations have thousands of vulnerabilities at any one time. Some of these vulnerabilities aren't worth bothering with, while exploiting others could give cyberadversaries the keys to the kingdom.

Monitoring, identifying, analyzing and prioritizing vulnerabilities is the foundation of a cybersecurity program and has been for years. Regulators get this, as many government and industry regulations mandate strong vulnerability management. CISOs also understand this, heading up vulnerability management efforts and tracking results. Executives and corporate boards understand this too. CISOs are often asked to present the latest vulnerability status to the board on a quarterly basis.


Everyone seems to understand just how important vulnerability management is for identifying and mitigating cyber-risks to the business. Unfortunately, this recognition doesn't translate into Swiss clock precision. Vulnerability management continues to be fraught with challenges, according to soon-to-be-published research from TechTarget's Enterprise Strategy Group.

The following are some of the top challenges respondents cited.

1. Coordinating vulnerability management across different teams

The general division of labor is that security teams perform vulnerability scans, analysis and prioritization, while other teams -- e.g., IT operations, software development, DevOps -- remediate vulnerabilities by changing configuration settings, altering user entitlements, fixing software bugs or applying software patches. Different groups have different goals, priorities and compensation models, so coordination across these groups requires hands-on leadership from the top. Otherwise, the term "herding cats" comes to mind.

2. Coordinating vulnerability management processes across different tools

Of course, different groups use different tools and technologies. Cloud developers and operations teams likely use cloud security posture management tools from vendors that include Orca Security, Palo Alto Networks, Trend Micro and Wiz; software developers manage projects with Jira; IT operations teams use ServiceNow; and different organizations communicate internally using Slack and Teams.

The security team itself uses a variety of tools -- including attack surface management, endpoint detection and response and cyberthreat intelligence -- as part of the vulnerability management process. Collecting, processing and analyzing data from all these systems can be difficult, and once this is done, technologies must be integrated for synchronized vulnerability remediation and risk mitigation. Unfortunately, many organizations still rely on glue and spreadsheets.

3. Keeping up with the volume of open vulnerabilities

As previously mentioned, large enterprises have thousands of open CVEs at any time, and the status of these CVEs changes all the time. Organizations are often overwhelmed by this task. Many employ a "crown jewel" strategy by focusing their efforts on monitoring, identifying and remediating vulnerabilities on their most critical business systems. That's a good idea in principle, but what about all of the systems connected to the most critical systems, and the assets that connect to the systems connected to the most critical systems? Obviously, this quickly becomes extremely complex.

4. Understanding asset exploitability, exposure and impact on critical systems in an environment

This challenge is especially prominent this year; my friends at Gartner have dubbed the process threat exposure management. Think of it this way: A subset of all CVEs have been exploited or are actively being exploited at any time. It is incumbent upon security staff to know which CVEs are at risk and whether they are present on critical business systems or on assets with direct and legitimate access to these systems. Sound confusing? It is.

5. Determining which vulnerabilities to prioritize for remediation

Assuming an organization works through the intersection between vulnerabilities and exploits, it must decide which ones present the biggest risk to the business, create a prioritization list, then work with other groups on remediation. Many organizations create vulnerability classes such as critical, high, medium, low and informational, but these categories are often subjective, and vulnerabilities can change categories over time. Again, group dynamics come into play as well.
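Challenges 3, 4 and 5 describe one computation: take each open finding, ask whether the CVE is known to be exploited, how close the affected asset sits to a crown jewel (directly, one hop away, two hops away) and whether it is exposed, then turn that into a reproducible priority instead of a subjective label. The following is an added example, not code from this article or from Enterprise Strategy Group; the asset names, the connection graph, the placeholder CVE identifiers (CVE-0000-000x), the CVSS values and the weights are all constructed for illustration, and the `known_exploited` flag stands in for whatever exploited-in-the-wild feed an organization subscribes to.

```python
"""Risk-based vulnerability prioritization over a small, constructed inventory.

Added example, not the article's or ESG's code. Every asset, connection,
CVE identifier (CVE-0000-000x are placeholders), CVSS score and weight below
is constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    crown_jewel: bool            # one of the "most critical business systems"
    internet_facing: bool        # directly reachable from outside
    connects_to: list = field(default_factory=list)  # assets this one can reach


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float                  # base score as reported by the scanner
    known_exploited: bool        # listed in an exploited-in-the-wild feed


def hops_to_crown_jewel(assets: dict, start: str):
    """Breadth-first search along 'connects_to' edges.

    Returns 0 if the asset is itself a crown jewel, the number of hops to the
    nearest crown jewel otherwise, or None if no crown jewel is reachable.
    This makes the "systems connected to the critical systems, and the assets
    that connect to those" chain explicit instead of leaving it to intuition.
    """
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        name, dist = queue.popleft()
        if assets[name].crown_jewel:
            return dist
        for nxt in assets[name].connects_to:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


# Constructed weights: closeness to a crown jewel scales the base score,
# known exploitation inflates it, and internet exposure adds a flat bump.
REACH_FACTOR = {0: 1.0, 1: 0.8, 2: 0.6}
FAR_FACTOR = 0.3
EXPLOITED_FACTOR = 1.5
EXPOSURE_BONUS = 1.0


def score(finding: Finding, asset: Asset, hops) -> float:
    """Combine CVSS, exploitability, reachability and exposure into a 0-10 score."""
    reach = REACH_FACTOR.get(hops, FAR_FACTOR)
    exploit = EXPLOITED_FACTOR if finding.known_exploited else 1.0
    raw = finding.cvss * exploit * reach
    if asset.internet_facing:
        raw += EXPOSURE_BONUS
    return round(min(10.0, raw), 2)


def tier(s: float) -> str:
    """Map a score onto critical/high/medium/low with fixed cut-offs, so the
    class is reproducible rather than subjective and can be re-derived as
    exploitation status or the asset graph changes."""
    if s >= 8.0:
        return "critical"
    if s >= 6.0:
        return "high"
    if s >= 4.0:
        return "medium"
    return "low"


def prioritize(assets: dict, findings: list) -> list:
    """Return (cve, asset, score, tier) tuples, highest risk first."""
    ranked = []
    for f in findings:
        hops = hops_to_crown_jewel(assets, f.asset)
        s = score(f, assets[f.asset], hops)
        ranked.append((f.cve, f.asset, s, tier(s)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


# Constructed inventory: an ERP database is the crown jewel; an internet-facing
# app server talks to it; a jump host reaches the app server; a dev laptop is isolated.
ASSETS = {
    "erp-db": Asset("erp-db", crown_jewel=True, internet_facing=False),
    "app-server": Asset("app-server", crown_jewel=False, internet_facing=True, connects_to=["erp-db"]),
    "jump-host": Asset("jump-host", crown_jewel=False, internet_facing=False, connects_to=["app-server"]),
    "dev-laptop": Asset("dev-laptop", crown_jewel=False, internet_facing=False),
}

# Constructed findings with placeholder CVE identifiers.
FINDINGS = [
    Finding("CVE-0000-0001", "dev-laptop", cvss=9.8, known_exploited=False),
    Finding("CVE-0000-0002", "app-server", cvss=7.5, known_exploited=True),
    Finding("CVE-0000-0003", "erp-db", cvss=6.5, known_exploited=False),
    Finding("CVE-0000-0004", "jump-host", cvss=8.8, known_exploited=True),
]

if __name__ == "__main__":
    for cve, asset, s, t in prioritize(ASSETS, FINDINGS):
        print(f"{cve}  {asset:<11} score={s:<5} {t}")
```

The ranking this produces is the point of the exercise: the CVSS 9.8 finding on the isolated dev laptop lands at the bottom as "low", while a CVSS 7.5 finding that is known to be exploited, on an internet-facing server one hop from the ERP database, comes out on top as "critical". A scanner sorting by CVSS alone would order them the other way round. Re-running `prioritize` whenever the exploited-in-the-wild feed or the asset graph changes is also how a finding moves between classes over time without anyone re-judging it by hand.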

Organizations can certainly improve their vulnerability management processes through best practices. The SANS Vulnerability Management Maturity Model provides a good recipe for doing so. Still, the complexity, details and cooperative processes necessary continue to challenge many firms. Facing an ever-growing attack surface and voluminous threats, optimizing vulnerability management should be a top priority for all CISOs.

Jon Oltsik is analyst emeritus and founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
