Hackuity research: Rising CVEs stress security teams

Hackuity, the risk-based vulnerability management provider, released new research revealing the mounting pressure on security teams as they struggle to keep pace with the rising number of CVEs (Common Vulnerabilities and Exposures). 

The Vulnerability Management Report explores the challenges of vulnerability mafnagement and includes insights from 200 IT security decision-makers across the UK and APAC. 

Additional strain

As the number of CVEs continues to rise, nearly half (46%) of respondents say that the volume has placed additional strain on their security teams’ resources impacting not only organisational security but also staff wellbeing.

One in four, 26%, admit this pressure has contributed to a data breach, while more than a third, 36%, report it resulted in a regulatory fine. Over a third (36%) also say it has delayed incident response, and 33% report missed security alerts as a result. In terms of the human impact, 38% report that it has led to burnout within the team.  

Knock-on effect

Commenting on the findings, Sylvain Cortes VP Strategy at Hackuity said: “We know that teams are feeling the pressure right now - but what’s most concerning is the knock-on effect this is having on organisations and on the team’s well-being.”

“From missed alerts to fines, there are real consequences at play when vulnerabilities aren’t managed in a way that’s making the best use of team’s time and expertise. The nonstop flood of alerts isn’t just stressful, it’s costly.”

The ability to process and manage vulnerabilities has become ever more critical. Whilst most organisations, 77%, report that they have formalised vulnerability remediation processes in place for identifying vulnerabilities, only 36% have a risk-based approach as the primary method, where vulnerabilities are based on asset criticality‚ exploitability and business impact. 

Key findings

It also seems that there is more work to do in moving vulnerability management (VM) higher up the agenda as 60% of respondents reported that it does not receive the same focus as other IT security projects. 

Additional key findings from the report include:

• Critical Vulnerabilities take on average four weeks to remediate:  The mean time to remediation (MTTR) for critical vulnerabilities is four weeks, on average. However, one in five organisations (21%) report that it can take between one and three months to remediate critical vulnerabilities. 
• The barriers to VM: operational and budget constraints: Although respondents recognise the strain of vulnerability management, they are hindered by operational (43%) and budget (41%) constraints. The issue of staff and skills shortages also play a part with 29% of respondents citing lack of skills within the team and a quarter reporting that high staff turnover prevents them from making improvement to VM practices.

Sylvain Cortes continues: “Security leaders need to look at how they’re equipping their teams to make sure they can keep pace with the rising volume and complexity of vulnerabilities. Without context and intelligence around the alerts, they risk wasting valuable time and resources chasing down threats or missing alerts that could pose the greatest risk for their organisation.”