Gartner Blog Network


We Scan and We Patch, but We Don’t Do Vulnerability Management

by Anton Chuvakin  |  May 14, 2018

Lately, we’ve been flooded with calls about vulnerability management (VM). Many of the calls seem to be from organizations of medium to low security operations maturity that are just starting with vulnerability management [and that’s OK; a wise mentor once told me to always remember that “90% of people are not in the top 10 percentile!” :-)]

Many of them say something similar to “we scan and we patch, but we don’t do vulnerability management.” Essentially, they are coming to a realization that I often like to summarize as “VA (vulnerability assessment) is easy, but VM is hard.”

Of course, we have a lot of excellent research written on this topic:

The first paper has a lot of juicy and usable VM advice for all levels of security maturity, and this post is a reminder about these great resources. However, I also want to ponder one specific bit.

Imagine the following situation:

You have 1000 vulnerabilities, and you can … to get …

- fix all 1000: A WIN [but no organization is in this position, NONE, 0]
- fix any 10 of them: nothing, since your overall risk posture is probably unchanged
- fix any 100 of them: unknown and likely small risk reduction
- fix some 900 of them: significant risk reduction, but very likely at a significant cost
- fix 100 of them that are called CRITICAL (via CVSS, vendor, etc.): some risk reduction, for sure, but often not as much as expected
- fix 100 of them that are of absolute highest risk to this organization: I’d argue that there is a decent chance that this delivers the best risk reduction per unit of cost!

Note that in none of these situations is “JUST PATCH FASTER!” the right advice! IMHO, most organizations should “patch smarter” (which really means “prioritize what to patch better”), because frankly most cannot patch faster.

The tough question is of course: how *EXACTLY* do we rank the vulnerabilities for maximum risk reduction for your particular organization at this time? We have seen many methods come and go: some effective but onerous, some both ineffective and onerous, some effective but unrealistic, and some based on wishful thinking (read: AI) :-)
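To make the difference between the last two rows of the table concrete, here is an added illustration that is not part of the original post and not a Gartner method: a small, constructed inventory of ten vulnerabilities (standing in for the 1000 above) ranked two ways, by vendor/CVSS severity alone and by a hypothetical organization-specific score that also weighs internet exposure, public exploit availability and asset criticality. The weights, the inventory and the notion of “modeled risk” are assumptions chosen for the demonstration, not a standard or a measured result.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set


@dataclass(frozen=True)
class Vuln:
    vid: str                # identifier (constructed, not a real CVE)
    cvss: float             # vendor/NVD base score, 0-10
    internet_facing: bool   # asset reachable from the internet
    exploit_public: bool    # working exploit known to be available
    asset_criticality: int  # 1 = low, 2 = medium, 3 = crown jewel


# Hypothetical weights for the organization-specific score (assumption, not a standard).
EXPOSURE_WEIGHT = 2.0
EXPLOIT_WEIGHT = 2.0


def contextual_risk(v: Vuln) -> float:
    """Organization-specific risk: CVSS scaled by exposure, exploitability and asset value."""
    score = v.cvss
    if v.internet_facing:
        score *= EXPOSURE_WEIGHT
    if v.exploit_public:
        score *= EXPLOIT_WEIGHT
    return score * v.asset_criticality


def top_n(vulns: Iterable[Vuln], n: int, key: Callable[[Vuln], float]) -> List[str]:
    """IDs of the n vulnerabilities ranked highest by `key` (ties keep inventory order)."""
    return [v.vid for v in sorted(vulns, key=key, reverse=True)[:n]]


def risk_reduction(vulns: Iterable[Vuln], fixed_ids: Set[str]) -> float:
    """Share of total modeled (contextual) risk removed by fixing the given IDs."""
    vulns = list(vulns)
    total = sum(contextual_risk(v) for v in vulns)
    removed = sum(contextual_risk(v) for v in vulns if v.vid in fixed_ids)
    return removed / total


# Constructed sample inventory: high CVSS does not line up with high organizational risk.
INVENTORY = [
    Vuln("V-01", 9.8, internet_facing=False, exploit_public=False, asset_criticality=1),
    Vuln("V-02", 9.1, internet_facing=False, exploit_public=False, asset_criticality=1),
    Vuln("V-03", 9.0, internet_facing=True,  exploit_public=False, asset_criticality=1),
    Vuln("V-04", 7.5, internet_facing=True,  exploit_public=True,  asset_criticality=3),
    Vuln("V-05", 6.5, internet_facing=True,  exploit_public=True,  asset_criticality=3),
    Vuln("V-06", 8.8, internet_facing=False, exploit_public=True,  asset_criticality=2),
    Vuln("V-07", 5.3, internet_facing=True,  exploit_public=False, asset_criticality=3),
    Vuln("V-08", 4.3, internet_facing=False, exploit_public=False, asset_criticality=1),
    Vuln("V-09", 9.8, internet_facing=False, exploit_public=False, asset_criticality=2),
    Vuln("V-10", 7.2, internet_facing=False, exploit_public=False, asset_criticality=1),
]


def compare(budget: int = 3) -> dict:
    """Fix `budget` items chosen by CVSS vs. by contextual score; report modeled risk removed."""
    by_cvss = set(top_n(INVENTORY, budget, lambda v: v.cvss))
    by_context = set(top_n(INVENTORY, budget, contextual_risk))
    return {
        "cvss_picks": sorted(by_cvss),
        "cvss_reduction": risk_reduction(INVENTORY, by_cvss),
        "context_picks": sorted(by_context),
        "context_reduction": risk_reduction(INVENTORY, by_context),
    }


if __name__ == "__main__":
    result = compare(3)
    print(f"Fix top 3 by CVSS       {result['cvss_picks']}: "
          f"{result['cvss_reduction']:.0%} of modeled risk removed")
    print(f"Fix top 3 by context    {result['context_picks']}: "
          f"{result['context_reduction']:.0%} of modeled risk removed")
    arbitrary = {"V-02", "V-08", "V-10"}
    print(f"Fix an arbitrary 3      {sorted(arbitrary)}: "
          f"{risk_reduction(INVENTORY, arbitrary):.0%} of modeled risk removed")
```

With the same patching budget, the CVSS-only pick spends it on 9.x findings sitting on isolated, low-value hosts, while the contextual pick lands on the internet-facing crown-jewel systems with public exploits. The numbers only mean anything relative to the model, but that is the point of the exercise: whatever scoring you adopt has to encode what is exposed and what matters in your environment, or the “top 100 CRITICAL” list will not buy the risk reduction you expect.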

Past posts on vulnerability management:

Category: security  vulnerability-management  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio



