Balbix Inc., provider of the security industry's first system built for avoiding breaches, today released a report based on Ponemon Institute research evaluating the state of vulnerability and risk management in enterprise environments. Ponemon surveyed 600+ cybersecurity leaders and professionals involved in the evaluation, selection and/or implementation of IT security solutions. The results reveal that the vast majority of organizations are not confident in their ability to avoid major data breaches like Equifax or Marriott, and are specifically struggling with vulnerability management to avoid breaches through unseen or unpatched systems.
"From this research, it is clear that most enterprises recognize not only are they under-resourced in finding and managing their vulnerabilities, but they also have gaps around assessing the risk and getting full visibility across their IT assets," said Larry Ponemon, founder and chairman of Ponemon Institute, "which no doubt led to that low confidence vote in their ability to avoid a data breach."
According to the findings, too many organizations are struggling to maintain an adequate cybersecurity posture and avoid breaches. A key challenge noted is an inability to keep up with basic software vulnerability mitigation and patching - a fundamental but key component of security posture. Key data points include:

- 68% feel that staffing is not adequate for a strong cybersecurity posture
- Only 15% say their patching efforts are highly effective
The low levels of confidence found in the research are in large part because security teams cannot properly resource the management of vulnerabilities - both identifying and patching. This situation has become acute in vulnerability management because of the sheer volume of alerts for unpatched systems:

- 67% feel they do not have the time and resources to mitigate all vulnerabilities in order to avoid a data breach
- 63% say "inability to act on the large number of resulting alerts and actions" is problematic
The result of this mismatch between alert volumes and limited resourcing is postponed patching, no prioritization of actions and a resulting weaker cybersecurity posture:

- 69% scan just once a month or even less frequently
- 49% scan only quarterly or on an ad hoc basis
- 49% said their organization does complete up-to-date patching
When asked how they would like the industry to improve and innovate in vulnerability and risk management, respondents - especially those rated as "high performing organizations" - consistently cited requests for these additional capabilities not found in traditional solutions:

- Automatically discover unmanaged assets (70%)
- Analyze vulnerabilities in IoT, BYOD and third-party systems (64%)
- Analyze both unpatched systems and other attack vectors (60%)
- Receive a risk-based and prioritized list of actions (56%)
- Receive prescriptive fixes per recommended action (52%)
"We are not surprised by these findings from Ponemon Institute's research," said Gaurav Banga, founder and CEO of Balbix. "While respondents' confidence levels in their ability to avoid a breach are obviously troubling, it is clear that most understand the reasons why -- alert volume, limited team resources, lack of visibility across assets, and very limited contextual risk. On the positive side, respondents cite a clear list of capabilities that can help them better see and manage their vulnerabilities, which will eventually improve their overall security posture."
To see this Ponemon research data, download Balbix's report "Challenging State of Vulnerability Management Today," here: https://www.balbix.com/resources/ponemon-report-on-vulnerability-management/