Feeling bogged down trying to remediate all the risk findings your security scanning tools discover? You’re not alone.
The “2023 State of Risk Remediation” report, new Dark Reading research commissioned by Seemplicity, surveyed 108 security professionals across companies with 100 or more employees to glean insight into their risk remediation process. The survey encompassed issues such as the number of security scanning tools companies use, how the security team figures out who should remediate a risk finding, and the obstacles and timelines within the organization’s remediation process.
The “2023 State of Risk Remediation” survey found that:
- It takes nearly 4 weeks to remediate each critical security risk from start to finish. A granular look at the end-to-end risk-reduction process shows remediation life cycles consistently measured in weeks, not days.
- The average organization manages 3 to 5 security tools, which adds complexity and slows down remediation. The data highlights that manual tasks and multiple feeds from disparate scanning tools conspire to drag down speed-to-remediation.
- 49% of security professionals don’t know who to contact to fix risks or verify fixes. Locating the correct “fixer,” getting a response to a remediation request, and verifying successful fixes are top time consumers for most organizations.
- 97% would focus on more meaningful activities, such as proactive security, if remediation weren’t so inefficient. If they weren’t bogged down with ad-hoc, manual, and inefficient processes, respondents said they would be able to focus on actions that prevent incidents, such as additional architecture reviews, threat modeling, and security awareness training.
To analyze the most time-consuming aspects of remediation operations, the research broke the remediation process down into its individual steps and measured how long each step took to complete.
Using this approach, the research was able to identify the bottlenecks in the remediation process and pinpoint where automation should be introduced, not just to accelerate remediation but also to scale it, regardless of the number of security scanning tools in use.
Three key lessons emerged that organizations can act on now to improve risk reduction:
1 – Automate risk reduction workflows so valuable security resources can focus on strategic security initiatives.
Employing judicious automation technology at every point in the remediation process and across disparate scanning and management platforms frees teams to focus on more strategic security initiatives while also improving remediation efficiency and performance.
2 – Acknowledge that remediation has many moving parts.
Effective prioritization and the ability to aggregate related issues into a single remediation ticket are key steps in making risk remediation manageable.
3 – Automate based on industry-proven approaches and knowledge.
An automated remediation workflow tasked with organizational risk reduction is only as good as the security expertise it’s built on.
Download the full research report “The 2023 State of Risk Reduction: A Need for Speed” here.