What is the vulnerability remediation timeline you have adopted for CVSS >= 7.0 vulnerabilities which are only exposed to your Intranet users (not Internet)?

Security & GRCThreat & Vulnerability Management

Between 6-12 months16%

Between 3-6 months27%

Between 2-3 months17%

Between 1-2 months15%

Between 2 weeks to 1 month12%

Between 1-2 weeks4%

Between 0-1 week6%


903 PARTICIPANTS
3k views3 Upvotes3 Comments
Senior Security and Compliance Auditor in Software, 1,001 - 5,000 employees
7.0 hits my High rating (Medium tops off at 6.9) so it would need to be fully resolved within 30 days (Medium 60 days).  I use the CVSS score as a starting point and then score to my organization so it may lower/raise the score based on a number of risk factors, including Intranet only.
1
CTO in Software, Self-employed
CVSS is a great start, but it lacks context. Here's a few questions to start with evaluating the remediation timeline:

1. Who has access to this vulnerable System? 3rd Party/Contractors? Everyone in The Company? A few Employees?

2. Is accessing the System requires going through VPN or MFA? Is there an audit trail?

3. Are there any Security Controllers deployed before one gets an access this System?

4. Are there any Security Controllers deployed on the System, in case it gets comprised?

5. Is this System contains sensitive data? Can Data be leaked from it?

Validating those points (and more), will help establish a more realistic, breach-oriented approach to the problem at hand.
6
CIO in Finance (non-banking), 51 - 200 employees
Cvss is inadequate. I suggest focus on exploitable vulnerabilities and having capacity to remediate new vulnerabilities that show up in the wild. Monitor aging of exploitables and keep those under 60 days.
1

Content you might like

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & LeadershipStrategy & ArchitectureCloud+57 more
CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
142 19 Replies
Read More Comments
40.6k views131 Upvotes319 Comments

Companies that haven’t yet explored cybersecurity mesh architecture (CSMA) are in danger of falling behind.

Security Strategy & RoadmapRisk ManagementThreat & Vulnerability Management

Strongly agree3%

Agree63%

Neutral21%

Disagree10%

Strongly disagree0%

Unsure1%


413 PARTICIPANTS
850 views

Is NSX micro segmentation a requirement for your Datacenter

Data CenterInfrastructureStrategy & Architecture+1 more

Yes73%

No27%


15 PARTICIPANTS
81 views

Does the risk of Ransomware and malware propagation bother you? Is IoT security a top of mind for you? To protect against many risks, we have witnessed success of micro-segmentation in the data center. Would you be willing to deploy similar solution for the campus? I am very curious to get your feedback?

Security & GRCThreat & Vulnerability Management
Read More Comments
2.6k views5 Upvotes5 Comments

Any recommendations on OT security product? I tried pushing Crowdstrike but it wasn't approved by OEMs. Other two are Claroty and Nozomi. Any feedback either on above two or any other as per your experience?

Security & GRCStrategy & Architecture
Read More Comments
1.8k views1 Upvote2 Comments