Issue 2

Take a Risk-Based Approach to Vulnerability Management

Learn How to Focus Efforts on the Vulnerabilities That Matter Most

Karim Toubba


The average enterprise has 39 million vulnerabilities, with dozens of new ones discovered every day. But these same organizations have limited resources with which to remediate those vulnerabilities. Fortunately, not all vulnerabilities present the same potential risk to the business.

Some vulnerabilities will never be exploited. Some are on systems or in applications that aren’t mission critical. But a smaller, yet meaningful percentage of a firm’s overall vulnerabilities do present a significant potential risk to the business. Risk-based vulnerability management gives organizations a way to quickly identify their high-risk vulnerabilities so security, IT, and development teams can prioritize remediation efforts appropriately.

According to Gartner, “By 2022, organizations that use the risk-based vulnerability management method will suffer 80% less breaches.” [Gartner, Inc., Implement a Risk-Based Approach to Vulnerability Management, Prateek Bhajanka, Craig Lawson, August 21, 2018.]

A risk-based approach helps ensure that the right vulnerabilities are addressed at the right time. After all, no organization can afford to dedicate valuable resources to remediating vulnerabilities that pose little or no threat, and the opportunity cost of not fixing the right vulnerability can be staggering. With a risk-centric strategy, organizations can efficiently focus their security, IT, and development resources and align processes on addressing the critical vulnerabilities that pose the greatest risk to their business.

Karim Toubba, CEO of Kenna Security

Implement a Risk-Based Approach to Vulnerability Management

  • Prateek Bhajanka, Craig Lawson
  • 21 August 2018

A vulnerability is only as bad as the threat exploiting it and the impact on the organization. Security and risk management leaders should rate vulnerabilities on the basis of risk in order to improve vulnerability management program effectiveness. [...]

Market Guide for Vulnerability Assessment

  • Craig Lawson, Prateek Bhajanka
  • 19 June 2018

The VA market is mature, but is being challenged by the need to cover changing device demographics and emerging technologies and better represent true risk. Security and risk management leaders who need VA solutions should use this research to evaluate vendors and improve their security programs. [...]

Kenna Security Content

Prioritization to Prediction: Winning the Remediation Race

Research conducted by Kenna Security and the Cyentia Institute demonstrates how many vulnerabilities a given organization can remediate, and how quickly. This research shows that the playbook for patching vulnerabilities varies widely depending on the industry and complexity of an organization. [...]

How To Manage Vulnerabilities Based on Risk, Rather Than Popularity

Given the stakes of not fixing the right vulnerability and succumbing to a data breach, it’s easy to get caught up in fixing only the vulnerabilities associated with the latest high-profile attack. Sometimes that is called for, sometimes it is not. Here are the four key factors to consider when identifying and prioritizing vulnerabilities. [...]