Ponemon Study on the Challenging State of Vulnerability Management

Press Release —

Ponemon Study: Only 1 in 3 Organizations Are Confident They Can Avoid Data Breaches

Report Commissioned by Balbix Reveals Challenging State of Enterprise Vulnerability Management, Evidenced by Delayed Patching in 69% and Inability to Act on Alerts in 63% of Organizations

SAN JOSE, Calif., — Balbix Inc., provider of the security industry’s first system built for avoiding breaches, today released a report based on Ponemon Institute research evaluating the state of vulnerability and risk management in enterprise environments. Ponemon surveyed 600+ cybersecurity leaders and professionals involved in the evaluation, selection and/or implementation of IT security solutions. The results reveal that the vast majority of organizations are not confident in their ability to avoid major data breaches like Equifax or Marriott, and are specifically struggling with vulnerability management to avoid breaches through unseen or unpatched systems.

“From this research, it is clear that most enterprises recognize not only are they under-resourced in finding and managing their vulnerabilities, but they also have gaps around assessing the risk and getting full visibility across their IT assets,” said Larry Ponemon, founder and chairman of Ponemon Institute, “which no doubt led to that low confidence vote in their ability to avoid a data breach.”

According to the findings, too many organizations are struggling to maintain adequate cybersecurity posture and avoid breaches. A key challenge noted is an inability to keep up with basic software vulnerability mitigation and patching – a fundamental but key component of security posture. Key data points include:

  • 68% feel that staffing is not adequate for a strong cybersecurity posture
  • Only 15% say their patching efforts are highly effective

The low levels of confidence found in the research is in large part because security teams cannot properly resource the management of vulnerabilities – both identifying and patching. This situation has become acute in vulnerability management because of the sheer volume of alerts for unpatched systems:

  • 67% feel they do not have the time and resources to mitigate all vulnerabilities in order to avoid a data breach
  • 63% say “inability to act on the large number of resulting alerts and actions” is problematic

The result of this mismatch between alert volumes and limited resourcing is postponed patching, no prioritization of actions and a resulting weaker cybersecurity posture:

  • 69% scan just 1x/month or even less frequently
  • 49% scan only quarterly or on ad hoc basis
  • 49% said their organization does complete up-to-date patching

When asked how they would like the industry to improve and innovate in vulnerability and risk management, respondents – especially those rated as “high performing organizations” – consistently cited requests for these additional capabilities not found in traditional solutions:

  • Automatically discover unmanaged assets (70%)
  • Analyze vulnerabilities in IoT, BYOD and third-party systems (64%)
  • Analyze both unpatched systems and other attack vectors (60%)
  • Receive a risk-based and prioritized list of actions (56%)
  • Receive prescriptive fixes per recommended action (52%)

“We are not surprised by these findings from Ponemon Institute’s research,” said Gaurav Banga, founder and CEO of Balbix. “While respondents’ confidence levels in their ability to avoid a breach is obviously troubling, it is clear that most understand the reasons why — alert volume, limited team resources, lack of visibility across assets, and very limited contextual risk. On the positive side, respondents cite a clear list of capabilities that can help them better see and manage their vulnerabilities, which will eventually improve their overall security posture.”

To see this Ponemon research data, download Balbix’s report “Challenging State of Vulnerability Management Today,” here: https://www.balbix.com/resources/ponemon-report-on-vulnerability-management/


Balbix commissioned the Ponemon Institute to survey over 600 cybersecurity professionals across 15+ vertical industries. 72% of respondents worked at companies with more than 1,000 employees.

About Balbix

The Balbix breach avoidance platform, BreachControl™, is the industry’s first system to leverage specialized artificial intelligence (AI) to provide comprehensive and continuous predictive assessment of breach risk. Visualized via a searchable and clickable risk heat-map, it is designed for CISOs, CIOs and IT security teams. BreachControl can forecast critical breach scenarios and prioritize/recommend fixes by business risk, improving security operations, compliance and cyber-resilience. Learn more at www.balbix.com<.

For more information, contact:

Kim Diesel
10Fold for Balbix