Oh, the torture of not having a strong risk-based vulnerability management solution in place.
You know what I’m talking about. Relying on ineffective and unmanageable CVSS, homegrown scoring systems, vendor scoring, or a mixture of those options to help you try to prioritize the mountain of vulnerabilities in your environment. It leads to a lot of headaches and not a lot of progress to show.
Even more, it negatively impacts the working relationship between Security and IT, especially when one team is passing over a laundry list of vulnerabilities to the other with minimal context and understanding of business impact.
But it doesn’t have to be this way. Cisco Vulnerability Management (formerly Kenna.VM) takes a risk-based approach to vulnerability prioritization that is fueled by data science, enabling Security and IT teams to focus their limited resources on real risk and remediate more efficiently.
Forrester interviewed five Cisco Vulnerability Management customers (Figure 1) and formed a composite organization based on their characteristics to analyze the financial and operational impacts of Cisco Vulnerability Management. The composite organization is a global organization with $10 billion in annual revenue, 100,000 assets covered by Cisco Vulnerability Management, and 10 security analyst FTEs.
The study uncovered that, after adopting Cisco Vulnerability Management, customers transform their vulnerability management programs by streamlining their security and IT operational efficiency and reducing the likelihood of data breaches.
Let’s dig into the findings.
20% Reduction in Risk of Breach
Breaches. No one likes them, but they exist. Forrester found that Cisco Vulnerability Management reduced the risk of breach by helping the composite organization’s security and IT operation teams prioritize their efforts and focus on the most critical vulnerabilities. In doing so, these teams reduce the time it takes to remediate vulnerabilities and implement automation to proactively address potential security issues. Over three years, the composite organization reduces the risk of breach by 20%, with savings worth $1.5 million.
A senior manager of enterprise vulnerability management in entertainment and media explains, “When you’ve got 100 things to look at and they are all critical, nothing is critical. With [Cisco Vulnerability Management], we are able to say, ‘No, focus on these 10 to 15 things, not 100.’”
12% Increase in Security Analyst Efficiency
With Cisco Vulnerability Management, security analysts focus on the most critical vulnerabilities, optimize how they allocate resources to manage vulnerabilities, and better communicate the importance to their IT teams and leadership. As a result of these benefits, security analysts for the composite organization increase their productivity by 12%, worth about $276,000 over three years.
As stated by the global head of cyber vulnerability management in a financial services organization, “The benefit is not just about reducing [vulnerability] volume, it’s about shifting attention to what really needs to be focused on. The business also understands the criticality and is pushing those remediations. [Cisco Vulnerability Management] helped us improve maturity, reduce risk, and help focus on what’s important.”
Additionally, security teams experience stronger cross-functional communication and collaboration with their IT and leadership teams when using Cisco Vulnerability Management.
“We’ve seen about 14 hours a day of time savings spread out amongst the whole team after you factor in all the back-and-forth explanations through emails, meetings, and leadership briefs,” says a senior manager of enterprise vulnerability management in entertainment and media. “Now, we just point people to a dashboard that leverages the vulnerability intelligence from [Cisco Vulnerability Management].”
7,800 Hours Saved Annually by IT Operations
Oftentimes, Security and IT teams are faced with competing priorities. And when IT is given little context explaining why certain fixes are needed, remediation can slow down.
The Forrester TEI reports that Cisco Vulnerability Management helps the composite organization’s IT teams prioritize the most critical vulnerabilities, saving them time in remediation. Cross-team collaboration between security and IT groups improves, which streamlines operations and empowers IT resources to own more of the vulnerability management process. This saved IT Operations 7,800 hours annually and saved the composite organization $514,000 over three years.
The director of security surveillance and vulnerabilities management told Forrester: “Of the vulnerabilities that are [Cisco Vulnerability Management] related, [our remediation teams] spend at least half the time that they used to spend on vulnerability management. I’d say if they [previously] spent 15 to 20 minutes to understand the vulnerability, open the file, look for the target host, with [Cisco Vulnerability Management], they probably cut that time by half.”
More Benefits Beyond the Numbers
In addition to the quantified findings uncovered, the composite organization saw several unquantified benefits, including improved leadership visibility and communication, as well as improved collaboration between security and IT.
What’s more, Forrester also found that Cisco Vulnerability Management improved the employee experience by helping teams tie their efforts to business impact and reduce manual effort on tedious tasks. “The benefit is not just about reducing [vulnerability] volume, it’s about shifting attention to what really needs to be focused on. The business also understands the criticality and is pushing those remediations,” says a global head of cyber vulnerability management in financial services. “[Cisco Vulnerability Management] helped us improve maturity, reduce risk, and help focus on what’s important.”
Forrester Proves Cisco Vulnerability Management’s Value with 125% ROI Over 3 Years
Forrester’s financial analysis of Cisco Vulnerability Management highlights savings of $2.32 million for the composite organization over a three-year period, and a 125% return on investment (ROI).
Cisco Vulnerability Management uses data science to take a risk-based approach to prioritization, and it’s working. Customers today are no longer guessing where to focus their remediation efforts. They can easily identify the areas of significant risk and take action, leading to quicker time to value.