Report reveals critical role of cybersecurity practices and SLAs in vulnerability management

75% of US and UK firms fail to respond to critical vulnerabilities within 24 hours.

Friday, 12th July 2024, by Phil Alsop

Intigriti has published Sharpening SLAs for Vulnerability Management, a new report highlighting the need for strong cybersecurity practices and service-level agreements (SLAs) for vulnerability management. This report combines qualitative and quantitative research, featuring insights from 250 infosecurity professionals—including CIOs, CTOs, security analysts, and engineers—across 12 industries in the UK and the US.

The UK demonstrates a more rapid response and remediation rate for critical vulnerabilities, suggesting a more proactive and efficient approach to cybersecurity threats. Conversely, the US excels in automation, vendor collaboration, and conducting thorough cost-benefit analyses, indicating a more strategic and comprehensive approach.

Key findings include:

Vulnerability management challenges and regional differences

Initial acknowledgment: Globally, 75% of businesses fail to respond to critical vulnerabilities within 24 hours—consequences could include customer dissatisfaction, loss of business, and reputational damage

In the UK, 29% respond within 24 hours compared to 20% in the US

Mitigation: More UK respondents (82%) aim to resolve a critical to exceptional vulnerability within 15 days compared to the US (69%)—a promising start, but more organisations should aim for this target

Disclosure: The UK is also faster at disclosure, with 73% disclosing a vulnerability within 15 days versus 66% in the US

Stakeholder consultation when assessing critical vulnerabilities

Over half (52%) of companies skip consulting their executive leadership when facing critical vulnerabilities, and only 44% involve legal and risk management teams. This oversight is concerning, as regulatory bodies must be informed about such vulnerabilities.

Additionally, 36% don’t consult IT infrastructure teams, missing out on the expertise of network engineers, system administrators, and application developers. These professionals could help speed up the mitigation process, as they may have written the code from which the vulnerability arose.

Supply chain relationships and cost-benefit tracking

43% of organisations fail to conduct regular cost-benefit analyses to weigh up vulnerability remediation expenses against the costs of a data breach. The US outperforms the UK in this area, with 65% of organisations conducting analysis regularly (i.e. annually) compared to 47% in the UK. Such analysis is crucial for ensuring safety and justifying cybersecurity investments.

There are also big reporting gaps: two-thirds (66%) of US respondents automate tracking and reporting on compliance with disclosure SLAs for contracted vendors, compared to just 32% in the UK. Nearly half (49%) of UK respondents rely on manual reporting.
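As an added illustration, not code from the report or from Intigriti, the following script automates the kind of SLA compliance tracking the reporting gap above refers to, using the three windows quoted in the key findings (24-hour acknowledgment, 15-day mitigation, 15-day disclosure). The Finding record shape and the sample findings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# SLA windows quoted in the report: acknowledge a critical finding within 24 hours,
# mitigate it within 15 days and disclose it within 15 days of being reported.
SLA = {"acknowledge": timedelta(hours=24), "mitigate": timedelta(days=15), "disclose": timedelta(days=15)}
STAGE_FIELD = {"acknowledge": "acknowledged", "mitigate": "mitigated", "disclose": "disclosed"}


@dataclass
class Finding:  # assumed record shape; a real tracker would pull this from a ticketing system
    ident: str
    severity: str
    reported: datetime
    acknowledged: Optional[datetime] = None
    mitigated: Optional[datetime] = None
    disclosed: Optional[datetime] = None


def stage_status(finding, stage, now):
    """'met'/'breached' once the stage is done; 'open'/'overdue' while it is still pending."""
    deadline = finding.reported + SLA[stage]
    done = getattr(finding, STAGE_FIELD[stage])
    if done is not None:
        return "met" if done <= deadline else "breached"
    return "overdue" if now > deadline else "open"


def sla_report(findings, now):
    """Per-stage counts for critical findings; overdue-but-open items count as misses in the rate."""
    report = {}
    for stage in SLA:
        counts = {"met": 0, "breached": 0, "overdue": 0, "open": 0}
        for f in findings:
            if f.severity == "critical":
                counts[stage_status(f, stage, now)] += 1
        decided = counts["met"] + counts["breached"] + counts["overdue"]
        counts["compliance"] = counts["met"] / decided if decided else None
        report[stage] = counts
    return report


# Constructed sample data, not real findings.
T = datetime(2024, 7, 1, 9, 0)
SAMPLE = [
    Finding("VULN-1", "critical", T, T + timedelta(hours=3), T + timedelta(days=10), T + timedelta(days=14)),
    Finding("VULN-2", "critical", T, T + timedelta(hours=30), T + timedelta(days=20)),  # late at every stage
    Finding("VULN-3", "critical", T + timedelta(days=5)),  # never acknowledged
    Finding("VULN-4", "medium", T, T + timedelta(days=3)),  # not in scope for critical SLAs
]
NOW = T + timedelta(days=16)
if __name__ == "__main__":
    print(sla_report(SAMPLE, NOW))
```

Items that are still open but past their deadline are counted against the compliance rate, so an unacknowledged report cannot hide in the "open" bucket.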

Building trust with transparency

More positively, 88% of respondents share SLAs—66% with external stakeholders. The remaining 12% cite compliance concerns (6%), minimizing PR issues (5%), and withholding knowledge from competitors (4%) as reasons not to share SLAs. Taking a more proactive cybersecurity stance is itself a competitive advantage and fosters trust with customers and new business prospects, so these fears are misguided.

Commenting on this news, Stijn Jans—CEO and Founder at Intigriti—said: “At Intigriti, we understand the immense pressure on cybersecurity leaders to defend against a rapidly evolving threat landscape with limited resources. Still, failing to plan is planning to fail, which is why SLAs are so crucial for protecting against cyber threats. Our report provides clear and actionable standards for performance and accountability, giving businesses a competitive edge in the process. By equipping security teams with tools and knowledge, we can turn vulnerabilities into victories. Collectively, we can ensure a safer digital future for all—but there’s no time left to waste.”

Thankfully, cybersecurity budgets are increasing, with Gartner predicting a 14.3% rise in global security and risk management spending—reflecting the need to address expanding attack surfaces and comply with new regulations. As well as new research, the report outlines the diary of a disclosure, illustrating the journey to an effective response. Key takeaways include:

More urgency is needed for the initial response to vulnerability reports

Structured and measurable actions are vital for protecting against evolving cyber threats

Ethical hackers can help security teams detect vulnerabilities faster

Protective measures against cyber criminals must be equally dynamic and robust
