
Enterprises change how they manage cyber risk

A new report from Zafran Security shows that enterprise risk management is shifting from volume to value, and from patching everything to fixing what matters most.

The study, carried out by Foundry MarketPulse, reveals that only one in 50,000 vulnerabilities actually poses a critical risk — and the ones getting exploited the most are often old, quiet, and ignored.

Nearly three-quarters of respondents (73 percent) consider it highly important for vulnerability management solutions to prioritize risk using IT context, but 81 percent say there are challenges in that process.

Improving risk prioritization is the number one reason for adopting a new vulnerability management solution, cited by 45 percent, followed by enhancing visibility into real-time vulnerability exposure and risk levels (44 percent) and expediting the remediation of vulnerabilities with the highest business impact (40 percent).

“Far too often, organizations default to prioritizing vulnerability patching based solely on CVSS scores, which can create a misleading sense of security,” says Nate Rollings, field CISO at Zafran. “To truly reduce risk, it’s critical to shift toward a modern, risk-based approach that accounts for real-world exploitability, threat intelligence, and existing compensating controls — foundations of smarter exposure management.”

When asked about assessing risk, decision-makers say they most frequently prioritize based on the internet reachability of an asset at risk (62 percent), threat intelligence indicating active exploitation (58 percent), and the business criticality of the IT asset (55 percent).

However, when asked how they rate which vulnerabilities they see as most severe, 59 percent look at whether risk mitigation measures are in place from security defenses, 55 percent the business criticality of an IT asset at risk, 52 percent the reachability of an IT asset at risk from the internet, 48 percent regulatory compliance requirements, and 46 percent threat intelligence, or a known associated threat actor group.

Enterprises are keen to find new solutions, though: 84 percent of organizations say they are increasing their vulnerability management budgets, while 95 percent say they are likely or very likely to adopt a new vulnerability or exposure management platform in the next 12 months.

You can get the full State of Threat Exposure Management 2025 report from the Zafran site.

Image Credit: Nicoelnino/Dreamstime.com

