The State of Vulnerability Management Policy

Mechelle Johnson Cobb May 19, 2015

Security policy: the time-consuming and usually frustrating process of mapping an organization’s goals and risk tolerance to a set of governing security practices and controls; typically viewed as a necessary evil for a mature security organization. But taking the time to codify and follow a formal security policy has its benefits. In a recent Skybox survey of nearly 1000 IT security professionals, we saw a direct correlation between organizations that have a formal vulnerability management policy and satisfaction with the results of their vulnerability management programs.

For a comprehensive analysis of survey findings, download the 2015 Enterprise Vulnerability Management Trends Report.

Respondents of the 2015 Enterprise Vulnerability Management Trends Survey represent a variety of industries, organization sizes, and IT roles from businesses and government organizations around the world. Survey results revealed several insights to challenges and trends within vulnerability management. But the role of formalized policy—one that provides documented and audited methodology for vulnerability assessment (scanning), analysis, prioritization, and remediation—stood out as a clear indicator of a means to improve program satisfaction.

  • I Can’t Get No Satisfaction … without formal vulnerability management policy

Mick Jagger may not have been talking security—but the words are true nonetheless. Respondents who perform vulnerability management tasks without having a formal policy in place were much more likely to “get no satisfaction” from their vulnerability management programs.  Only 14 percent of those with no policy (activities performed on an ad-hoc basis) were satisfied, and 38 percent of those with an informal policy (activities routine but not well defined or monitored) reported satisfaction. Compare that to respondents working with a formal policy who reported the highest level of program satisfaction at 67 percent.
VM policy + satisfaction

  • Who’s Harnessing the Power of Policy?

Having a formal policy in place is a good indicator of a mature vulnerability management program, yet only 50 percent of all enterprise organizations (more than 500 employees) have formal vulnerability management policy in place. That figure rose to 63 percent for “supersized” enterprises (more than 5,000 employees).
VM policy + enterprise size

  • Policy from Assessment to Remediation

Survey respondents indicated the importance of formal policy as related to program satisfaction through all stages of the vulnerability management process, from vulnerability assessment, to analysis and prioritization, and finally remediation.

Notably, the biggest gap in satisfaction lies in vulnerability assessment (scanning) capabilities: 67 percent satisfaction reported for those with formal policy vs. 33 percent for those with informal or no policy.

VM policy maturing + satisfaction

  • You Can’t Always Get What You Want … without laying the proper foundation first

If you’re not on board with the need for formal policy yet, you should be. Written, monitored, and consistent policy is a surefire way to build a solid foundation for a vulnerability management program unique to your organization, resources, and challenges.

While developing formal policy carries the attractive price tag of zero dollars, it does of course require an investment of time. But for managers hesitant to take any time away from security firefighting, consider how policy can help create a proactive, integrated security program for efficient and effective daily tasks. Benefits of consistent practices include:

  • Increased cost savings through efficiency and prioritization
  • Reduced business risks with set processes to maintain daily operations and respond to emerging threats in real time
  • Improved processes to drive down business disruption
  • Better communication between teams to improve response time and avoid security gaps


For detailed insight to vulnerability management on an enterprise scale, check out Gartner’s Vulnerability Assessment Technology and Vulnerability Management Practices. And for optimizing your vulnerability management policy beyond scanning, put on your favorite Rolling Stones album, and download Skybox’s Best Practices for Vulnerability Management.

Michelle Johnson Cobb is a technology marketing leader with a passion for driving success for emerging products. Prior to Skybox Security, Cobb held executive marketing roles in computer security, networking, and enterprise software companies, including McAfee, Tumbleweed Communications, and several startups. Cobb received her MBA with high distinction from the University of Michigan Ross School of Business and a Bachelor of Science in Computer Science also from the University of Michigan.

Recent Posts

Functional silos create dysfunctional OT security
Read More
What’s new in the Skybox Security version 11.5 release
Read More
Cryptomining is hottest new malware type, research reveals
Read More
Three ways to modernize your OT security programs
Read More
How to manage third-party cyber risk in banking and financial services
Read More
Vulnerability and Threat Trends Report highlights the importance of cyber exposure analysis that goes beyond CVSS rating
Read More