Vulnerability management mistakes CISOs still make

These common missteps and misconceptions may be keeping your vulnerability management from being the best it can be.


Multiple breaches, including the massive 2017 data breach at the credit reporting agency Equifax, have been traced back to unpatched vulnerabilities—a 2019 Tripwire study found that 27% of all breaches were caused by unpatched vulnerabilities, while a 2018 Ponemon study put the number at a jaw-dropping 60%.

That shouldn’t surprise anyone in the security space: The number of vulnerabilities identified each year has risen for the past several years.

At the same time, security teams have been stretched thin as they’ve been busy enabling secure remote work and addressing other pandemic-related needs, all while dealing with a staffing crunch.

As a result, improving the vulnerability management program is not always a top priority.

Yet veteran security chiefs say they see common mistakes and missteps that can and should be addressed to strengthen these programs. Here are 10 mistakes they say CISOs still frequently make:

1. Failing to get executive backing

The work required for a good vulnerability management program extends well beyond the security team. Risk decisions require executive input, patching takes IT expertise, and scheduled downtime for updates impacts multiple business functions.

Consequently, CISOs need buy-in from multiple players in the organization to do this task well, and they’re more likely to get that buy-in when they have support for those efforts from the senior-most leaders within the enterprise, says Michael Gray, CTO of managed services provider Thrive.
