-- Not all vulnerabilities and threats need to be identified and tracked --
just those that are relevant to the organization's IT assets.
-- Not all vulnerabilities and threats need to be addressed with the same
degree of urgency -- prioritization should be determined based on the level
of risk and the business value of the IT assets in question.
-- Not all remediation needs to be based on deployment of software patches
or configuration updates (although these processes should be automated to a
much higher degree than that currently indicated by the research) --
compensating controls can also be considered in circumstances other than
those where no patches or updates are available.
"Aberdeen's research confirms that improving capabilities in assessing,
prioritizing, and remediating threats and vulnerabilities pays off in two
ways," said Derek E. Brink, vice president and research fellow for IT
Security, Aberdeen. "First, it reduces the costs inflicted by the flood of
new threats and vulnerabilities that emerge on a weekly basis. Second, it
reduces the total cost of Vulnerability Management, which frees up precious
resources to invest in more strategic IT initiatives."
Companies should also accept that Vulnerability Management is a
never-ending process, and that the cycle of "assess," "prioritize,"
"remediate" must be continuously repeated. Through better security
governance (allocation of limited IT resources) and risk management
(prioritization based on business value and the organization's appetite for
risk),
Best-in-Class performance in Vulnerability Management frees up limited IT
resources to invest in projects more directly tied to the "rewarded risks"
of innovation and strategic growth.
A complimentary copy of this report is made available thanks in part to the
following underwriters: Rapid7 LLC and Shavlik Technologies. To obtain a
complimentary copy of the report, visit:
http://www.aberdeen.com/link/sponsor.asp?spid=30410182&cid=5231.
End-user organizations who would like to participate in a related survey
for research on Unified Threat Management are encouraged to do so by
visiting http://www.aberdeen.com/survey.utm.
To access all of Aberdeen's complimentary research please visit
http://research.aberdeen.com.
About Aberdeen Group, a Harte-Hanks Company
Aberdeen is a leading provider of fact-based research and market
intelligence that delivers demonstrable results. Having benchmarked more
than 30,000 companies in the past two years, Aberdeen is uniquely
positioned to educate users to action: driving market awareness, creating
demand, enabling sales, and delivering meaningful return-on-investment
analysis. As the trusted advisor to the global technology markets,
corporations turn to Aberdeen™ for insights that drive decisions.
As a Harte-Hanks Company, Aberdeen plays a key role in putting content in
context for the global direct and targeted marketing company. Aberdeen's
analytical and independent view of the "customer optimization" process of
Harte-Hanks (Information - Opportunity - Insight - Engagement -
Interaction) extends the client value and accentuates the strategic role
Harte-Hanks brings to the market. For additional information, visit
Aberdeen at http://www.aberdeen.com or call (617) 723-7890, or to learn more
about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com.
© 2008 AberdeenGroup, Inc., a Harte-Hanks Company 451 D Street, Suite 710 Boston, Massachusetts 02210-1928 Telephone: (617)854-5200 Fax: (617) 723-7897 www.aberdeen.com
Contact Information: Media Contact: Derek E. Brink Aberdeen Harte-Hanks (617) 854-5254 Derek.Brink@aberdeen.com