Five reasons to shift to risk-based vulnerability management

A survey conducted by Tenable and DSCI found that more than one-third of organisations in India still rely on legacy vulnerability management (VM) tools.

Organisations in India face a multitude of cyber threats from every direction. In a recent Forrester study commissioned by Tenable, 97 percent of Indian organisations suffered at least one business-impacting cyberattack over the past 12 months. A majority of data breaches stem from unfixed, known vulnerabilities and a lack of basic security practices rather than advanced attacks. To put things into perspective, there were 17,313 new vulnerabilities disclosed in 2019 but attackers actually leveraged only a small subset of these for attacks.

As organisations in India continue to adopt cloud-based technologies to operate with a distributed workforce during this health crisis, security needs to be at the forefront. Mixing these new technologies with traditional IT systems produces data silos and outdated operational processes, which makes scanning for vulnerabilities more complex, because legacy approaches weren’t designed to handle an attack surface of this size and complexity. As a result, organisations can completely miss high-risk vulnerabilities across their dynamic environments. A survey conducted by Tenable and the Data Security Council of India (DSCI) found that more than one-third of organisations in India still rely on legacy vulnerability management (VM) tools.

To improve security in this expanded environment, organisations should take a risk-based approach to vulnerability management, which enables security teams to focus on the vulnerabilities and assets that matter most while deprioritising the vulnerabilities that are unlikely to be exploited. A 2019 study by McKinsey Consulting found that risk-based vulnerability management offers organisations a potential risk reduction of 7.5 times over their original programme, at no added cost. Here are five ways this is achieved.

Make decisions based on context

Correlate and analyse essential vulnerability characteristics together with other key contextual elements, including the criticality of the affected assets and threat and exploit intelligence, and maintain an assessment of current and likely future attacker activity. This helps organisations understand the actual risk posed by each vulnerability.

Focus on what matters most

Prioritising remediation efforts using the common vulnerability scoring system (CVSS) alone isn’t sufficient. This is because CVSS is limited to a theoretical view of the risk a vulnerability could potentially introduce and therefore categorises the majority of vulnerabilities as high or critical. CVSS doesn’t take into account whether the vulnerability is being exploited in the wild, or if the vulnerability impacts a business-critical service or system.

Risk-based vulnerability management helps organisations understand all vulnerabilities in the context of business risk, so that this data can be used to prioritise remediation efforts. The ability to do so empowers security teams to move beyond the inherent problems of using CVSS in isolation. Instead, they can address true business risk rather than wasting valuable time chasing vulnerabilities that have a low likelihood of being exploited.
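The two points above (context and CVSS in isolation) can be made concrete with a small scoring model. This is an added example, not code from the article or from any Tenable product: the weights, the sample findings and the VULN-x identifiers are constructed assumptions for the demonstration. It ranks the same findings by CVSS alone and by CVSS combined with asset criticality, exploit intelligence and exposure, showing the top CVSS finding dropping to the bottom once context is applied.

```python
from dataclasses import dataclass

# Assumed illustrative weights, not any vendor's scoring model.
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5, "critical": 2.0}


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    asset: str              # where the vulnerability was found
    cvss: float             # CVSS base score, 0.0 to 10.0
    asset_criticality: str  # one of the CRITICALITY_WEIGHT keys
    exploited_in_wild: bool  # threat intel: active exploitation observed
    exploit_available: bool  # public exploit code exists, no activity seen
    internet_facing: bool   # reachable from outside the network


def risk_score(f: Finding) -> float:
    """Contextual risk: CVSS is only the starting point."""
    score = f.cvss * CRITICALITY_WEIGHT[f.asset_criticality]
    if f.exploited_in_wild:
        score *= 1.5          # known exploitation outweighs theoretical severity
    elif f.exploit_available:
        score *= 1.2
    if f.internet_facing:
        score *= 1.2          # exposure raises likelihood of being targeted
    return round(score, 1)


def cvss_only_order(findings):
    """The legacy view: highest CVSS base score first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


def risk_based_order(findings):
    """Risk-based view: contextual score first, CVSS as tie-breaker."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), -f.cvss))
    return [f.vuln_id for f in ranked]


# Constructed sample findings (assumed values for the demonstration).
SAMPLE = [
    Finding("VULN-A", "dev-test-vm", 9.8, "low", False, False, False),
    Finding("VULN-B", "payments-api", 7.5, "critical", True, True, True),
    Finding("VULN-C", "hr-database", 9.1, "high", False, True, False),
    Finding("VULN-D", "public-web", 5.3, "medium", True, True, True),
]

if __name__ == "__main__":
    print("CVSS only :", cvss_only_order(SAMPLE))
    print("Risk-based:", risk_based_order(SAMPLE))
```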

Eliminate blind spots

Assess modern assets as well as traditional on-premises IT environments to eliminate the blind spots that plague legacy tools. By having visibility into the entire attack surface, security teams can determine which vulnerabilities to prioritise for remediation based on risk – regardless of where they reside in the network.

Be strategic and purposeful

Continuously discover and assess the risk associated with all business-critical assets across the attack surface, and employ analytics that dynamically assess changes in vulnerability, threat and asset criticality data.

The same survey results from Tenable and DSCI shed light on how regularly scanning is conducted. At least 17 percent of organisations still do ad hoc scanning, while most companies (44%) perform scans once a month. Limiting assessments to assets that fall within the audit scope can cause critical systems to be ignored.

Minimise disruptive events

Leverage machine learning and artificial intelligence to instantaneously digest feeds from various sources to build a picture of the enterprise that focuses on the business’ critical assets and the actual threat they face. These insights empower security teams to adjust their remediation strategy in near real-time. Proactively address the vulnerabilities that pose the most risk to the organisation while minimising disruptions from new vulnerabilities and zero-day exploits that gain media attention.

By Adam Palmer, Chief Cybersecurity Strategist, Tenable