Netwrix Survey: 70% of Companies Invest in Vulnerability Assessment Primarily to Be Proactive Rather than to Ensure Compliance

Netwrix, a cybersecurity vendor that makes data security easy, asked 720 IT pros all over the world how they assess vulnerabilities in their IT infrastructure. The survey found that 70% of organizations have a vulnerability assessment tool, either deployed internally or provided as a third-party service. Most of those respondents (70%) said the primary reason for purchasing the tool was the need for proactive security measures; 76% of those who do not yet own a vulnerability assessment tool and plan to acquire one in the near future chose the same key driver – to be secure proactively.

The survey shows that continuous scanning for known vulnerabilities is a popular approach for proactively securing an IT environment. Technology teams implement these tools to proactively identify, prioritize and manage risks to the business. Only 8% of respondents who don’t own a solution say they do not require one. This shows that vulnerability management is widely considered a must-have.
Joe Dibley, Security Researcher at Netwrix

In the past several years, companies have become more security-focused, with widely-covered incidents like Colonial Pipeline and Solar Winds making the consequences of breaches more evident to everyone, not just the IT department. As a result, CISOs and CIOs have been able to secure approval for increases in their cybersecurity budgets. In the Gartner® 2021 CIO Agenda Survey, cybersecurity was the top priority for new spending, with 61% of the more than 2,000 CIOs surveyed increasing investment in cyber/information security this year.^[1]

Which of the following was the main reason your organization acquired a vulnerability assessment solution?

Which of the following is the main reason for your organization to consider purchasing a vulnerability assessment solution?

While budget is top of mind for 58% of respondents, more than half (52%) said they would consider changing to a new solution if it would reduce the volume of false positive alerts. Some respondents even left comments like, “will not sacrifice performance and accuracy for $$”.

Every false positive finding takes time away from a security-focused team member. Many technology teams are already overloaded far beyond 100%, so lots of false positive notifications can lead to alert fatigue and burnout. In addition, 38% of respondents said they would consider changing tools to gain greater breadth of infrastructure coverage, which shows that organizations are gaining a greater understanding that they need to protect not only their servers but also their switches, storage and other infrastructure-related items.
Joe Dibley, Security Researcher at Netwrix

What would encourage your organization to change its current vulnerability assessment solution?

^[1]Source: Gartner Press Release, “Gartner Forecasts Worldwide Security and Risk Management Spending to Exceed $150 Billion in 2021”, May 17, 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.