Most organizations are failing to remediate critical vulnerabilities quickly enough, with nearly seven-in-ten saying it takes them more than 24 hours.
According to new research from Swimlane, fragmented data from multiple scanners, siloed risk scoring, and poor cross-team collaboration means organizations are increasingly exposed to breaches, compliance failures, and financial penalties.
Michael Lyborg, CISO at Swimlane, said this confluence of issues and the “growing complexity” of vulnerability management has prompted a widespread rethink of how enterprises approach dangerous flaws.
"It’s no longer just about patching vulnerabilities — it’s about prioritizing the ones that matter most to your operations. With businesses losing an estimated $47,580 per employee each year due to manual tasks, organizations can no longer afford to operate in the reactive mode of the past."
The main reason for failures in prioritization is a lack of context or accurate information, cited by 37%, with 35% saying that's the primary reason for delays in fixing vulnerabilities too.
More than half of organizations still lack a comprehensive system for vulnerability prioritization. And while nearly half (45%) use a hybrid approach combining manual and automated processes for vulnerability detection, seven-in-ten rely on tools like cloud security posture management, and a similar number use web application scanners.
These manual processes are using up significant resources, the study noted, with 57% of security teams dedicating between a quarter and half of their time to vulnerability management operations.
More than half spend over five hours a week consolidating and normalizing vulnerability data, while a similar number said the limited usefulness of scanner results means they need to use additional tools and processes.
Nearly two-thirds said they weren't confident that their vulnerability management programs can meet regulatory audit requirements, and 73% expressed concern over potential fines.
Similarly, six-in-ten reported that siloed vulnerability management practices are creating inefficiencies and exposing their systems to potential security risks.
"Smarter prioritization and automation are no longer optional — they are essential to reducing vulnerabilities, preventing breaches and ensuring continuous compliance," said Cody Cornell, co-founder and chief strategy officer at Swimlane.
RELATED WHITEPAPER
"By blending intelligent automation with human expertise, vulnerability management teams gain the clarity they need to act decisively. Centralizing data and responding in real-time isn’t a luxury — it’s a business imperative that minimizes risk and frees up time to focus on the next challenge."
Last year, researchers at Black Duck found that the utilities sector was the worst performer in dealing with security flaws, with an average of 876 days to close critical vulnerabilities in medium-sized sites. The education sector was also slow.
Perhaps because of the sector's heavy regulation, healthcare organizations were quicker to act, with an average of 87 days to close critical security vulnerabilities for small sites, 30 days for medium sites, and 20 days for large sites.
-
The move to a digital network and its role in the bigger picture of achieving true digital transformation: how SMBs can set themselves up for successSupported Beyond the dial tone, the digital switchover is the key to SMB success
-
Middlesbrough Council boosts cybersecurity spending, strategy in response to repeated cyberattacksReviews Councils across the UK have publicly struggled with maintaining services in the face of major cyber disruption
-
A malicious MCP server is silently stealing user emailsNews Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber skills shortages are pushing firms into dangerous shortcuts – and it’s putting them at huge risk of security breachesNews Chronic cyber skills shortages mean many businesses are implementing quick fixes
-
Pentesters are now a CISOs best friend as critical vulnerabilities skyrocketNews Attack surfaces are expanding rapidly, but pentesters are here to save the day
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
-
Generative AI attacks are accelerating at an alarming rateNews Two new reports from Gartner highlight the new AI-related pressures companies face, and the tools they are using to counter them
-
A terrifying Microsoft flaw could’ve allowed hackers to compromise ‘every Entra ID tenant in the world’News The Entra ID vulnerability could have allowed full access to virtually all Azure customer accounts
-
‘Channel their curiosity into something meaningful’: Cyber expert warns an uptick of youth hackers should be a ‘wake-up call’ after teens charged over TfL attackNews Encouraging youths to engage in positive tech initiatives will guide them down the right path and away from nefarious activities
