Vulnerability management complexity is leaving enterprises at serious risk
Fragmented data and siloed processes mean remediation is taking too long


Most organizations are failing to remediate critical vulnerabilities quickly enough, with nearly seven-in-ten saying it takes them more than 24 hours.
According to new research from Swimlane, fragmented data from multiple scanners, siloed risk scoring, and poor cross-team collaboration mean organizations are increasingly exposed to breaches, compliance failures, and financial penalties.
Michael Lyborg, CISO at Swimlane, said this confluence of issues and the “growing complexity” of vulnerability management has prompted a widespread rethink of how enterprises approach dangerous flaws.
"It’s no longer just about patching vulnerabilities — it’s about prioritizing the ones that matter most to your operations. With businesses losing an estimated $47,580 per employee each year due to manual tasks, organizations can no longer afford to operate in the reactive mode of the past."
The main reason for failures in prioritization is a lack of context or accurate information, cited by 37% of respondents, while 35% said it is also the primary reason for delays in fixing vulnerabilities.
More than half of organizations still lack a comprehensive system for vulnerability prioritization. And while nearly half (45%) use a hybrid approach combining manual and automated processes for vulnerability detection, seven-in-ten rely on tools like cloud security posture management, and a similar number use web application scanners.
These manual processes are using up significant resources, the study noted, with 57% of security teams dedicating between a quarter and half of their time to vulnerability management operations.
More than half spend over five hours a week consolidating and normalizing vulnerability data, while a similar number said the limited usefulness of scanner results means they need to use additional tools and processes.
Nearly two-thirds said they weren't confident that their vulnerability management programs can meet regulatory audit requirements, and 73% expressed concern over potential fines.
Similarly, six-in-ten reported that siloed vulnerability management practices are creating inefficiencies and exposing their systems to potential security risks.
"Smarter prioritization and automation are no longer optional — they are essential to reducing vulnerabilities, preventing breaches and ensuring continuous compliance," said Cody Cornell, co-founder and chief strategy officer at Swimlane.
"By blending intelligent automation with human expertise, vulnerability management teams gain the clarity they need to act decisively. Centralizing data and responding in real-time isn’t a luxury — it’s a business imperative that minimizes risk and frees up time to focus on the next challenge."
Last year, researchers at Black Duck found that the utilities sector was the worst performer in dealing with security flaws, with an average of 876 days to close critical vulnerabilities in medium-sized sites. The education sector was also slow.
Perhaps because of the sector's heavy regulation, healthcare organizations were quicker to act, with an average of 87 days to close critical security vulnerabilities for small sites, 30 days for medium sites, and 20 days for large sites.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.