SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

68% fail in urgent vulnerability management: report

Today

A recent report from Swimlane has found that 68% of organisations fail to resolve critical vulnerabilities within 24 hours, highlighting a significant challenge in vulnerability management processes.

The report, titled "Under Pressure: Is Vulnerability Management Keeping Up?", presents data demonstrating how fragmented information from multiple scanners, siloed risk scoring, and insufficient cross-team collaboration are increasingly leaving organisations vulnerable to breaches, compliance issues, and financial penalties.

With cybersecurity threats continually evolving, security teams are finding it difficult to manage growing volumes of risk effectively, often with outdated tools and systems. To gain insight into these issues, Swimlane conducted a survey of 500 cybersecurity decision-makers across the United States and the United Kingdom to evaluate current vulnerability management strategies.

Michael Lyborg, Chief Information Security Officer at Swimlane, commented on the complexity firms are facing, stating, "The growing complexity of vulnerability management is pushing organisations to rethink how they approach organisation-wide security, risk and compliance strategies. It's no longer just about patching vulnerabilities — it's about prioritising the ones that matter most to your operations. With businesses losing an estimated USD $47,580 per employee each year due to manual tasks, organisations can no longer afford to operate in the reactive mode of the past."

The report notes that a key obstacle is the lack of context when prioritising and remediating vulnerabilities: 37% identified it as an obstacle to prioritisation and 35% noted its impact on remediation efforts. Furthermore, 55% of organisations lack a comprehensive system for vulnerability prioritisation, relying instead on a mix of manual and automated processes.

Manual vulnerability management tasks are consuming substantial resources, with 57% of security teams spending 25–50% of their time on these operations. Over half of respondents report spending more than five hours a week consolidating and normalising vulnerability data, with 51% indicating scanner results often require additional tools and processes to be useful.

Confidence in meeting regulatory compliance is low among organisations; nearly two-thirds expressed doubt in their programmes' capabilities to pass regulatory audits, and 73% are concerned about potential fines due to inadequate vulnerability management practices.

Siloed practices in vulnerability management were flagged by 59% of respondents, who noted that these approaches lead to inefficiencies and expose systems to increased security risks.

Cody Cornell, Co-Founder and Chief Strategy Officer of Swimlane, emphasised the necessity of smarter approaches in handling vulnerabilities, asserting, "Smarter prioritisation and automation are no longer optional — they are essential to reducing vulnerabilities, preventing breaches and ensuring continuous compliance. By blending intelligent automation with human expertise, vulnerability management teams gain the clarity they need to act decisively. Centralising data and responding in real-time isn't a luxury — it's a business imperative that minimises risk and frees up time to focus on the next challenge."

This study reflects the urgent need for organisations to adapt their vulnerability management practices to better address the persistent threats posed by evolving cybersecurity challenges.
