Hi,
I'm guessing most of you have already seen Verizon's new DBIR. If not, it's worth a read.
I don't want to summarize the report. Plenty of people have already done that.
Instead, I want to focus on one finding that immediately made me think about application security.
Here's the logic:
• Vulnerability exploitation is now the #1 initial access vector (31% of breaches).
• Organizations fully remediated only 26% of critical vulnerabilities.
• The median time to remediate them increased to 43 days.
• Organizations also had 50% more critical vulnerabilities to deal with than last year.
To me, these numbers tell a very simple story.
The challenge is no longer just finding vulnerabilities.
The challenge is that organizations simply can't patch everything fast enough.
That creates an exposure window between discovering a vulnerability and being able to safely deploy the fix.
Why am I sharing this?
Because sooner or later, every security team has to explain why patching alone isn't enough, and why they need budget for additional controls.
These four numbers explain it better than almost any marketing slide could.
They're not an argument against patching.
They're an argument for protecting the business while patching is still in progress.
I'm curious... if you had to explain this challenge to your CEO in one sentence, what would you say?
Stay safe and proactive
Sharon.