International Cyber Expo International Cyber Expo
  • About Us
Tuesday, 7 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Visibility into vulnerabilities: 3 steps to improve software vulnerability management

A more efficient process is required to view, prioritize, and manage software vulnerabilities

by Bob Kelly
August 19, 2021
in Insight
Author Headshot
Share on FacebookShare on Twitter

Vulnerabilities in enterprise IT are everywhere. While it’s clear that they need to be addressed, how to do so isn’t as clear.

The sheer number of vulnerable software versions in an enterprise environment can be overwhelming, making it challenging to address them. The process requires time: to identify the need for an update, to create and test a successful update package, and then to deploy that throughout the environment. As a result, it isn’t realistic to believe that an organization with thousands of applications can simply keep all of them up-to-date. Instead, security typically drives a remediation process, issuing priorities to IT operations.

A more efficient process is required to view, prioritize, and manage software vulnerabilities—and lower the security risk to the entire organization. Here are 3 steps to improve vulnerability management.

1. Understand your end-of-life and end-of-support risk.

Cybersecurity risk is present throughout the IT stack, but the risk presented by end-of-life or end-of-support (EOL/EOS) software is particularly worth monitoring and mitigating. Any software that’s reached EOL or EOS must be considered vulnerable. Why? Because it is no longer receiving the attention necessary to qualify it as otherwise.

The Flexera 2021 State of IT Visibility Report found that operating systems and productivity software lead the pack in terms of EOL/EOS vulnerabilities. Across all categories, it is important to maintain detailed information about the specific versions and releases that you’re using. This can facilitate identification of areas that need attention. Monitoring EOL/EOS dates is also an important component of an overall software asset management (SAM) effort so you can stay ahead of what versions of products in your environment will reach EOL/EOS in the weeks ahead.

 

Graph of changes in IT decision making

 

Collaborating across the enterprise can help strengthen your EOL/EOS strategy. Even though lifecycle management impacts the whole organization, EOL/EOS data is often siloed within an organization. Instead, sharing it—including the EOL/EOS dates—among teams (including IT management and support, procurement, and finance) can help ensure your overall security stance.

2. Streamline IT decision making.

The top challenge in IT decision making is “not enough good-quality data,” cited as either somewhat of a challenge or a significant challenge by more than 4 out of 5 (81%) of survey respondents. The lack of this data slows the processes of making and implementing decisions related to vulnerability management.

Survey bar chart IT decision making

Integrating IT asset inventory data into vulnerability and application rationalization efforts is a crucial part of mitigating risk in an organization and prioritizing strategic initiatives. You can’t make decisions about what to protect if you don’t have visibility into your assets.

3. Rely on threat intelligence.

Rather than reacting when an exploit hits the news or something noteworthy suddenly appears as a critical event in need of attention, it’s important that IT operations establish a regular process for detecting, prioritizing, and remediating vulnerabilities as they are disclosed.

Two common approaches leave the majority of disclosed vulnerabilities unaddressed:

  • The most common way to prioritize patch activity is by prioritizing based on criticality score or Common Vulnerability Scoring System (CVSS) score, which ranges from 1 to 10. But this often doesn’t provide the best data on which to define remediation initiatives. Focusing on vulnerabilities with a CVSS score of 7 or more (which is a widely adopted best practice) only addresses about 50% of those vulnerabilities that are exploited. Most exploits actually have a “medium” CVSS score, between 4 and 7.
  • When companies don’t have good visibility into what vulnerabilities require their attention, they typically focus on well-known applications (including Adobe, Google, Java, Microsoft, and Mozilla). Focusing on vulnerabilities for the top 20 vendors, however, only addresses about 20% of exploits.

Today, threat intelligence is now widely preferred, as it offers a more impactful metric for security and IT teams to prioritization of remediation efforts. By relying on threat intelligence—which verifies, normalizes, and scores each vulnerability—you can focus on vulnerabilities that are actually being exploited in the wild. A consistent, methodical, repeatable process means that any critical vulnerability (or a vulnerability with a high likelihood of exploitation) can be addressed as a matter of routine. This allows you to allocate time and resources to patching the vulnerabilities that have evidence of exploitation and that pose the most critical risk to your environment. By prioritizing vulnerabilities effectively, you may drastically decrease risks while only patching 10–20% of those applications in need of remediation.

With sufficient visibility into the assets that exist in your environment—and the vulnerability and threat intelligence to identify what’s vulnerable and its associated risk—an organization can greatly reduce its security risk.

 

Contributed by Bob Kelly (@rwk), director of product management at Flexera

 

 

ShareTweet
Previous Post

Armis continues to expand in healthcare markets with appointment of new CTO for healthcare

Next Post

T-Mobile data breach impacts over 40 million users – Security Experts Have Their Say

Recent News

Mike Winston on Why Jet.AI Shifted From Aviation to AI Infrastructure

Mike Winston on Why Jet.AI Shifted From Aviation to AI Infrastructure

July 7, 2026
George Murnane’s One-Question Test for Real AI

George Murnane’s One-Question Test for Real AI

July 7, 2026
Registration Now Open for International Cyber Expo 2026

Registration Now Open for International Cyber Expo 2026

July 7, 2026
Forescout

Forescout recognised by NATO for cybersecurity capabilities across IT and OT environments

July 7, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol