A growing number of companies are adopting risk-based vulnerability management programs to handle the endless wave of new vulnerabilities being disclosed every day, more than 2,800 in the first three months of 2021. Yet, too often these programs make one critical error: they focus too much time on a risk score, and not enough time on the system itself.
That's wrong, because it obscures vital context. Without that context, organizations can fail to prioritize and patch the vulnerabilities that are truly high-risk to them.
Take, for example, the Common Vulnerability Scoring System (CVSS). When a hot new vulnerability garners mass attention, analysts often quote the vulnerability’s CVSS score.
Those comments fail to recognize that the distribution of CVSS scores isn’t a tidy bell curve…