Recent benchmark research by IT PCG finds the level of automation used to find and fix vulnerabilities in IT systems is one of the primary factors contributing to more or less business downtime, more or fewer theft or loss of sensitive information, and more or less difficulty sustaining audit results.

The significant disparity in results between organizations experiencing the best outcomes—minimal downtime, data loss or theft, security and audit deficiencies— and those with the worst outcomes is directly related to the level of automation being employed to find and fix vulnerabilities in IT systems and applications. The results conclusively show that the automation of vulnerability management systems is highly correlated to reductions in unexpected business downtime as well as decreases in the loss or theft of sensitive information.

The full IT PCG report entitled, “Why Vulnerability Management Pays,” quantifies the areas of IT operations others find are most vulnerable to disruptions and exploitations, with the specific areas of greatest vulnerability being web systems—web sites, web browsers, email systems and applications, as well as user devices such as personal computers and mobile devices. Yet, while these are the areas of greatest risk they are not the sole portions of IT systems within organizations which are vulnerable to disruption or exploitation.

Organizations with the best outcomes are testing all production systems instead of only testing directly-accessible Internet-facing systems, including Web, Email, IT server, database, network, PC, and laptop systems among others. In addition, these organizations are testing for vulnerabilities weekly and bi-weekly instead of bi-monthly, quarterly and bi-annually.

The increased frequency of testing for vulnerabilities using more fully automated procedures explains why the best performing organizations are finding twice as many vulnerabilities as well as reducing the number of IT systems being impacted by vulnerabilities by a factor of two.

The research report also covers financial exposures and risks being experienced by organizations, as well as the financial returns that easily exceed 150 percent annually to automate the procedures to find and fix vulnerabilities.