Rising software vulnerabilities strain security teams & budgets
Security teams are facing increased pressure from the rising number of identified software vulnerabilities, with nearly half of surveyed organisations reporting that the strain is affecting both operational security and staff wellbeing, according to new research by Hackuity.
Volume and burnout
The report, based on responses from 200 IT security decision-makers in the UK and APAC regions, highlights widespread challenges with managing the growing volume of Common Vulnerabilities and Exposures (CVEs). Nearly half (46%) said the volume of vulnerabilities is stretching their teams' resources. Staff burnout was also cited by 38% of respondents, while 26% attributed at least one data breach in their organisation to the pressure created by mounting vulnerabilities.
Additional organisational impacts include delayed incident response reported by 36% and missed security alerts by 33% of respondents. The research found that 36% of organisations had incurred regulatory fines as a direct consequence of vulnerability management deficiencies.
Process limitations
The findings show that while 77% of organisations have formalised approaches for handling vulnerabilities, only 36% rely primarily on a risk-based model. Risk-based approaches typically take into consideration factors such as asset criticality, the exploitability of the vulnerability, and its business impact.
Vulnerability management also appears to be under-resourced and lacking executive focus. The survey found that 60% of decision-makers believed vulnerability management does not receive the same level of attention as other IT security priorities.
Remediation delays
The time taken to address critical vulnerabilities remains a persistent issue. The mean time to remediation (MTTR) for the most severe vulnerabilities was reported as four weeks. However, for 21% of organisations, this period stretched to as long as three months.
Barriers to improvement
Respondents identified operational constraints (43%) and limited budgets (41%) as key barriers to effective vulnerability management. Staff shortages and high turnover are also hampering progress, with 29% citing a lack of in-house skills and 25% noting that frequent turnover makes it difficult to implement lasting improvements.
Leadership perspectives
Organisational leaders are being urged to review how they support security teams as the frequency and complexity of threats increase. The research points to the need for improved prioritisation and better use of intelligence to ensure resources are used effectively.
"We know that teams are feeling the pressure right now - but what's most concerning is the knock-on effect this is having on organisations and on the team's well-being. From missed alerts to fines, there are real consequences at play when vulnerabilities aren't managed in a way that's making the best use of team's time and expertise. The nonstop flood of alerts isn't just stressful, it's costly," said Sylvain Cortes, VP Strategy, Hackuity.
Only a minority of organisations surveyed have shifted to risk-based vulnerability management as their main approach, despite evidence suggesting improved results and reduced exposure to security threats.
"Security leaders need to look at how they're equipping their teams to make sure they can keep pace with the rising volume and complexity of vulnerabilities. Without context and intelligence around the alerts, they risk wasting valuable time and resources chasing down threats or missing alerts that could pose the greatest risk for their organisation," said Cortes.