Intigriti has published Sharpening SLAs for Vulnerability Management, a new report highlighting the need for strong cybersecurity practices and service-level agreements (SLAs) for vulnerability management. This report combines qualitative and quantitative research, featuring insights from 250 infosecurity professionals—including CIOs, CTOs, security analysts, and engineers—across 12 industries in the UK and the US.
The UK demonstrates a more rapid response and remediation rate for critical vulnerabilities, suggesting a more proactive and efficient approach to cybersecurity threats. Conversely, the US excels in automation, vendor collaboration, and conducting thorough cost-benefit analyses, indicating a more strategic and comprehensive approach.
Key findings include:
Vulnerability management challenges and regional differences
Initial acknowledgment: Globally, 75% of businesses fail to respond to critical vulnerabilities within 24 hours—consequences could include customer dissatisfaction, loss of business, and reputational damage
In the UK, 29% respond within 24 hours compared to 20% in the US
Mitigation: More UK respondents (82%) aim to resolve a critical to exceptional vulnerability within 15 days compared to the US (69%)—a promising start, but more organisations should aim for this target
Disclosure: The UK is also faster at disclosure, with 73% disclosing a vulnerability within 15 days versus 66% in the US
Stakeholder consultation when assessing critical vulnerabilities
Over half (52%) of companies skip consulting their executive leadership when facing critical vulnerabilities, and only 44% involve legal and risk management teams. This oversight is concerning, as regulatory bodies must be informed about such vulnerabilities.
Additionally, 36% don’t consult IT infrastructure teams, missing out on the expertise of network engineers, system administrators, and application developers. These professionals could help speed up the mitigation process, as they may have written the code from which the vulnerability arose.
Supply chain relationships and cost-benefit tracking
43% of organisations fail to conduct regular cost-benefit analyses to weigh up vulnerability remediation expenses against the costs of a data breach. The US outperforms the UK in this area, with 65% of organisations conducting analysis regularly (i.e. annually) compared to 47% in the UK. Such analysis is crucial for ensuring safety and justifying cybersecurity investments.
There are also big reporting gaps: two-thirds (66%) of US respondents automate tracking and reporting on compliance with disclosure SLAs for contracted vendors, compared to just 32% in the UK. Nearly half (49%) of UK respondents rely on manual reporting.
Building trust with transparency
More positively, 88% of respondents share SLAs—66% with external stakeholders. The remaining 12% cite compliance concerns (6%), minimizing PR issues (5%), and withholding knowledge from competitors (4%) as reasons not to share SLAs. Taking a more proactive cybersecurity stance is itself a competitive advantage and fosters trust with customers and new business prospects, so these fears are misguided.
Commenting on this news, Stijn Jans—CEO and Founder at Intigriti—said: “At Intigriti, we understand the immense pressure on cybersecurity leaders to defend against a rapidly evolving threat landscape with limited resources. Still, failing to plan is planning to fail, which is why SLAs are so crucial for protecting against cyber threats. Our report provides clear and actionable standards for performance and accountability, giving businesses a competitive edge in the process. By equipping security teams with tools and knowledge, we can turn vulnerabilities into victories. Collectively, we can ensure a safer digital future for all—but there’s no time left to waste.”
Thankfully, cybersecurity budgets are increasing, with Gartner predicting a 14.3% rise in global security and risk management spending—reflecting the need to address expanding attack surfaces and comply with new regulations. As well as new research, the report outlines the diary of a disclosure, illustrating the journey to an effective response. Key takeaways include:
More urgency is needed for the initial response to vulnerability reports
Structured and measurable actions are vital for protecting against evolving cyber threats
Ethical hackers can help security teams detect vulnerabilities faster
Protective measures against cyber criminals must be equally dynamic and robust