State of Vulnerability Management: Results of the 2019 SANS Survey

Bethesda, Md. – Organizations are doing many positive things when it comes to vulnerability management. But there is room for improvement, particularly with regard to collaboration of IT and security teams, according to results of the SANS 2019 Vulnerability Management Survey to be released by SANS Institute on a two-part webcast Tuesday, April 9, 2019, and Wednesday, April 10, 2019.

“Continuous scanning has been a very contentious issue,” according to SANS fellow instructor and survey advisor David Hoelzer. “Because it is a core component in vulnerability management, it is important that organizations scan frequently enough to ensure security without overwhelming analysts. Automation is key to that mission.”

Only 7% of respondents do not perform any vulnerability scanning within their organizations, with 81% performing some level of automated scanning. This year’s results reveal that 28% perform continuous scanning—an increase of more than 200% compared with the results from our 2015 (13%) and 2016 (11%) surveys—to reduce the time between scans, giving an organization a more accurate picture of their environment.

“Some of the biggest concerns reported with regard to vulnerability management arise when the appropriate teams are not involved or are unaware of technology deployments,” says SANS instructor, analyst and survey author Andrew Laman. “It has never been easier to bring new applications and services online without the appropriate oversight, potentially exposing organizations to unintended vulnerabilities and risks.”

Vulnerability management resided mostly within information security departments (48%), while the 82% of the respondents held IT responsible for mitigating and/or remediating the vulnerabilities. Effective communication and efficient sharing of vulnerability information is key to remediating vulnerabilities. Organizations share the information in various ways: 63% of the respondents used a ticketing system to share vulnerability scanner results, with 42% manually creating tickets. Integration with ticketing systems can help reduce the manual overhead of ticket creation, but should be balanced with the goal of effective communications. If automated ticket creation does not include key information—such as risk ratings or prioritization—organizations may not handle their remediation efforts with the correct level of urgency.

Laman concludes, “The separation of responsibilities is important, but cross-team communication is critical. Effective communication and efficient sharing of vulnerability information is key to remediating vulnerabilities.”

Full results will be shared during a two-part webcast at 1 PM EDT on Tuesday April 9 and Wednesday, April 10, sponsored by Balbix, Bromium, Tenable and Veracode, and hosted by SANS. Register to attend the April 9 webcast focusing on the current state of vulnerability management at and the April 10 webcast focusing on the vulnerability practices of tomorrow at

Those who register for the webcast will also receive access to the published results paper developed by SANS instructor and analyst and network security expert, Andrew Laman, with advice from SANS fellow instructor David Hoelzer.

Tweet This:

Explore current vulnerability management practices | Part 1 of the Vulnerability Survey Results | 4/9 @ 1PM ET |

Learn about risk-based vulnerability management | Part 2 of the Vulnerability Management Survey Results | 4/10 @ 1PM ET |

SANS 2019 Vulnerability Management Survey results presented @ 1PM | Register for Part 1: 4/9 | Part 2: 4/10

SANS instructors Andrew Laman and David Hoelzer present 2019 Vulnerability Survey results. Register for 4/9 and 4/10 webcasts: and

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (