SOURCE: Aberdeen Group

September 10, 2008 12:36 ET

Most Companies Failing to Keep Up With Threats and Vulnerabilities

Best-in-Class Performance Yields Positive Return, but Others Are Losing 8% per Year

BOSTON, MA--(Marketwire - September 10, 2008) - Aberdeen, a Harte-Hanks Company (NYSE: HHS), today announced the publication of a new benchmark research report on "Vulnerability Management: Assess, Prioritize, Remediate, Repeat." When factoring in the estimated costs incurred from actual exploits of vulnerabilities -- i.e., those costs not avoided, in spite of their existing Vulnerability Management (VM) initiatives -- Best-in-Class organizations realized an 8% annual return on investment. All other respondents, however, realized a negative 8% per year return. In other words, in spite of their investments in managing threats and vulnerabilities, the majority of organizations are currently not able to keep up. To obtain a complimentary copy of the report, visit:

Vulnerability Management, as much as one may dislike the thought of having to do it, is a necessary function for any organization with business operations that involve Internet-facing networks, computers, and application software. In other words, it's necessary for just about every company, of any size. With an average of over 120 new threats and vulnerabilities emerging every week, Vulnerability Management must be accepted as essential. Aberdeen's research confirms that the best results are achieved by making it as efficient and cost-effective as possible:

--  Not all vulnerabilities and threats need to be identified and tracked 
    -- just those that are relevant to the organization's IT assets.
--  Not all vulnerabilities and threats need to be addressed with the same
    degree of urgency -- prioritization should be determined based on the level
    of risk and the business value of the IT assets in question.
--  Not all remediation needs to be based on deployment of software patches
    or configuration updates (although these processes should be automated to a
    much higher degree than that currently indicated by the research) --
    compensating controls can also be considered in circumstances other than
    those where no patches or updates are available.

"Aberdeen's research confirms that improving capabilities in assessing, prioritizing, and remediating threats and vulnerabilities pays off in two ways," said Derek E. Brink, vice president and research fellow for IT Security, Aberdeen. "First, it reduces the costs inflicted by the flood of new threats and vulnerabilities that emerge on a weekly basis. Second, it reduces the total cost of Vulnerability Management, which frees up precious resources to invest in more strategic IT initiatives."

Companies should also accept that Vulnerability Management is a never-ending process, and that the cycle of "assess," "prioritize," "remediate" must be continuously repeated. Through better security governance (allocation of limited IT resources) and risk management (prioritization based on business value and the organization's appetite for risk), Best-in-Class performance in Vulnerability Management frees up limited IT resources to invest in projects more directly tied to the "rewarded risks" of innovation and strategic growth.

A complimentary copy of this report is made available in part by the following underwriters: Rapid7 LLC and Shavlik Technologies. To obtain a complimentary copy of the report, visit:

End-user organizations who would like to participate in a related survey for research on Unified Threat Management are encouraged to do so by visiting

To access all of Aberdeen's complimentary research please visit

About Aberdeen Group, a Harte-Hanks Company

Aberdeen is a leading provider of fact-based research and market intelligence that delivers demonstrable results. Having benchmarked more than 30,000 companies in the past two years, Aberdeen is uniquely positioned to educate users to action: driving market awareness, creating demand, enabling sales, and delivering meaningful return-on-investment analysis. As the trusted advisor to the global technology markets, corporations turn to Aberdeen™ for insights that drive decisions.

As a Harte-Hanks Company, Aberdeen plays a key role in putting content in context for the global direct and targeted marketing company. Aberdeen's analytical and independent view of the "customer optimization" process of Harte-Hanks (Information - Opportunity - Insight - Engagement - Interaction) extends the client value and accentuates the strategic role Harte-Hanks brings to the market. For additional information, visit Aberdeen or call (617) 723-7890, or to learn more about Harte-Hanks, call (800) 456-9748 or go to

© 2008 AberdeenGroup, Inc., a Harte-Hanks Company
451 D Street, Suite 710
Boston, Massachusetts  02210-1928
Telephone: (617) 854-5200
Fax: (617) 723-7897
