Qualys Unveils Risk Management Platform
2023-11-9 00:23:12 Author: securityboulevard.com

Qualys today launched a platform that aggregates signals from a wide range of disparate sources to measure and score risks.

Announced at the 2023 Qualys Security Conference (QSC), the Qualys Enterprise TruRisk Platform provides a framework to centralize risk management. Risk inputs from more than 25 threat intelligence feeds can now be consistently scored in a way that will make it simpler to prioritize remediation efforts.

Qualys CEO Sumedh Thakar told conference attendees that organizations today are overwhelmed by all the cybersecurity issues that need to be addressed. The challenge is that resources are finite, so organizations need to find a way to prioritize remediation efforts on high-risk vulnerabilities if they hope to reduce the number of successful attacks, he said.

Unfortunately, too many organizations are wasting time addressing low-level risk issues rather than vulnerabilities that are being actively exploited, he added.

Risk management tools play a critical role in enabling organizations to calculate cybersecurity risks and then communicate what specific steps should be taken, for example applying a patch to remediate a vulnerability.

If those steps are not taken, business and IT leaders may determine that investing in cybersecurity is not effective as the organization continues to be victimized. If remediation is not done, it won’t matter how good a job the cybersecurity teams do, noted Thakar.

Of course, IT teams are often hesitant to apply patches for fear of breaking applications. Risk management tools make it simpler for cybersecurity teams to argue their case for addressing issues based on the actual operational risk to the business rather than simply relying on vulnerability severity scores. The Qualys Threat Research team ran over 2.6 billion vulnerability scans across 60 million assets, and found that 2.1 billion of those scans were scored as ‘critical’ or ‘high’ using the Common Vulnerability Scoring System (CVSS).

However, upon further contextual review, only 603 million, or less than a third, were truly high-risk. Qualys researchers also found that CVSS rated 87 million vulnerabilities as ‘low’ or ‘medium’ risk. In contrast, TruRisk rated them as ‘high’ or ‘critical.’

Qualys has been making the case for automating patch management, with more than 54 million patches applied using its agent software in the last year. In addition, Qualys is now surfacing other recommendations to remediate vulnerabilities in a way that doesn’t necessarily require a patch, said Thakar. Qualys is also working toward applying artificial intelligence to the data it collects to make it easier to identify vulnerable platforms.

However, if IT leaders resist those remediation efforts, cybersecurity leaders should require them to apply their signature to a document that confirms they were advised of the level of risk, he added.

Cybersecurity teams need risk management tools that will enable them to break down the silos that prevent far too many well-known vulnerabilities from being remediated, said Thakar.

More CISOs than ever today report to the CEO and have regular briefings with boards of directors. However, that has not improved cybersecurity posture management, because risks are not being explained in terms business leaders can appreciate.

Article source: https://securityboulevard.com/2023/11/qualys-unveils-risk-management-platform/