Bitsight Research Finds Organizations Failing to Keep Pace with the Increase in Cyber Vulnerabilities

Average vulnerability remediation rate across organizations is 5% per month

BOSTON – March 30, 2023 – Bitsight, a leader in detecting and managing cyber risk, today unveiled new research which found that the cybersecurity vulnerability remediation rate for over 100,000 organizations around the world currently sits at a critically low 5%. While vulnerability management is one of the most important things an organization can do to reduce the risk of experiencing a cybersecurity incident, this research shows the extent to which many organizations still struggle to implement an effective vulnerability management program.

These findings come as the number of disclosed vulnerabilities and known exploited vulnerabilities have increased over the last year; the modern organizational attack surface continues to expand with increased investments in cloud infrastructure, adoption of internet-connected devices, increased dependencies on third-party vendors and the growth of the remote workforce. This makes it difficult for organizations to properly identify enterprise assets and systems, let alone ensure they are kept secure by receiving the latest remediations.

“It’s clear organizations face significant challenges in discerning and managing vulnerabilities in their own organization and across their extended third-party ecosystem,” said Bitsight CTO Stephen Boyer. “Cybersecurity leaders need a complete view of their organization’s attack surface and better see where their cyber risk lies – including third-party risk – so they can protect their organizations and meet the expectations of critical stakeholders like the Board, investors, insurers, and regulators.”

To reduce overall cyber risk and foster trust within the organization, Bitsight recommends security leaders implement the following program items:

  • Prioritize vulnerability management – From the top-down, vulnerability management should be considered critical to organizational security. This means putting adequate resources into your program, including human resources, technology solutions, and pillars that guide governance.
  • Identify your attack surface – Lacking visibility into the internal and external assets comprising your attack surface leaves you vulnerable to cyberattacks; and failing to effectively manage your attack surface leaves your organization vulnerable to breaches, ransomware, and other cybersecurity incidents.
  • Understand third-party cyber risks – A successful attack on your third-party suppliers and vendors could potentially result in business disruption, financial loss, reputational harm, and even compromise your internal systems and data.
  • Communicate effectively with stakeholders – As the number of stakeholders concerned about cybersecurity grows to include the Board, executives, the capital marketplace and more, so do the expectations for effective management. Building, maintaining, and communicating a strong cybersecurity program is critical to establishing trust with these stakeholders.

For this study, Bitsight analyzed 140 medium, high, and critical software vulnerabilities across over 100,000 organizations around the world with varying rates of remediation at the time of observation.

For more information, the full study can be viewed here.

About Bitsight
Bitsight, a global cyber risk leader, transforms how companies manage cyber risk, performance, and exposure for themselves and their third parties. Global enterprises rely on Bitsight to protect their organization by making it possible to set standards, manage to those standards, and report on the results across their company and with business partners.

Bitsight’s applications are built on over a decade of technological innovation and trusted, high-quality data. With the largest ecosystem of users and information globally, Bitsight delivers a patented, universal risk standard that provides actionable insights to manage internal security performance, mitigate third-party risk, underwrite cyber insurance, and conduct cyber due diligence.

Bitsight is on a mission to free the global economy from the material impact of cyber incidents, empowering companies to make better cyber risk decisions and grow confidently in the digital economy. For more information, please visit