Organisations are struggling to prioritise vulnerability patching appropriately, leading to situations where everything is a crisis, which helps nobody, according to a report.
Cyber security professionals responsible for vulnerability patch management and roll-out say they struggle to prioritise critical updates effectively and tend to fall back on labelling ‘everything’ as a priority, an approach the report calls completely unsustainable, according to a new report compiled by Ivanti.
In its new 2025 Risk-based patch prioritisation report, released this week, Ivanti lamented a lack of industry standard ratings for vulnerabilities and patches, meaning users are left to compare and prioritise updates based on isolated recommendations.
Asked about the factors that influence patch prioritisation, a majority of cyber pros rated every one of them as having a high or moderate impact on urgency: a vulnerability’s impact on critical systems; whether it is being actively exploited; whether it has been detected by a vulnerability scanner; its CVSS score or vendor severity score; whether it must be patched for compliance reasons, such as inclusion in the CISA KEV catalogue; and whether management has flagged it as a priority.
“But when everything is a priority, nothing is a priority,” wrote the report’s authors, who said in light of these stats it was no surprise whatsoever that 39% of cyber pros said they struggle to prioritise risk remediation and patch deployment, and 35% said they struggled to maintain compliance.
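To make the “everything is a priority” problem concrete, the following is an added illustration (not code from Ivanti or the report) that scores a constructed set of vulnerabilities using the factors listed above. The flat scheme weights every factor equally, as the surveyed respondents effectively do, so unrelated findings tie; the tiered scheme is one assumed ordering (exploited or KEV first, then asset criticality, then severity) and is an assumption for illustration, not the report’s method. The identifiers are placeholders, not real CVEs.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    vid: str                # placeholder id, not a real CVE
    cvss: float             # CVSS base score, 0-10
    vendor_severity: str    # "critical" / "high" / "medium" / "low"
    exploited: bool         # known active exploitation
    in_kev: bool            # listed in the CISA KEV catalogue
    critical_asset: bool    # affects a business-critical system
    scanner_hit: bool       # reported by a vulnerability scanner
    mgmt_priority: bool     # flagged as a priority by management


def flat_score(v: Vuln) -> int:
    """Survey-style approach: every factor counts as high impact, weight 1 each."""
    return sum([v.cvss >= 7.0, v.vendor_severity in ("critical", "high"),
                v.exploited, v.in_kev, v.critical_asset,
                v.scanner_hit, v.mgmt_priority])


def tiered_rank(v: Vuln) -> tuple:
    """Assumed tiering: exploited/KEV first, then asset criticality, then CVSS,
    with vendor severity and management flags only breaking ties."""
    return (0 if (v.exploited or v.in_kev) else 1,
            0 if v.critical_asset else 1,
            -v.cvss,
            0 if v.vendor_severity in ("critical", "high") else 1,
            0 if v.mgmt_priority else 1)


def prioritise(vulns, scheme="tiered"):
    """Return vulnerability ids in patch order under the chosen scheme."""
    if scheme == "flat":
        return [v.vid for v in sorted(vulns, key=lambda v: -flat_score(v))]
    return [v.vid for v in sorted(vulns, key=tiered_rank)]


# Constructed sample: A, B and C each satisfy four of the seven factors.
SAMPLE = [
    Vuln("VULN-A", 9.8, "critical", False, False, False, True, True),
    Vuln("VULN-B", 6.5, "medium", True, True, True, True, False),
    Vuln("VULN-C", 7.5, "high", False, False, True, True, False),
    Vuln("VULN-D", 5.0, "medium", False, False, False, True, True),
]

if __name__ == "__main__":
    # Flat scoring ties A, B and C, so the actively exploited KEV entry (B)
    # is not surfaced first; the tiered scheme puts it at the top.
    print("flat:  ", prioritise(SAMPLE, "flat"))
    print("tiered:", prioritise(SAMPLE))
```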