Vulnerability Management Hacks to Improve ROI

Imagine you run the cybersecurity department with a limited budget. You have certain functions that you are obligated to complete in order to meet compliance requirements, and one of those is vulnerability management. I know—hard to imagine, right? Most of us have felt daunted by the sheer volume of vulnerabilities we need to manage. Adding to this is the fact that you must make sure your scans run smoothly, manage authentication and occasionally remediate vulnerabilities. It is essential to get every bit of value, or return on investment (ROI), you can from the tools you have. To demonstrate the ROI of your vulnerability management tools, you need to show that the operational value they deliver justifies their operating expense. And this is where a key challenge lies: how do you improve ROI on a tool that does not directly influence organizational revenue?

Measuring ROI

To answer this question, you should first establish a means of measuring ROI. For vulnerability management tools, ROI is primarily shown in the form of risk reduction: as long as a team can show that it is reducing risk faster than it previously was, it is improving its ROI. Modern vulnerability management tools have a built-in risk scoring system with which to measure this improvement. ROI can also be calculated monetarily: estimate the cost of a data breach and multiply that value by the likelihood of the breach happening during a given period of time. Oftentimes these monetary measurements are cumbersome, time consuming and inaccurate, which is precisely why risk scoring functions have been added to vulnerability management tools.

Hacks to Improve Your ROI

Now that you have some understanding of how to measure ROI, here are some tips for maximizing it.

Living off the Land

The first hack is to use the risk measurement tools your solution provides. This will save you a substantial amount of time while still allowing you to show your progress in risk reduction. Sometimes these numbers are hidden behind an additional paywall, but the extra cost is probably worth it for the time savings alone. This first recommendation may look like cheating, but a lot of hacks are really about using every part of your tool in order to maximize its value. This is part of “living off the land,” or using what is already available to you to accomplish your goals.

The next living-off-the-land hack involves using a public resource. According to the 2024 Verizon Data Breach Investigations Report, almost one third of cyberattacks included either ransomware or extortion. The Optiv 2024 Industry Threat Profile also identifies ransomware as a ubiquitous threat across all identified industry verticals. However, there may still be too much to remediate for organizations to reasonably reduce their risk of ransomware or extortion attacks. With CVE.org reporting 28,961 CVEs published in 2023, the volume of work involved in keeping up is untenable, and that number is growing every year: as of the end of the third quarter of 2024, 29,004 CVEs had already been published. That is why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains its Known Exploited Vulnerabilities Catalog, a list of vulnerabilities that are known to have been exploited in the real world. That list reduces the highest-priority vulnerabilities in this example to under 1,200. Using these threat indicators makes vulnerability prioritization and remediation much more achievable. CISA’s list is an important tool in helping organizations reduce their risk of high-priority vulnerability exploitation.

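As an added illustration (not code from the article, from Optiv or from CISA), the following Python script shows the prioritization step described above: scanner findings are re-ranked so that CVEs present in the KEV catalog, and within those the entries CISA flags as used in ransomware campaigns, come ahead of everything else regardless of CVSS score. The scan export and the KEV excerpt are constructed sample data with placeholder CVE identifiers; the excerpt only borrows the field names of CISA's published JSON feed (cveID, dueDate, knownRansomwareCampaignUse) so the same code can be pointed at the real file.

```python
"""
Prioritize scanner findings with the CISA Known Exploited Vulnerabilities (KEV) catalog.

Added example, not from the original article. Both the scan export and the KEV
excerpt below are constructed sample data; the CVE identifiers are placeholders
(CVE-0000-xxxx), not real vulnerabilities. The KEV excerpt mirrors the field
names of CISA's published JSON feed so the same code can read the real file.
"""
import json
from typing import Dict, List

# Constructed KEV catalog excerpt (placeholder CVE IDs, fictional products).
KEV_JSON = """
{
  "title": "Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp", "product": "FileShare",
     "dateAdded": "2024-05-02", "dueDate": "2024-05-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCorp", "product": "Gateway",
     "dateAdded": "2024-08-14", "dueDate": "2024-09-04", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner export: one row per (asset, CVE) with the scanner's CVSS score.
SCAN_FINDINGS: List[Dict] = [
    {"asset": "fs-01", "cve": "CVE-0000-0001", "cvss": 7.5},
    {"asset": "web-03", "cve": "CVE-0000-0002", "cvss": 9.8},
    {"asset": "vpn-02", "cve": "CVE-0000-0003", "cvss": 8.1},
    {"asset": "db-07", "cve": "CVE-0000-0004", "cvss": 5.3},
    {"asset": "fs-02", "cve": "CVE-0000-0001", "cvss": 7.5},
]


def load_kev(raw_json: str) -> Dict[str, Dict]:
    """Index the KEV feed by CVE ID so each lookup is a dictionary hit."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(findings: List[Dict], kev: Dict[str, Dict]) -> List[Dict]:
    """Return findings sorted so KEV-listed CVEs come first.

    Ordering within the list:
      1. KEV entries flagged as used in ransomware campaigns
      2. other KEV entries
      3. everything else, by CVSS descending
    CVSS alone would have put CVE-0000-0002 (9.8) first even though it has no
    known exploitation; KEV membership overrides that.
    """
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        in_kev = entry is not None
        ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
        ranked.append({**f,
                       "in_kev": in_kev,
                       "ransomware": ransomware,
                       "due_date": entry["dueDate"] if in_kev else None})
    # Python's sort is stable; the key puts True (ransomware/KEV) before False.
    ranked.sort(key=lambda r: (not r["ransomware"], not r["in_kev"], -r["cvss"]))
    return ranked


def summarize(ranked: List[Dict]) -> Dict[str, int]:
    """Counts a manager would report: total findings versus the KEV-backed slice."""
    return {
        "total": len(ranked),
        "kev": sum(1 for r in ranked if r["in_kev"]),
        "ransomware": sum(1 for r in ranked if r["ransomware"]),
    }


if __name__ == "__main__":
    kev_index = load_kev(KEV_JSON)
    ordered = prioritize(SCAN_FINDINGS, kev_index)
    for row in ordered:
        tag = "RANSOMWARE" if row["ransomware"] else ("KEV" if row["in_kev"] else "-")
        print(f'{row["asset"]:8} {row["cve"]:14} CVSS {row["cvss"]:<4} {tag:10} due {row["due_date"]}')
    print(summarize(ordered))
```

A run prints the ordered list with the KEV due date for listed entries and a summary that contrasts total findings with the KEV-backed subset, which is the number worth reporting when showing risk reduction from this hack.
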
The final living-off-the-land hack highlights another great feature included with many vulnerability management tools: policy compliance. In this case, policy compliance means measuring the configuration of assets against a standard policy, which can be a common public standard like the CIS Benchmarks or DISA STIGs, or a custom policy you define. Not all vulnerability management software comes with this feature, and other products charge an extra fee for it, but these policies are designed to harden your assets against attack. Some vendors will even use the results to lower the severity of vulnerabilities that they can see are mitigated by the hardening process. Policy compliance can also reduce your risk from ransomware, zero days and other emerging threats.

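To make the policy-compliance idea concrete, here is an added Python example (not the article's code and not any vendor's implementation) that parses a constructed sshd_config, scores it against a small set of benchmark-style rules, and then lowers the severity of a hypothetical finding only when every control that mitigates it actually passes. The rule IDs, expected values and the two-point severity reduction are assumptions made for the example; they are not items quoted from a CIS Benchmark or a DISA STIG.

```python
"""
Check an asset's configuration against a hardening policy and feed the result
back into vulnerability severity.

Added example, not from the original article or any vendor's product. The policy
rules are constructed to illustrate the benchmark-style "directive must equal
value" form; they are not quotations from a CIS Benchmark or a DISA STIG. The
sshd_config text is also constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sshd_config excerpt for a hypothetical host.
SSHD_CONFIG = """
# sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 4
"""


@dataclass(frozen=True)
class Rule:
    """One policy line: a directive, the value it must have, and the default
    sshd applies when the directive is absent (so silence is scored too)."""
    rule_id: str
    directive: str
    expected: str
    default: str
    description: str


# Constructed rules in benchmark style; IDs are local, not CIS/STIG numbers.
POLICY: List[Rule] = [
    Rule("SSH-01", "PermitRootLogin", "no", "prohibit-password", "Root may not log in over SSH"),
    Rule("SSH-02", "PasswordAuthentication", "no", "yes", "Keys only; no password logins"),
    Rule("SSH-03", "X11Forwarding", "no", "no", "X11 forwarding disabled"),
    Rule("SSH-04", "MaxAuthTries", "4", "6", "Limit authentication attempts"),
    Rule("SSH-05", "ClientAliveInterval", "300", "0", "Idle sessions time out"),
]


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Directive value' lines; sshd directives are case-insensitive,
    so keys are lower-cased. Comments and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def evaluate(config: Dict[str, str], policy: List[Rule]) -> Dict[str, bool]:
    """Map each rule ID to pass/fail, using the daemon default when unset."""
    results: Dict[str, bool] = {}
    for rule in policy:
        actual = config.get(rule.directive.lower(), rule.default)
        results[rule.rule_id] = actual.lower() == rule.expected.lower()
    return results


def compliance_score(results: Dict[str, bool]) -> float:
    """Percentage of rules passed, the number most dashboards report."""
    return round(100.0 * sum(results.values()) / len(results), 1) if results else 0.0


def adjusted_severity(base_cvss: float, mitigating_rules: List[str],
                      results: Dict[str, bool], reduction: float = 2.0) -> float:
    """Lower a finding's severity only if every hardening control that
    mitigates it is actually in place (the behaviour the article attributes
    to some vendors). The size of the reduction is an assumption of this example."""
    if mitigating_rules and all(results.get(r, False) for r in mitigating_rules):
        return max(0.0, round(base_cvss - reduction, 1))
    return base_cvss


if __name__ == "__main__":
    res = evaluate(parse_config(SSHD_CONFIG), POLICY)
    for rule in POLICY:
        print(f'{rule.rule_id} {"PASS" if res[rule.rule_id] else "FAIL"}  {rule.description}')
    print(f"Compliance: {compliance_score(res)}%")
    # A hypothetical SSH brute-force finding that SSH-02 and SSH-04 would mitigate.
    print("Adjusted severity:", adjusted_severity(7.5, ["SSH-02", "SSH-04"], res))
```

Two design points carry over to real tooling: an absent directive is scored against the daemon default rather than skipped, because silence in a config file is still a configuration, and a severity adjustment requires all mitigating controls to pass, so one failed control leaves the finding at its original score.
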
Special Uses

Some of the best ways to maximize ROI are to use the product's features to improve other processes. For example, teams can enhance asset management by integrating their configuration management database (CMDB) with their vulnerability management software. This allows teams to find new assets that need to be added to the CMDB, or to discover configuration changes that must be recorded to keep the CMDB current. This function works even better with discovery scans and passive sensing. Passive sensing is a powerful tool that can even uncover hard-to-find rogue assets communicating on the network.

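The reconciliation described above, as an added Python example rather than code from the article or from any CMDB or scanner vendor: a constructed CMDB export is compared with a constructed scanner inventory to produce the three lists an asset-management team would act on (assets the scanner saw that the CMDB lacks, CMDB records the scanner never observed, and assets whose tracked attributes drifted), and new assets that were only seen passively are flagged for a first look as rogue candidates. Matching on normalized hostname alone is an assumption of the example; production integrations usually match on several attributes.

```python
"""
Reconcile scanner-discovered assets with a CMDB export.

Added example, not from the original article or any CMDB/scanner vendor. Both
inventories are constructed sample data keyed on a normalized hostname; real
integrations usually match on several attributes (MAC, serial, cloud instance
ID) because hostnames and IPs drift.
"""
from typing import Dict, List

# Constructed CMDB export: what the organization believes it owns.
CMDB: List[Dict] = [
    {"hostname": "WEB-01", "ip": "10.0.1.10", "os": "Ubuntu 22.04", "owner": "web-team"},
    {"hostname": "db-07", "ip": "10.0.2.7", "os": "RHEL 8", "owner": "dba"},
    {"hostname": "old-print-srv", "ip": "10.0.9.3", "os": "Windows Server 2012", "owner": "it-ops"},
]

# Constructed scanner inventory: what discovery scans and passive sensing saw.
# "source" records how the asset was found; passive-only assets never answered a scan.
SCANNER: List[Dict] = [
    {"hostname": "web-01", "ip": "10.0.1.10", "os": "Ubuntu 24.04", "source": "active"},
    {"hostname": "db-07", "ip": "10.0.2.7", "os": "RHEL 8", "source": "active"},
    {"hostname": "lab-nas", "ip": "10.0.5.21", "os": "Unknown", "source": "passive"},
]

# Attributes whose change should be pushed back into the CMDB.
TRACKED_ATTRS = ("ip", "os")


def _key(record: Dict) -> str:
    """Normalize hostnames so WEB-01 and web-01 are the same asset."""
    return record["hostname"].strip().lower()


def reconcile(cmdb: List[Dict], scanner: List[Dict]) -> Dict[str, List]:
    """Produce the three work lists an asset-management team acts on:
    - new_assets: seen on the network, absent from the CMDB
    - stale_assets: in the CMDB, never observed by the scanner
    - drift: present in both, but a tracked attribute changed
    """
    by_cmdb = {_key(r): r for r in cmdb}
    by_scan = {_key(r): r for r in scanner}

    new_assets = [by_scan[k] for k in by_scan.keys() - by_cmdb.keys()]
    stale_assets = [by_cmdb[k] for k in by_cmdb.keys() - by_scan.keys()]
    drift = []
    for k in by_cmdb.keys() & by_scan.keys():
        changes = {a: (by_cmdb[k][a], by_scan[k][a])
                   for a in TRACKED_ATTRS if by_cmdb[k][a] != by_scan[k][a]}
        if changes:
            drift.append({"hostname": k, "changes": changes})

    # Deterministic ordering makes the output diff-able between runs.
    return {
        "new_assets": sorted(new_assets, key=_key),
        "stale_assets": sorted(stale_assets, key=_key),
        "drift": sorted(drift, key=lambda d: d["hostname"]),
    }


def rogue_candidates(report: Dict[str, List]) -> List[str]:
    """New assets that were only seen passively deserve the first look:
    they are talking on the network but did not respond to a scan."""
    return [r["hostname"] for r in report["new_assets"] if r["source"] == "passive"]


if __name__ == "__main__":
    report = reconcile(CMDB, SCANNER)
    for bucket, rows in report.items():
        print(f"{bucket}: {rows}")
    print("Rogue candidates:", rogue_candidates(report))
```

Each output bucket maps to a CMDB action: new assets get a record and an owner, stale records get verified or retired (a decommissioned host still listed in the CMDB also still consumes a scan license), and drift entries get their attributes updated so the next scan targets the right thing.
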
External attack surface management (EASM) tools are also common add-ons that can quickly reduce risk and significantly improve your ROI. EASM tools can help you find public assets that are not currently being managed. They do this by using open-source intelligence (OSINT) to discover assets related to your public domains and IP addresses. EASM resources can even find vulnerabilities that are exposed to the world and ready to be exploited. With EASM, you can reduce your attack surface, discover and prioritize public vulnerabilities and gain insight into new threats as they arise.

Conclusion (TLDR)

Vulnerability management is a need for everyone, and in these tight times you need to get the most out of every dollar your organization spends. By using the risk evaluation tool built into your vulnerability management solution, you can measure your risk better while spending less time doing it. You can also get the most out of the valuable time of your systems engineers and other support staff by prioritizing vulnerability remediation based on actionable threat landscape guidance documented in resources like the CISA Known Exploited Vulnerabilities Catalog. Policy compliance is available through many tools and can mitigate current and emerging threats, greatly improving your ROI for the tool. Integration with your CMDB can help keep both your scanning and your CMDB up to date. Finally, EASM, despite the additional cost, can keep you up to date on the vulnerabilities that are most likely to be exploited. With an EASM tool, you can discover and prevent attacks before they happen, even if you did not previously know that your organization owned the associated risk. Implement these tips and you can see a noticeable reduction in your risk while lowering your total costs and the time required to act on the highest risks—all of which greatly improve your ROI.

Principal Analyst, Vulnerability Management Services | Optiv
David has been in information technology for over 15 years, with the last 8 years spent in cybersecurity with Optiv. David brings unique insight into vulnerability management and threat exposure management from his experience with endpoint and network security support. In David’s current role, he assists with the design of advanced vulnerability management configurations, leads the team’s automation efforts and supports numerous clients across multiple industries with regular scanning and reporting activities.

David has a Master of Science in Cybersecurity and Information Assurance and was a member of the 2023 President's Club at Optiv.
