Vulnerability Management Maturity in India

The document discusses risk-based vulnerability management and how it has become more important for organizations due to an increasing attack surface and evolving cyber threat landscape. It highlights key findings from a survey of 180 organizations which show that most prioritize vulnerabilities based on threat intelligence and tools, though few take a true risk-based approach. The document also discusses best practices for implementing an effective risk-based vulnerability management program.
CONTENTS
1. Executive Summary 3

2. Introduction 4

3. Understanding risk-based vulnerability management 5

4. Defining a good risk-based vulnerability management solution 8

5. Current State Analysis 10

6. Considerations while selecting a RBVM vendor 11

7. Four Best practices for an effective RBVM program 12

8. Survey Design and Implementation 14


1. EXECUTIVE SUMMARY
Cybersecurity is an ever-evolving field. While enterprise investments in information security in India are increasing, the number
of security breaches and threats is growing as well. Why are we always playing catch-up against our adversaries? Are we guilty of
ignoring some seemingly foundational practices that hold the key to improving our security posture?

Vulnerability management (VM), an essential cyber hygiene practice followed by many organizations, is often confused with patch
management. VM is more than just patch management. Your VM strategy needs to change with your evolving IT landscape.
Organizations are embracing new virtual and cloud assets such as containers. Mobile devices are increasingly used to access
enterprise networks on the go. Periodic scanning of traditional assets is no longer enough to deliver the necessary visibility and
insight. But organizations still follow an ad hoc approach when it comes to developing and performing VM.

In this report, we have surveyed and studied the risk-based vulnerability management (RBVM) maturity of Indian organizations.
The report is an outcome of an in-depth survey of 180 IT and security leaders that covered various aspects of RBVM across the
entire VM lifecycle, from the discovery phase to the remediation phase.

The objective of the report is to highlight the importance of following a sound RBVM program, by analyzing the current state of
Indian organizations and their maturity in the adoption of VM. The report brings out the difference between vulnerability
assessment (VA), VM and RBVM. We also explore the factors to consider while deciding whether to outsource an RBVM solution
or keep it in-house and provide some best practices to keep in mind while implementing an RBVM program.

Tens of thousands of vulnerabilities in software and hardware are already known to exist; new vulnerabilities continue to be
discovered and exploited by attackers every day. Without careful and diligent attention, every organization is at serious risk of
cyberattack, data breach, brand damage and loss of business. Thus, every organization needs to identify and address these
vulnerabilities through a rigorous, careful and comprehensive security program to stay safe from attacks. Industry best practice
is to implement continuous and comprehensive risk-based VM; this survey highlights many areas where Indian organizations
need to improve in this regard.

KEY FINDINGS:
Top factors used in assessing and assigning risk to each vulnerability include threat and vulnerability intelligence feeds,
recommendations from a vulnerability management tool, product vendor rating and importance of an asset to the
business.

When it comes to risk-based prioritization versus threat-centric prioritization, 58 percent of responses favored threat-centric
prioritization, while only 33 percent selected risk-based prioritization. Remediation in most organizations still largely depends
on patch management.

The top areas where automation is used for remediation activities include creation of IT operations’ ticket management
system (87 percent), identifying superseded patches (60 percent) and automatic deployment of patches (54 percent).

37 percent of the companies in the survey stated that they prefer the right blend of in-house and outsourced services
for VM. 30 percent of the small-sized companies preferred keeping everything in-house, and this could mostly be
because of readily available off-the-shelf SaaS-based products.

As per the survey results, 17.2 percent of organizations still conduct ad hoc scanning. The results also shed light on the
regularity of scanning conducted. Most companies across sectors fall under the moderate (23.6 percent) to high (44.6
percent) category, where scanning is performed once a week (high) or once a month (moderate).


2. INTRODUCTION
Every industry is now witnessing the digital boom. Digital transformation is driving growth and innovation for industry sectors
such as government, agriculture, pharma, and banking and financial services (BFSI). But growth and innovation are not without
risk: new threats emerge every day, which must be addressed.

Organizations today rely on both custom-designed and off-the-shelf hardware and software to protect and secure their Information
Technology (IT) assets. This complex mix of digital compute platforms and assets represents an organization’s ever-increasing attack
surface, where the assets themselves and their associated vulnerabilities are constantly expanding, contracting and evolving.

Tens of thousands of vulnerabilities in software and hardware are already known to exist; new vulnerabilities continue to be
discovered - and exploited - by attackers every day. Without careful and diligent attention, every organization is at serious risk of
cyberattack, data breach, brand damage and loss of business. Thus, every organization needs to identify and address these
vulnerabilities through a rigorous, careful and comprehensive RBVM program to strengthen their security posture.

“As the current cybersecurity threat landscape is uniformly evolving, organizations need to be proactive in their threat and vulnerability
management efforts. Assessment of assets and regularly maintaining their records is important to a strong RBVM foundation.
Prioritization of assets beyond the CVSS technique is another aspect to keep in mind to formulate a good RBVM program.”
- Sameer Ratolikar, Executive Vice President & CISO at HDFC Bank

DSCI and Tenable commissioned a detailed survey to understand where Indian organizations stand in terms of their RBVM program
maturity. The survey primarily covers topics around Indian organizations’ views on vulnerability management programs, the kind of
vulnerability assessment and RBVM solutions used, factors considered while evaluating vendors, and actions taken to remediate the
identified vulnerabilities.

This report is designed to enable IT security practitioners and leaders to:

1. Understand how critical an effective RBVM program is to their organization’s security.
2. Learn how their cybersecurity program compares to industry best practices.
3. Explain the latest developments in this space to their business executives.
4. Reduce workload while offering improved security.
5. Implement global best practices to ensure a comprehensive RBVM program.


3. UNDERSTANDING RISK-BASED VULNERABILITY MANAGEMENT
3.1 VULNERABILITY MANAGEMENT AND ITS COMPONENTS
The U.S. National Institute of Standards and Technology (NIST) defines a vulnerability as a “weakness in an information system,
system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”

The various components exposed to threats in an organization can range from the hardware and software products to improper
configurations of various IT assets: desktops, laptops, external “brought-in” mobile devices, browsers. It also includes
network-related assets such as servers, switches and routers. The cyberthreat landscape has been ever increasing and is now not
restricted to mere firewalls, servers and desktops alone. Cloud computing, adoption of internet of things (IoT) in the workplace,
increasingly complex IT systems, and increasing use of internet-connected operational technology (OT) and the web - all serve to
make companies increasingly exposed to vulnerabilities and risk of cyberthreats from various threat actors.

Every IT asset in the organization needs to be monitored on a timely basis and secured against any potential threats. Data threats,
breaches and risk exposure are all causes for concern. We believe it is vital for organizations to put into place a robust risk-based
vulnerability management program, to make the organization more proactive towards risks and mitigating them rather than
reacting to hacks, breaches and threats.

3.2 RISK-BASED VULNERABILITY MANAGEMENT – STAYING A STEP AHEAD
Organizations initially relied on the traditional patch management system, wherein patches were provided either by the IT team
in-house or by vendors and third-party providers. While this system relied on testing and ad hoc vulnerability scanning, it was
usually reactive and left organizations to remediate post a breach or a threat. This reactive approach was strengthened when
companies began simple ways of vulnerability assessment, which has now evolved to timely and planned vulnerability scanning,
patch management and a proactive approach to remediation for security and risk management.

RBVM is a comprehensive, end-to-end way of approaching vulnerabilities and managing IT assets in an integrated, systematic way.
RBVM, unlike vulnerability management, does not end at scanning and patching. It encompasses constant monitoring of both old and
new common vulnerabilities and exposures (CVEs), involves prioritizing critical vulnerabilities and provides a broader approach
and coverage to vulnerability management. Risk-based vulnerability management puts the control right in the hands of the
organizations.

[Figure: the evolution from reactive to proactive approaches:
Patch management (reactive) - manual scripting and ad hoc patching
Vulnerability assessment - automated, timely scans + timely patching
Vulnerability management - vulnerability assessment + remediation + patch management
Risk-based vulnerability management (proactive) - integrated, end-to-end vulnerability assessment + planned remediation +
patch management]

3.3 LOOKING THROUGH THE LENS –
RISK-BASED VULNERABILITY SCANNING IN INDIA
While nearly 36.9 percent of respondents said they do automated, scheduled scanning, nearly 17 percent said that they perform
ad hoc scanning, as needed. This is seen in sectors like healthcare, financial services and IT.

Type of scanning performed, by sector (percent of respondents):

                                                      All companies   Healthcare   Financial services   IT companies
Automated, scheduled scanning                                 36.9%        54.5%                  50%          43.2%
Automated, scheduled scanning and ad hoc scanning             26.1%        13.6%                  30%          21.6%
Automated scanning on a continuous basis                      19.7%        18.2%                   5%           8.1%
Ad hoc scanning (as needed)                                   17.2%        13.6%                  15%            27%

Frequency of scanning (percent of respondents):

Every 1-2 days (Very High)     10.2%
Once per week (High)           44.6%
Once per month (Moderate)      23.6%
Quarterly (Low)                16.6%
Bi-annually (Very Low)          5.1%

The survey results also shed light on the regularity of scanning conducted. Most companies across sectors fall under the
moderate (23.6 percent) to high (44.6 percent) category, where scanning is performed once a week (high) or once a month
(moderate). The percentage of respondents who say they scan once a day remains relatively low at 10.2 percent.

Ad hoc scanning can leave companies exposed and the need for RBVM becomes greater in these cases.

[Figure: bar chart of factors considered (percent of respondents): Assessment of risks to sensitive data; Availability of
resources; Prioritization of cyber risks; Availability of threat intelligence; Comparison to peers in other companies.]


Comprehensive solution or one basic scan template?


When asked about the types of scans their vulnerability scanner performed, exactly a third (33 percent) of respondents said they
use one comprehensive scan template containing all vulnerability detections for all assets. Almost a quarter of respondents (23.6
percent) said they use only one of the basic scan templates provided out of the box by their VA solution provider to conduct all
their scans.
Interestingly, the small-sized companies have resorted to using the basic scan templates provided by their VA solution. This could
be partly due to the notion amongst small and medium-sized companies that a basic scan template is easy to implement versus
using a customized and tailored solution.

While implementing vulnerability scanning, companies find virus or malware infection in virtual servers an extreme threat to
effectively implementing vulnerability management and securing their organizations. This is followed by the issues of
vulnerability of business or web applications, and increasing difficulty of managing governance with cloud computing.

[Figure: scan template usage by sector (percent of respondents). Options: Use one of the basic scan templates provided out of
the box by our VA solution to conduct all of our scans (Low); Use a variety of different out-of-the-box scan templates based on
use case or need (Moderate); Use customized and tailored scan templates for specific use cases (Low); Use one comprehensive scan
template containing all vulnerability detections for all assets (High).]

While considering a VM solution’s scanning methodology, most organizations said it is essential to strategize and automate the
scanning in an enterprise environment (62 percent) and utilize automated actions to scan dynamic environments (53 percent).
Authenticated/credentialed scanning best practices are considered moderately important to the scanning methodology.

Threats to effectively implementing vulnerability management (percent of respondents):

Issue                                                                    Extreme threat   High threat   Low threat
Virus or malware infection in virtual servers                                     66.9%         21.7%         3.2%
Vulnerability of business or web applications                                     56.7%         22.9%         3.2%
Increasing difficulty of managing governance with cloud computing                 45.2%         23.6%        12.7%
Huge number of new vulnerabilities discovered and targeted every year             30.6%         29.3%        10.2%
Increasing number of new technology platforms including cloud,
  virtualization, container and mobile computing                                  22.3%         22.9%        19.7%
Compatibility issue with third-party security software                            19.7%         14.6%        24.8%
Unknown malware or zero-day attacks                                               14.6%         16.6%        22.9%
Mistakes by employees                                                             14.6%         15.3%        19.1%

Companies were also surveyed on the kind of VM solution they have currently implemented. Nearly two-thirds (60 percent) of
respondents said that their VM solution had been deployed on a native cloud. This is followed by those who have deployed a hybrid
option (39 percent), and 26 percent who said they have their solution on-premises. The survey clearly indicates that companies
also rely on their cloud service provider for RBVM management.

[Figure: how respondents handle vulnerability management for cloud services (percent of respondents, grouped): Our cloud service
provider is responsible for vulnerability management; We scan and remediate cloud vulnerabilities utilizing the same process or
non-cloud services; We remediate cloud vulnerabilities as updates are made available, but we do not scan our cloud services; We do
continuous assessment and report the issues; We do not use cloud services.]

4. DEFINING A GOOD RISK-BASED VULNERABILITY MANAGEMENT SOLUTION
A risk-based vulnerability management solution must take a 360-degree approach to identifying, assessing and mitigating risks
for a company. Vulnerability management must evolve from ad hoc assessment of vulnerabilities to a systematic, cyclical program
managed on a day-to-day basis to ensure organizations are well-protected and safe from threats.

4.1 RISK PRIORITIZATION – A LARGER, ALL-INCLUSIVE VIEW TO VM


Rating the risk of vulnerabilities is a critical factor in vulnerability management. Risk is the amalgamation of asset plus threat plus
vulnerability - viewed in totality. For example, if there is a vulnerability and no threat, it is considered a low risk. Similarly, if there
is a threat but no vulnerability, it will be scored a low risk, too. Finally, if a vulnerability and a threat both exist, but the asset value
is low, then the risk is low. Organizations need to identify their critical assets to prioritize remediation efforts and reduce the risk
of loss. Marrying a vulnerability rating with an asset criticality rating and understanding the business context is paramount to
developing your company’s RBVM program.
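The prioritization rule above, as an added Python example (not code from the report or from Tenable): risk is computed as the product of a vulnerability factor (CVSS), a threat factor (intelligence-feed activity) and an asset-criticality factor, so any one factor near zero keeps a finding low, and each finding is then given a remediation timeframe by tier, the kind of severity and asset-priority timeframe best practice 04 in section 7 asks for. The weights, tier cut-offs, SLA days and sample findings are constructed assumptions.

```python
"""Risk-based prioritization of scanner findings.

Added example; not code from the DSCI/Tenable report. It implements the rule
the report states: risk = asset x threat x vulnerability, viewed together, so
a vulnerability with no known threat, a threat with no vulnerability, or a real
vulnerability on a low-value asset all rank low. Weights, tiers, SLA days and
the sample findings below are constructed assumptions, not survey data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # placeholder ids (VULN-...), not real CVE numbers
    cvss: float             # 0.0-10.0 scanner base score (0 = not vulnerable)
    threat: float           # 0.0-1.0 threat-intel activity (0 = no known threat)
    asset_criticality: int  # 1 (low business value) .. 5 (business-critical)


# Assumed tier cut-offs on the 0-100 risk score and the remediation SLA
# (days) attached to each tier, as the report's fourth best practice asks for.
TIERS = (("Critical", 50.0, 7), ("High", 25.0, 30), ("Medium", 10.0, 90))
LOW_TIER = ("Low", 0.0, 180)

# A vulnerability with no observed threat activity still gets a small floor
# (assumption): exploitation may start later, so it is low risk, not no risk.
THREAT_FLOOR = 0.1


def risk_score(f: Finding) -> float:
    """Combine the three factors multiplicatively on a 0-100 scale.

    Multiplying (rather than adding) is what gives the behaviour the report
    describes: if any one factor is near zero, the product is low regardless
    of how high the others are.
    """
    vulnerability = max(0.0, min(f.cvss, 10.0)) / 10.0
    threat = max(THREAT_FLOOR, min(f.threat, 1.0))
    asset = max(1, min(f.asset_criticality, 5)) / 5.0
    return round(100.0 * vulnerability * threat * asset, 1)


def risk_tier(score: float) -> tuple:
    """Map a score to (tier name, threshold, sla_days)."""
    for tier in TIERS:
        if score >= tier[1]:
            return tier
    return LOW_TIER


def prioritize(findings):
    """Risk-based order: highest combined risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def cvss_only_order(findings):
    """The ordering a CVSS-only programme would produce, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def remediation_plan(findings):
    """One row per finding: (asset, vuln_id, score, tier, sla_days)."""
    rows = []
    for f in prioritize(findings):
        score = risk_score(f)
        name, _, sla_days = risk_tier(score)
        rows.append((f.asset, f.vuln_id, score, name, sla_days))
    return rows


# Constructed sample findings illustrating the report's three cases.
SAMPLE = [
    # vulnerability + active threat + business-critical asset
    Finding("web-payments-01", "VULN-A", cvss=7.5, threat=0.9, asset_criticality=5),
    # highest CVSS and active threat, but on a throwaway test VM
    Finding("dev-test-vm", "VULN-B", cvss=9.8, threat=0.9, asset_criticality=1),
    # highest CVSS on an important asset, but no known threat activity
    Finding("hr-db-01", "VULN-C", cvss=9.8, threat=0.0, asset_criticality=4),
    # threat campaign targets this product, but the scanner found it patched
    Finding("corp-fw-01", "VULN-D", cvss=0.0, threat=1.0, asset_criticality=5),
]

if __name__ == "__main__":
    print("CVSS-only order:", [f.vuln_id for f in cvss_only_order(SAMPLE)])
    for row in remediation_plan(SAMPLE):
        print("%-16s %-7s risk=%5.1f %-8s fix within %d days" % row)
```

On the sample data a CVSS-only queue would put the two 9.8 findings first, while the risk-based queue puts the 7.5 finding on the payments server at the top and leaves the un-threatened and the patched findings at the bottom.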

[Figure: factors used to rate vulnerability risk: Use of threat intelligence, data science research, asset criticality and CVSS;
Combination of CVSS and asset criticality; Criticality of the IT assets to the business; Ease of remediation; CVSS score only.]

The survey results show that few companies rely only on the Common Vulnerability Scoring System (CVSS) score to assess risks.
Several other factors, such as threat intelligence, data science research and asset criticality, are also considered (shown in the
above figure).
When it comes to prioritizing threats, large and mid-sized companies mainly consider threat and vulnerability intelligence feeds,
along with recommendations provided by a vulnerability management tool to assess and assign risk to vulnerabilities. Small-sized
businesses take these factors into account as well, and they also acknowledge the importance of an asset to the business.
In rating the risk of vulnerabilities, most small-sized companies rely either on outside sources, such as threat and vulnerability
intelligence feeds or vendor risk-ranking of issues (40 percent), and also an informal risk-rating process with a multilevel rating
scale (40 percent). On the other hand, mid-sized and large companies preferred having a formal risk-rating tie-up process with a
multilevel rating scale.

While we believe risk-based prioritization is the way forward, at present the survey shows only 33 percent of respondents are
currently using it, while 58 percent of respondents prefer threat-centric prioritization.

[Figure: factors used in assessing and assigning risk to each vulnerability (percent of respondents, grouped): Scoring from threat
and vulnerability intelligence feeds; Recommendation from the vulnerability management tool; Product vendor risk rating;
Importance of asset to the business; CVSS severity level.]

4.2 PATCH MANAGEMENT – IS IT THE ONLY WAY FOR REMEDIATION?
A good remediation strategy is as critical as an assessment for any organization. The survey responses around regularity of
patching in organizations show that patching in large and mid-sized organizations is done “weekly” while small organizations
resort to “monthly” patching. Most organizations rely on patching as the primary method for mitigating vulnerabilities, but almost
no one surveyed had mature patching practices implemented on the majority of their IT infrastructure. This demonstrates a strong
need for alternative vulnerability mitigation strategies (such as integration with IPS or WAF solutions for “virtual patching”) until
the underlying vulnerabilities themselves can be patched.

Having a stable, regularly running RBVM solution, along with tightly defined SLAs, allows organizations to detect critical
vulnerabilities in advance, and also work on mitigating them. Companies also implement other methods of mitigation, such as
changing configuration settings, employing network segmentation and segregating or banning IP ranges. These are all viable ways to
stay ahead in terms of mitigating risks and managing remediation.

Remediation in most organizations still largely depends on patch management.

Patching maturity by asset class (percent of respondents):

Asset class                                                        Very mature   Moderately mature   Not mature
OSes (e.g., Microsoft, Linux, Unix, macOS)                               82.2%               14.6%         3.2%
Physical security systems (e.g., cameras, badge readers)                 75.8%               17.2%         7.0%
Client-side business applications (e.g., Office packages,
  browsers, CRM, HR)                                                     75.2%               22.3%         2.5%
Network equipment (e.g., routers, switches)                              68.2%               26.1%         5.7%
Cloud services (e.g., IaaS, PaaS, SaaS)                                  59.2%               26.8%        14.0%
Server-side applications (e.g., Oracle, IBM, Apache, Microsoft)          58.6%               31.8%         9.6%
Network security systems (e.g., firewalls, IDS / IPS)                    56.7%               22.9%        20.4%
Client-side “other” (e.g., media players, social media apps)             56.1%               38.9%         5.1%
ICS systems and devices                                                  50.3%               39.5%        10.2%
Building control systems (e.g., HVAC, UPS, generator)                    38.2%               40.1%        21.7%
IoT devices (e.g., wallboards, TVs)                                      36.3%               31.2%        32.5%
Mobile endpoints (e.g., smart phones or notebooks)                       21.7%               29.9%        48.4%
Business partner environments                                            20.4%               26.1%        53.5%

4.3 ROLE OF AUTOMATION IN RBVM SOLUTIONS


Automation and artificial intelligence play a role in RBVM, too. Intelligent vulnerability solutions are the need of the hour. Less
reactive solutions - which integrate the various systems and components under one umbrella and apply both human expertise
and automation - offer a secure, proactive and process-driven approach.

When the processes from discovery to remediation are long, tedious, and mostly manual, the security and IT team’s experiences lag,
putting undue pressure on VM. By introducing automation, optimizing repetitive steps, and reducing manual interventions,
organizations can accelerate the process of patching and overall RBVM. It enhances and increases the speed of information flow
from the security teams to the IT teams and back, thereby keeping organizations updated against breaches and threats.

Remediation activities where automation is used (percent of respondents):

87%   Creation of IT operations’ ticket management system
60%   Identifying superseded patches
54%   Automatic deployment of patches
46%   Recommend remediation on cases; criticality basis
40%   Automation of validation for vulnerability closures

5. CURRENT STATE ANALYSIS
5.1 RISK-BASED VULNERABILITY MANAGEMENT MATURITY
The market for vulnerability management is growing in India. The developed nations, such as the U.S. and Western Europe,
witnessed stricter government regulations, which led to the early adoption of vulnerability management practices and evolved in
terms of VM. According to a Cisco report, 20.1 percent of all cyberattacks occurring in 2018-19 were targeted towards BFSI
companies, making this the most prominent of all industry sectors.

Yet, according to our survey, even respondents in the BFSI sector still rely on a combination of in-house and external vendors for
their vulnerability management processes. One of the reasons for this could be budget constraints. The current state of adoption
of RBVM practices also varies widely based on company size.

While VM-as-a-Service (VMaaS) can significantly reduce the financial burden of VM, small companies need to be educated about the
advantages of VM and the potential costs of cyberattacks resulting from vulnerability exploits.

Scan frequency by company size (percent of respondents):

             Large    Medium   Small
High         61.2%    52%      50%
Moderate     18.4%    26.5%    20%
Low          20.4%    21.4%    30%

For example, when it comes to low-frequency scans, 20.4 percent of large companies cited a low scan rate/frequency, while
almost one third (30 percent) of the small companies indicated a low scan rate (meaning they conduct scans monthly or
quarterly).

Just 10 percent of the small companies mentioned that they run VM scans bi-annually, a frequency considered to be very low at
the global level. This is in line with the low budget allocation for cybersecurity in India, and small companies are expected to spend
even less on cybersecurity than their medium and large counterparts. The above values also vary depending on the industry.

Almost half of the survey respondents (44.4 percent) from the business and consumer services segment indicated that they use
a variety of different out-of-the-box scan templates based on the use case or need. 45.5 percent of the healthcare companies
reported that they use either a customized and tailored scan template for specific use cases, or a comprehensive scan template
containing all vulnerability detections for all assets. In the financial services and IT sectors, the use of either a customized and
tailored scan template for specific use cases or a comprehensive scan template containing all vulnerability detections for all
assets was high (75 percent and 70.3 percent, respectively). The healthcare sector’s low use of a customized and tailored or
comprehensive template is a shift from the global scenario, where companies in the healthcare sector have already adopted
Overall, it is evident that despite VM being a mature market, its adoption is much lower among small companies and certain
sectors/industries in India. While some small companies have adopted VM, their limited budget, coupled with a weaker
understanding of vulnerability risks, has led to specific challenges. These are: a low frequency of VM scan; adoption of basic
scan templates; and no tie-up with risk rating agencies. All this increases the vulnerability risk.

6. CONSIDERATIONS WHILE SELECTING AN RBVM VENDOR
6.1 IMPORTANCE OF A GOOD RISK-BASED VULNERABILITY MANAGEMENT PROGRAM

Vulnerability management is once again becoming the top security agenda. It is driven by the risks posed by new technologies,
the speed of new threats, and more board attention on cybersecurity. As a result, many organizations are now modernizing their
VM programs. CVSS-based prioritization, blind spots and inflexible reporting are no longer sufficient. Instead, what is needed is
risk-based prioritization, benchmarking, complete visibility, and flexible reporting with powerful APIs.

The importance of vulnerability management and the evolution of risk-based VM - which are fundamental to the discipline of
Cyber Exposure Management - are driving accelerated spending. Here are five key considerations to help you improve the
efficiency and effectiveness of your program today while planning for future needs - as well as critical questions to ask a
prospective vendor.

1. Continuous and complete discovery: For asset discovery and vulnerability assessment, breadth of coverage is essential.
Achieving continuous discovery and complete visibility into your environment is vital for preventing blind spots. To make this
happen, you need a portfolio of data collection technologies purpose-fit to each asset and scenario.
2. Assessment - beyond just running a scan: Assessing assets for vulnerabilities and misconfigurations is no longer about just
running a scan. It’s about using a range of data collection technologies to identify diverse security issues.
3. Advanced prioritization - a game changer for risk reduction: Modern VM solutions analyze a much broader and more
timely set of data than ever before. This exacerbates the problem of vulnerability data overload, increasing the need for effective
prioritization. By leveraging machine learning, advanced solutions can spot hidden patterns in data that correlate with future
threat activity. As a result, you can see which vulnerabilities are predicted to have the highest likelihood of near-term
exploitation. This helps you answer the question: “What’s the actual risk of my vulnerabilities, based on historical trends, current
threat activity and the business value of my assets?”.
4. Flexible, automated reporting and benchmarking: Look for solutions that provide both out-of-the-box reporting for your
most critical questions and easy report customization for meeting the unique needs of teams, business units or compliance
frameworks. You shouldn’t have to export data to Excel every time you want to answer a question or communicate information.
You should also expect a robust and well-documented API, making it possible to automate custom business processes. Lastly,
look for a solution that provides external (peer) benchmarking for metrics like cyber risk, vulnerability age and scan frequency, as
well as internal benchmarking that compares VM program performance and cyber risk across organizational units.

[Figure: the three pillars of an RBVM program: People; Processes and policies; Systems and tools.]


Asset management, strong IT policies and vulnerability management processes


combined with a stable, expert team of people surely helps any organization
put a robust RBVM program in place.

6.2 SELECTING YOUR RBVM VENDOR – IN-HOUSE OR THIRD-PARTY?


More than a third (37 percent) of the companies in our survey stated that they prefer the right blend of in-house and outsourced
services. Large and mid-sized companies also preferred the outsourcing route for key tasks and non-core activities while they
manage the integration. Small companies felt otherwise. They preferred keeping everything in-house; this could mainly be due
to the availability of off-the-shelf SaaS-based products for RBVM and limited budgets.

[Figure: preferred sourcing model for RBVM (percent of respondents, grouped): Blended external and internal capabilities;
Externalize only non-core activities; Outsource key tasks and manage integration; Keep everything in house; Fully outsource.]


Outsourced vendors and off-the-shelf cloud-based solutions are preferred as they allow the in-house teams to focus on RBVM
and to stay updated with the latest technologies. With third-party tools and access to specialist vendors, the in-house team can
seamlessly carry out the tasks of discovering vulnerabilities, prioritization, timely patch management and reporting, and
communication to the relevant teams, as well as the overall business.

7. FOUR BEST PRACTICES FOR AN EFFECTIVE RBVM PROGRAM

01 Setting aside a budget for risk-based vulnerability management. This includes budgets for the team and RBVM-related tools
and systems, patching and other remediation methods.

02 Having an RBVM policy document in place. This allows the organization to set systematic standards and procedures that define
how RBVM will be carried out in the organization.

03 Improving the accuracy and regularity of vulnerability scanning. Implementing scans weekly (or even daily) rather than once in
a quarter or bi-annually is recommended.

04 Defining a clear remediation process that establishes specific levels of severity and the urgency to remediate against the
vulnerability, and the asset priority in a specified timeframe.

“A comprehensive vulnerability assessment program provides organizations with the knowledge, awareness, and risk
background necessary to understand threats to their environment and act accordingly. Real exploits, hackers, security
researchers, bug bounty programs, and product vendors are discovering and reporting new vulnerabilities every moment.
These vulnerabilities are frequently caused by either coding errors or by security misconfigurations. Coding errors, including
the failure to check user input, allow attackers/hackers to improperly access system memory, data, or to execute commands.
It needs commitment from the top management to the bottom level engineer and cybersecurity analyst to do the
assessment and remediation with effective enforcement to protect an organization’s assets and information.”

Navaneethan M, Chief Information Security Officer and Head-IT at PayU


8. SURVEY DESIGN AND IMPLEMENTATION

This report was commissioned in collaboration with Tenable®. It was designed to assess the maturity of Indian organizations'
vulnerability management practices. Questions were administered to 180 respondents, spanning companies of small, medium
and large sizes. The respondents included leaders and managers involved with security and risk management. The spectrum of
roles included CIOs, COOs, CSO/CISOs, Chief Risk Officers / Chief Compliance Officers, VP IT/Operations, IT Directors, and senior
mid-management level managers and technical leaders.

Designing the questionnaire:
A team of experts from industry and research was deployed to oversee the survey. Based on the objective set out for this
report, a detailed questionnaire was drafted covering every aspect of the VM lifecycle, including discovery (identifying and
mapping every asset); assessing and analyzing vulnerabilities through to prioritization; and remediation and its measurement for
better decision making. The questions were scripted in a manner that not only captured the current status of VM in India but also
shed light on how it is being implemented in organizations. The survey questions were also designed to provide an understanding
of the current VM maturity of respondents. To arrive at the questions, the team reviewed several previous surveys on VM from
leading research firms.

Administering the Survey:

Screener questions with skip logic ensured that the right kind of respondents took the survey. Those whose job functions are
not directly related to VM and those who do not participate in VM decision-making in their organizations were screened out.
The survey was administered to the respondents via a tool, and the survey link was programmed with security measures such as
Geo IP, Duplicate IP and termination LOI. Thorough testing was conducted before administering the survey to ensure
comprehensive and secure coverage.
A dedicated panel was set up for data collection, and quotas were applied at job levels and verticals to ensure a balanced
split. Samples were calibrated in real time to improve the input rate among CXOs for a more accurate outcome.

Respondent profile

By industry: IT 23%; Financial Services 16%; Healthcare 13%; Business or Consumer Services 11%; Fintech 11%;
Electronics 9%; Advertising or Marketing 6%; Consumer Product Manufacturing 4%; Others 9%

By company size: 2 to 99: 2%; 100 to 499: 6%; 500 to 999: 19%; 1,000 to 4,999: 39%; 5,000 to 19,000: 16%;
20,000 or more: 18%

By role: CSO/CISO 26%; CIO 23%; VP IT 14%; COO 11%; Chief Risk Officer 8%; VP Ops 7%; IT Director 7%; Manager 3%
ACKNOWLEDGEMENT
Special thanks to:
Sameer Ratolikar, Executive Vice President and CISO at HDFC Bank
Navaneethan M, Chief Information Security Officer and Head-IT at PayU

DISCLAIMER
This report primarily contains the results of the survey conducted on the RBVM topic. It represents the view and responses
provided by the survey respondents. It is a simple average of results of the target responses, industries and company size
segments covered in this survey.

The primary and secondary information collected for this report was duly referenced/sourced. While care has been taken to
ensure the information in this report is accurate, DSCI and Tenable® do not accept any liability for any loss arising from reliance
on the information, or from any error or omission, in the report.

Any person relying on this information does so at their own risk. DSCI and Tenable® recommend that individuals exercise skill
and care, including obtaining professional advice, concerning their use of this information for their purposes.

DSCI and Tenable® do not endorse any company or activity referred to in the report, and do not accept responsibility for any
losses suffered in connection with any company or its activities.

Tenable® is the Cyber Exposure company. Over 27,000 organizations around the globe rely on Tenable® to understand and
reduce cyber risk. As the creator of Nessus®, Tenable® extended its expertise in vulnerabilities to deliver the world’s first
platform to see and secure any digital asset on any computing platform. Tenable® customers include more than 50 percent of
the Fortune 500, more than 25 percent of the Global 2000 and large government agencies.
https://www.facebook.com/Tenable.Inc
https://www.linkedin.com/company/tenableinc/
@TenableSecurity
https://www.tenable.com/blog

Data Security Council of India (DSCI) is a premier industry body on data protection in India, setup by NASSCOM®, committed
towards making the cyberspace safe, secure and trusted by establishing best practices, standards and initiatives in cybersecurity
and privacy. DSCI works together with the Government and their agencies, law enforcement agencies, industry sectors including
IT-BPM, BFSI, CII, Telecom, industry associations, data protection authorities and think-tanks for public advocacy, thought
leadership, capacity building and outreach initiatives. For more information, visit: www.dsci.in

DATA SECURITY COUNCIL OF INDIA


NASSCOM CAMPUS, 3RD FLOOR, Plot. No. 7 – 10, Sector 126, Noida, UP – 201303

For any queries contact:


Ph: +91 – 120 – 4990253 | E: [email protected] | www.dsci.in

dsci.connect | dsci.connect
dscivideo | data-security-council-of-india

All Rights Reserved © DSCI 2019
