Managing vulnerabilities and ensuring patches are available protects end users and helps ensure security is applied across the whole lifecycle of any product. ENISA found that for 46 % of organisations surveyed in 2022, it takes more than 1 month to patch critical vulnerabilities. Improving interoperability, automation and streamlined processes for exchanging information can go a long way towards ensuring vulnerability disclosure. At the same time, vendors need to have the appropriate tools, processes and people in place to implement secure-by-design practices in order to reduce the risk for users, whereas organisations are responsible for reducing the time between the disclosure of vulnerabilities and their remediation by enabling tooling for automated vulnerability information sharing.
Notification isn’t available for free, only being hacked is. Which state of service do all NIS2 companies require? I believe that as one of the leading cybersecurity providers, Orange Cyberdefense has set a baseline that can be replicated by others.
Orange Cyberdefense counters this problem by providing its (i)Soc customers with a direct alert, as described here:
A report can be found here: