A lot has changed since the last Forrester Wave™ evaluation on vulnerability risk management (VRM) in 2019. Since then, the VRM market has experienced several mergers, an unprecedented increase in the volume of Common Vulnerabilities and Exposures (CVEs), and vulnerabilities such as Log4j that will forever live in infamy (and in responders' nightmares). All these factors mean that VRM solutions look very different than they did in 2019. The norm for VRM vendors in 2023 is integrating data from third-party sources and taking an asset-centric approach to managing vulnerabilities. VRM solutions also play a bigger role in breach prevention by expanding the definition of a vulnerability to include any weakness that could lead to a breach.

This year’s VRM Wave process (which included reference customer interviews, executive briefings, and VRM vendor demos) identified these key trends currently driving the VRM market:

  • Organizations want visibility into their assets and the vulnerability risk associated with them. All solutions in our evaluation provide some form of risk scoring with the objective of supporting an asset-centric approach. Organizations should consider which assets are in scope for their VRM program and ensure that their VRM vendor can support them. Some reference customers use different solutions for different asset types, while others prefer an all-in-one solution that can ingest, deduplicate, and correlate across an array of asset types, from operational technology to cloud workloads.
  • Remediation prioritization is core. We saw the most differentiation around prioritization, with vendors typically finding their own niche in prioritization criteria, ranging from threat intelligence to asset contextualization and compensating controls. Organizations seeking a VRM solution should determine which prioritization inputs matter most to them, whether they need customized risk scores within the VRM solution, or whether they can use the vendor’s out-of-the-box risk score.
  • Vulnerability response is also essential. All vendors in the evaluation support IT service management integrations, which appear to be the most-preferred method for managing vulnerability responses. Differentiation came down to the automation of the response and the degree of customizability in the response efforts. Organizations should also look for solutions that assist with emergency and celebrity vulnerability response. Regardless of whether a vulnerability is overhyped, if it is making headlines, you typically still need to track and report on it. And emergency vulnerability response features can make the difference between a breach and a non-event.

I encourage Forrester clients to read The Forrester Wave™: Vulnerability Risk Management, Q3 2023. If you are interested in talking about VRM providers, or the people and processes supporting them, please schedule an inquiry with me.