Last updated at Fri, 27 Oct 2023 23:16:46 GMT

The ultimate goal of a vulnerability risk management (VRM) solution is to reduce risk in your organization by providing visibility, assessment, prioritization, and remediation capabilities. But how do you know if the solution can actually deliver in these areas and how your company will ultimately benefit?

To start, there are seven key criteria you should consider when picking and measuring the efficacy of a vulnerability management solution:

  1. Visibility of your complete IT environment: Ensure the VRM solution can cover your entire attack surface (on-premises, remote, cloud, virtual, containerized, etc.) and even external-facing assets you may not even know exist.
  2. Prioritization of your business: A good VRM product should prioritize risk based on its potential impact to your organization and what attackers are actively doing in the wild. It should factor in not only the CVSS score, but also malware and exploit exposure, exploitability, vulnerability age, as well as risk to the most critical assets in your organization.
  3. Extensibility and integration: Your security stack should be more powerful than the sum of its parts. The way to do this is by being able to integrate, orchestrate, and automate across your tech stack to simplify your workload.
  4. Reporting for the progress that matters most: It can greatly benefit your organization when you use a VRM product that can make and track progress toward your goals and SLAs and maintain compliance. It should also offer reporting capabilities to easily demonstrate this and meet the needs of both the security team and leadership.
  5. Simple pricing: Pricing should be simple, predictable, and scalable, meaning that as your organization scales, pricing should scale appropriately.
  6. Commitment to service and success: It’s important to know that your VRM solution’s uptime is a guarantee and that the provider offers full transparency on its SLAs.
  7. A unified security platform: Today’s threat landscape requires purposeful solutions that work together, which is why you want a security partner that works with you to achieve your overall security goals. Proven ROI: A good VRM product should be able to clearly illustrate proven ROI so you know it’s worthwhile.

Forrester conducted in-depth interviews with each organization to discuss the four factors that determine whether a VRM solution will be ROI positive:

  • Benefits: Was there a decrease in manual effort and time required to investigate and remediate vulnerabilities, patch, etc.?
  • Cost: What were the licensing, training, onboarding, and professional services costs?
  • Flexibility: Were there any other beneficial ways in which to leverage the product?
  • Risk: What was the likelihood the projected benefits would meet original expectations?

Based on these interviews, Forrester created a composite organization made up of the key characteristics of the organizations interviewed. It then constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the model based on certain issues or concerns of the interviewed organizations.

Key findings

Let’s dive into Forrester’s ROI findings. The TEI study was able to prove an ROI of 342% when using InsightVM over three years, with a payback period of under six months. Its ROI calculation is based on a cost-benefit analysis that highlighted the following findings:

1. Reduction in false positives

Forrester calculated a 22% reduction in false positives using InsightVM, which equated to significant savings in manual resources and time.

2. Reduction in investigation efforts

Forrester calculated a 33% reduction in the investigation process due to InsightVM’s reporting capabilities and actionable insights that enable organizations to make progress faster.

3. Reduction in patching efforts

Forrester calculated a 60% reduction in the patching process due to InsightVM’s automation and workflows, enabling customers to streamline work and save time.

4. Cost savings

Forrester discovered that InsightVM customers were able to avoid potential incidents and associated costs, resulting in a $2.3M savings over three years.

The director of infosec for one of the healthcare organizations interviewed reported, “InsightVM really reduces the amount of work that my team has to do. Before, a lot of it was working with application and server owners to provide them reports, then do the scans, etc.—it was a major time sink. Now the platform is mostly self-service giving infosec hours back that we can apply elsewhere.”

If you are interested in seeing how InsightVM can help you achieve similar results, sign up for a free trial or demo today.

The Total Economic Impact™ Of Rapid7 InsightVM, a November 2019 commissioned study conducted by Forrester Consulting on behalf of Rapid7.