Security teams are struggling to stay afloat in the vulnerability flood

By Sylvain Cortes, VP Strategy, Hackuity.


Security teams are scrambling to keep up with the ever-greater volume and sophistication of threats, with the active and continual exploitation of CVEs (Common Vulnerabilities and Exposures) having become the source of major headaches.

In November, the European Union Agency for Cybersecurity (ENISA) announced that it would be stepping up its role in vulnerability management – a strategic decision in response to the consistent increase in CVEs. Indeed, data from CVE.org shows a 38% uptick from 2023 to 2024, and a further 22% increase in the first three quarters of 2025.

In real terms, hundreds of new CVEs are now emerging every day, with attackers racing to exploit them before security teams can react. Alarmingly, almost a third of all exploited vulnerabilities were exploited on, or even before, the date they were publicly disclosed. The challenge is clear. According to the latest Verizon Data Breach Investigations Report (DBIR), exploitation of vulnerabilities now accounts for 20% of all breaches, with high-profile incidents having emerged through 2025. That includes the exploitation of several Microsoft SharePoint vulnerabilities by Chinese-affiliated actors deploying the Warlock ransomware, where more than 400 organisations – including the US National Nuclear Security Administration – were impacted.

CVE volumes are leading to burnout in 38% of security teams

For security teams, the task of remediating an overwhelming number of new daily vulnerabilities at speed has become nothing short of an uphill battle. According to Hackuity research, nearly half (46%) of IT security decision-makers say that the growing volume of CVEs has placed additional strain on their security teams’ resources, impacting not only organisational security but also staff wellbeing. More than a third (38%) state that it has led to burnout with their teams.

That impact is having serious knock-on effects, with one in four respondents admitting that the pressures of the job have contributed to a data breach, while 36% report it has resulted in regulatory fines. More than a third have also said that it has delayed incident response, while 33% report missed security alerts as a result.

The nonstop flood of alerts isn’t just stressful. It’s also costly. Clearly, the pressures facing security teams that are struggling to cope with the growing volume of vulnerabilities can lead to severe consequences.

That needs to change, and there are gaps that can be bridged. While most organisations (77%) report that they have formalised vulnerability remediation processes in place for identifying vulnerabilities, only 36% use a risk-based approach as their primary method, where vulnerabilities are prioritised based on asset criticality, exploitability and business impact.

There’s also work to do in moving vulnerability management up the priority list, with 60% of respondents to Hackuity’s survey reporting that it doesn’t receive the same focus as other IT security projects.

The need to embrace risk-based prioritisation

With CVEs firmly in the sights of threat actors, and security teams buckling under the pressure, organisations need to take a different approach – one in which teams are properly equipped and supported, ensuring that they are well placed to keep pace with the rising volume and complexity of vulnerabilities.

That strategy needs to start with a Vulnerability Operations Centre (VOC) that acts as a centralised control point for all vulnerability management operations. Within a VOC, all data feeds and alerts – from public databases and vendor advisories to threat intelligence – can be consolidated into a single, comprehensive, real-time view of risks.

From there, automation can be incorporated to help quickly assess context and evaluate the potential business impact of vulnerabilities. When a new zero-day then emerges, the VOC can be used to show security teams exactly which systems might be impacted.

This approach can provide the basis for a logical, risk-based approach to vulnerability management.

It’s important to acknowledge that there are simply too many new CVEs emerging on a daily basis. It’s not realistic to treat every CVE with urgency – even the most sophisticated vulnerability management teams will struggle to handle them all at speed. That kind of strategy will only further compound the stresses faced by security teams, which may lead to major slip-ups, such as missing the most serious vulnerabilities.

Instead, teams need to consider the potential implications that each CVE might have for their organisation specifically, assessing which assets are at risk, how exposed they are, and considering whether there is any evidence of exploitation.

That organisation-specific approach should be the bedrock of risk-based CVE management. While a high-scoring vulnerability on an isolated test system may not require immediate attention, a mid-severity flaw on a payments system will.
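
As an added illustration (not from the article or from Hackuity), the sketch below consolidates two constructed feeds into one record per CVE, matches them against an asset inventory, and ranks the results by asset criticality, exposure and evidence of exploitation. The weights, field names, CVE ids and sample data are assumptions, chosen to reproduce the isolated-test-system versus payments-system contrast above.

```python
from dataclasses import dataclass

# Assumed weights (not from the article); tune them to your environment.
CRITICALITY = {"low": 0.3, "medium": 0.6, "high": 1.0}          # business impact
EXPOSURE = {"isolated": 0.2, "internal": 0.6, "internet": 1.0}  # reachability
EXPLOITED_BOOST = 1.5  # multiplier when exploitation has been observed

@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    cvss: float
    exploited: bool

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str
    exposure: str
    software: frozenset

def consolidate(feeds):
    """One record per CVE: keep the highest CVSS, OR the exploited flag."""
    merged = {}
    for adv in (a for feed in feeds for a in feed):
        prev = merged.get(adv.cve)
        merged[adv.cve] = adv if prev is None else Advisory(
            adv.cve, adv.product, max(prev.cvss, adv.cvss),
            prev.exploited or adv.exploited)
    return list(merged.values())

def risk_score(adv, asset):
    score = adv.cvss / 10 * CRITICALITY[asset.criticality] * EXPOSURE[asset.exposure]
    if adv.exploited:
        score = min(1.0, score * EXPLOITED_BOOST)
    return round(score * 100, 1)

def prioritise(feeds, assets):
    """Return (score, cve, asset) rows for affected assets, highest risk first."""
    rows = [(risk_score(adv, a), adv.cve, a.name)
            for adv in consolidate(feeds) for a in assets
            if adv.product in a.software]
    return sorted(rows, reverse=True)

# Constructed sample data; CVE ids and product names are placeholders.
VENDOR_FEED = [Advisory("CVE-EXAMPLE-0001", "libfoo", 9.8, False),
               Advisory("CVE-EXAMPLE-0002", "webframework", 5.4, False)]
THREAT_INTEL = [Advisory("CVE-EXAMPLE-0002", "webframework", 5.4, True)]
ASSETS = [Asset("test-lab-01", "low", "isolated", frozenset({"libfoo"})),
          Asset("payments-api", "high", "internet", frozenset({"webframework"}))]

if __name__ == "__main__":
    for score, cve, asset in prioritise([VENDOR_FEED, THREAT_INTEL], ASSETS):
        print(f"{score:5.1f}  {cve}  {asset}")
```

With these assumed weights, the CVSS 5.4 flaw on the internet-facing payments asset scores 81.0, while the CVSS 9.8 flaw on the isolated lab host scores 5.9.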

The goal is to ease the burdens on security teams by providing them with the insights, technologies and tools to turn vulnerability management from a frantic firefight into a logical, coordinated process of systematic responses.

That is needed now more than ever. The flood of CVEs is only set to continue to rise moving forward. With modernised VOCs underpinned by enriched intelligence and risk-based prioritisation, teams will move from simply trying to keep their head above water to rowing effectively against an increasingly strong tide.
