What makes a vulnerability management program great
Just about every organization uses multiple projects and programs to manage its business. Typically, a cybersecurity project focuses on a specific problem and set of short-term deliverables. The cybersecurity program, on the other hand, consists of multiple related projects addressing cybersecurity challenges that can have wide-ranging effects across the enterprise. While the project is designed to address a discrete challenge, the program is designed to push the organization forward on high-level strategies, goals, and directives.
In terms of vulnerability management, we often see the application of individual vulnerability scanners and projects in various parts of an organization. But the truly effective vulnerability management program operates at a higher level.
An effective vulnerability management program continually monitors, analyzes, and assesses risk, giving the organization a complete view of its security weaknesses and of the exposures that can negatively impact the enterprise.
With this expanded scope and visibility, the vulnerability management program needs to be supported from the C-suite down, aligned with high-level strategies, and integrated with core elements of the business. The program should also include a steering committee that draws members from all parts of the organization, to ensure cross-functional support and alignment. A well-run vulnerability management program is the foundation that supports the organization’s cybersecurity posture, agility, and cyber-resilience. It is also the infrastructure that makes truly great vulnerability management possible.
“Security-smart organizations have gone well beyond thinking just in terms of assessing and addressing vulnerability—now vulnerability management is a cornerstone of their corporate security, risk, and compliance programs.” – CSO Online
Four key elements in a vulnerability management program and how they work together
So what are the key elements in a “great” vulnerability management program and how do they work together?
1. Vulnerability Assessment (weaknesses, risks, and exposures)
Effective vulnerability management starts with your ability to assess vulnerabilities. An effective vulnerability assessment program gives your organization the tools needed to understand its security weaknesses, assess the risks associated with those weaknesses, and put protections in place that reduce the likelihood of a breach. Conducted on a regular basis, these vulnerability assessments identify hazards, assess the likelihood of a security failure, and help you focus scarce resources on those things that matter most.
2. Vulnerability Management Tools (vulnerability scanners, deep learning, and AI)
As our understanding of security risk has matured, so have vulnerability management tools, which now support a continuous enterprise-wide lifecycle of vulnerability discovery, remediation, and reporting.
“A full-featured vulnerability management product or suite of products must be able to support, at minimum, a repeatable lifecycle of asset discovery and enumeration, vulnerability detection, risk assessment, configuration compliance assessment, change management and remediation, verification, and auditing and reporting.” – CSO Online
Vulnerability scanning tools are the backbone of every vulnerability management program. They don’t just detect vulnerabilities and misconfigurations; they also help with risk assessment by weighing the severity of each finding against the value of the vulnerable system to the organization, so that the same flaw on a payments database ranks above that flaw on a lobby printer. After remediation, re-scans will tell you whether corrective actions have been successful (that is, whether a patch has been applied or a configuration error corrected) and whether the change introduced anything new.
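The two activities described above (prioritizing findings by severity and asset value, then verifying remediation with a re-scan) are easy to show in code. The following is an added example written for this page, not code from any scanner product or from the original article: the findings, check names, criticality ratings and scoring weights are all constructed for illustration, and the `exploit_available` flag stands in for whatever exploit-intelligence feed a real program would consult.

```python
"""Added example: rank scan findings by severity x asset value, then diff two
scans to verify remediation. All data and weights below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str               # hostname from the asset inventory
    check: str               # scanner check name (constructed, not real plugin ids)
    cvss: float              # base severity reported by the scanner, 0.0-10.0
    exploit_available: bool  # assumed feed flag: a public exploit is known


# Constructed asset inventory: business criticality on a 1 (low) to 5 (high) scale.
ASSET_CRITICALITY = {
    "payments-db-01": 5,
    "web-edge-03": 4,
    "dev-jumpbox": 2,
    "printer-lobby": 1,
}

# Constructed first scan: note the 9.8 findings sit on the least valuable assets.
SCAN_1 = [
    Finding("payments-db-01", "missing-os-patch", 7.8, True),
    Finding("web-edge-03", "tls-1.0-enabled", 5.3, False),
    Finding("dev-jumpbox", "ssh-weak-cipher", 9.8, False),
    Finding("printer-lobby", "default-credentials", 9.8, True),
]

# Constructed re-scan after remediation: two items fixed, two still open, one new.
SCAN_2 = [
    Finding("web-edge-03", "tls-1.0-enabled", 5.3, False),
    Finding("dev-jumpbox", "ssh-weak-cipher", 9.8, False),
    Finding("web-edge-03", "missing-os-patch", 7.8, False),
]


def risk_score(f: Finding) -> float:
    """Severity weighted by asset value, with an assumed 1.5x boost when an
    exploit is public. Unknown assets are treated as medium value (3) rather
    than dropped, so an inventory gap never silently hides a finding."""
    criticality = ASSET_CRITICALITY.get(f.asset, 3)
    score = f.cvss * criticality
    if f.exploit_available:
        score *= 1.5
    return round(score, 1)


def prioritise(findings):
    """Return findings ordered from highest to lowest risk score."""
    return sorted(findings, key=risk_score, reverse=True)


def verify_remediation(before, after):
    """Diff two scans on (asset, check) and return (fixed, still_open, new).
    'fixed' is what the re-scan confirms; 'new' catches regressions the
    remediation work itself may have introduced."""
    before_keys = {(f.asset, f.check) for f in before}
    after_keys = {(f.asset, f.check) for f in after}
    fixed = sorted(before_keys - after_keys)
    still_open = sorted(before_keys & after_keys)
    new = sorted(after_keys - before_keys)
    return fixed, still_open, new


if __name__ == "__main__":
    print("Remediation order:")
    for f in prioritise(SCAN_1):
        print(f"  {risk_score(f):6.1f}  {f.asset:16} {f.check}")
    fixed, still_open, new = verify_remediation(SCAN_1, SCAN_2)
    print("Fixed:", fixed)
    print("Still open:", still_open)
    print("New since last scan:", new)
```

Running it puts the 7.8 on `payments-db-01` ahead of both 9.8s, because severity alone is not risk; the re-scan diff then shows exactly which items the fix closed, which are still outstanding, and the one finding that appeared only after the change.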
It’s also worth noting that machine learning and AI, while still emerging technologies applicable to nearly every sector, are already delivering benefits in cybersecurity. Because of the scale of the problem (a vast attack surface, hundreds of attack vectors, thousands of devices, and far more scan and log data than analysts can read), AI-assisted and autonomous systems can automate much of the triage and respond faster than traditional rule-driven tooling alone.
3. Integration and Alignment (systems, processes, key stakeholders)
Vulnerability management is a top enterprise-wide priority, and as such, your vulnerability management program needs to be tightly integrated with your organization’s business-critical systems and processes. It needs to draw on vulnerability databases, so that findings are matched to known, scored weaknesses, and it must also align with key stakeholders across the organization (not just in IT and infosec), as well as with compliance and regulatory requirements. Risks can be lurking anywhere, so risk management needs to “have eyes and ears” covering the entire vulnerability landscape.
4. Agility (cyber-resilience and scale)
IT security is always going to be a moving target, which makes agility, cyber-resilience, and scale all major considerations. Is your vulnerability management program agile enough to keep your organization safe? Does it take into account business criticality and context? Do your security systems and related processes scale to meet an ever-evolving threat landscape? Are you cyber-resilient?
The number of IT assets that companies have in place is only going in one direction – up. More endpoint devices, servers, and applications are continually being added to the environment, and this puts increasing demands on IT to keep everything up to date. As the number of known vulnerabilities continues to rise, the time between a vulnerability being disclosed and a working exploit appearing for it keeps shrinking. It becomes increasingly difficult to manage vulnerabilities effectively when there are hundreds, thousands, or even millions of assets to consider and very short windows of time to respond.
How to achieve best-in-class status for your vulnerability management program
When it comes to vulnerability management, it’s important to aim high. Because the stakes are so critical, OK is not good enough; your vulnerability management program needs to strive for best in class.
As you architect your vulnerability management program, remember these key elements:
- Scope (what does it cover)
- Strategic importance (from C-suite down)
- Integration (with other key systems, stakeholders, and processes)
Once you’ve gotten that right, “the devil is in the details.” Ongoing vigilance (vulnerability scanning, mitigation, re-scanning) helps you stay ahead of emerging threats. Integration and discipline (well-defined and strongly enforced) help you sustain a strong security posture over time. And AI/machine learning can help you make sense of large amounts of data to obtain relevant insights, elevating your program to a whole new level.
The most successful programs manage to thread the needle between the big picture (enterprise-wide security) and every relevant detail (systems, organizations, processes) – detecting security issues and software vulnerabilities that can lead to exploitation and mitigating risk across the enterprise infrastructure.