A Stockphoto - stock.adobe.com


How to build a better vulnerability management program

With a vulnerability management program in place, your organization is better equipped to identify and mitigate security vulnerabilities in people, processes and technologies.

Vulnerability management is one of the biggest cybersecurity challenges for an organization. Over the past 20 years, vulnerability management expanded from basic patch management to include configuration management. Today, a unified vulnerability management program is required to address all types of cybersecurity vulnerabilities -- in people, processes and technology.

Without an effective and efficient vulnerability management program in place, organizations are at a higher risk of compromise and significant damage.

Let's look at how to improve your organization's vulnerability management, whether it already has a vulnerability management program or is thinking about starting one. The following five steps are key to building a better vulnerability management program.

1. Determine which vulnerability types are in scope

While patch management and configuration management are the core of most programs, it is beneficial to have a holistic approach that encompasses every vulnerability type. This includes ensuring the organization's systems, services and internally developed software are secure by design and by default. Additionally, organizations should proactively plan how to address future vulnerabilities in technologies reaching end of life and losing vendor support.

2. Know your technology assets

Asset management continues to be a major challenge for most organizations. The number and variety of physical and virtual technologies in use are skyrocketing, especially with so many people independently acquiring and using cloud-based services and other unofficial technologies -- known as shadow IT. Improving asset inventory capabilities helps support and improve vulnerability management programs.

3. Establish continuous processes for all vulnerability management

Multiple vulnerability management methodologies and lifecycles exist, which all include the following:

  • Identifying vulnerabilities.
  • Assessing their risk.
  • Determining how to address vulnerabilities.
  • Executing planned actions.
  • Confirming vulnerabilities are addressed.

Following a consistent process for all vulnerability types helps ensure an organization's highest-risk vulnerabilities are always known and no category is overlooked. Note that not every vulnerability needs to be eliminated. For some vulnerabilities, risk can be sufficiently mitigated through compensating controls, such as isolating vulnerable assets on specially protected network segments.

4. Implement technologies to automatically identify new vulnerabilities

The days of relying primarily on vulnerability scanning are long gone. While scanning is still useful, it's one of dozens of methods for vulnerability identification. Survey your operations to see where else you are already collecting information about vulnerabilities. Moreover, build a culture of continuous improvement, not only for technologies, but also for people and processes -- they have vulnerabilities, too.

5. Rely on automated decision-making

The key to keeping up with vulnerabilities is to plan actions ahead of time and to then use technologies to gather the necessary information on each vulnerability and automatically select and initiate the appropriate action.

Work to change perceptions that vulnerability management is unnecessary and disruptive. Instead, frame vulnerability management as a form of preventive maintenance that helps handle big problems in the future by addressing their root causes now. NIST's patch management guidance endorses the preventive maintenance viewpoint, indicating that patch management, configuration management and other components of vulnerability management are necessary costs of using technology.

Next Steps

Benefits of risk-based vulnerability management over legacy VM

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing