Launching a Vulnerability Management Program

When President Biden’s executive order shone a light on the need to modernize and strengthen cybersecurity at the federal level, it arguably also lit a fire under private sector organizations to stand up vulnerability management programs of their own.

No one denies the importance of a vulnerability management program: it establishes the processes and controls to identify and remediate known vulnerabilities before they are exploited. Having a program in place also helps regulated industries demonstrate compliance with their requirements.

Yet some organizations lack a formal vulnerability management program; a 2020 survey from the SANS Institute found that 24% have only an informal one.

The trick is figuring out how to put a program together. Good security hygiene is a key part of it, but many organizations don’t know where to begin.

Getting Started With a Vulnerability Management Program

There are a number of steps involved, but first and foremost, an organization must decide what level of risk it is willing to accept. This is critical for effective prioritization, and it will, of course, vary by company. Your risk appetite might be shaped by your industry, your regulatory obligations or company-specific guidelines.

Once you make that determination, assemble a team and build an inventory of your technology environment: endpoints, servers, networks, cloud services, SaaS applications and the open source components inside your own software. You cannot manage vulnerabilities in assets you do not know about, so the inventory is the foundation for everything that follows. The team will be tasked with identifying, tracking and assessing vulnerabilities across that environment.

You must also acquire the right scanning tools to unearth vulnerabilities, and a process to patch or otherwise remediate what they find. This is also an important opportunity for continuous improvement and for learning how to instill a culture of vulnerability management in your organization, observes Tom Blauvelt, vice president of solution architecture at Rezilion. Then it is time to evaluate and prioritize the vulnerabilities that have been discovered. You will not be able to find or fix every vulnerability; trying to do so consumes time, staff and budget out of proportion to the risk it reduces. Sometimes the cost of fixing a vulnerability is significantly greater than the loss the organization would incur if it were exploited. In those cases the risk should be formally accepted and recorded, with a compensating control where one exists, rather than left sitting in an unreviewed backlog.

Establishing metrics and key performance indicators, such as time to detect, time to remediate and the percentage of critical vulnerabilities remediated within their agreed SLA, lets the team measure the current state and track improvement. Remediation targets per severity also give prioritization a concrete yardstick: a finding that is past its SLA is overdue regardless of what else is in the queue.

After remediation, verify the fix (typically by rescanning the asset) and record the result. This is another critical step: when an incident is in progress, patch records tell you which systems were and were not exposed to a given vulnerability, which sharpens the response.

Further, if your industry must comply with regulations, a record of vulnerabilities and their remediation is the evidence auditors will ask for. So make sure you use a system that can customize your reports. Look for a platform that integrates with your ticketing system and supports custom metrics and dashboards, so that key stakeholders have a constant view of the team’s risk management progress.

Vulnerability Reporting Should Be Simple and Intuitive

Vulnerability management systems provide risk ratings and scores, most commonly the Common Vulnerability Scoring System (CVSS). But a CVSS base score measures the severity of a flaw in the abstract; it says nothing about whether the affected system is reachable from the internet, whether a public exploit exists, or how important the asset is to your business, so the same 9.8 can be an emergency on one host and a low priority on another. Seek vulnerability management tools that will give you information on the exploitability of a vulnerability in your own environment so you can prioritize remediation accordingly.
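As an added example (not code from the original article or from any vendor named in it), the Python below computes the KPIs discussed earlier (time to remediate and the share of critical findings closed within SLA, plus the open-and-overdue count) from a constructed set of findings, and then ranks the open ones with an environment-aware score instead of raw CVSS. The SLA days, the scoring weights, the asset names and the finding IDs are all assumptions made for the illustration; the IDs are not real CVEs. Time to detect is left out because it needs the date a vulnerability was introduced, which a scanner record rarely carries.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

# Remediation SLAs per scanner severity bucket (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Reporting date for the sample run (constructed).
AS_OF = date(2024, 3, 20)


@dataclass
class Finding:
    id: str                      # tracking ID (constructed, not a real CVE)
    asset: str                   # hypothetical host name
    severity: str                # scanner bucket: critical/high/medium/low
    cvss: float                  # CVSS base score as reported by the scanner
    detected: date               # first reported by the scanner
    remediated: Optional[date]   # None while still open
    internet_facing: bool        # environmental context the scanner cannot know
    exploit_available: bool      # public exploit or known in-the-wild exploitation
    asset_criticality: int       # 1 (lab box) .. 3 (crown jewels), set by asset owner


# Constructed sample inventory.
FINDINGS = [
    Finding("F-001", "web-edge-01", "critical", 9.8, date(2024, 3, 1), date(2024, 3, 5), True, True, 3),
    Finding("F-002", "db-int-02", "critical", 9.1, date(2024, 3, 1), date(2024, 3, 15), False, False, 2),
    Finding("F-003", "api-edge-03", "high", 7.5, date(2024, 3, 10), None, True, True, 3),
    Finding("F-004", "lab-vm-04", "critical", 9.8, date(2024, 3, 12), None, False, False, 1),
    Finding("F-005", "build-05", "medium", 5.3, date(2024, 2, 1), date(2024, 2, 21), False, False, 2),
    Finding("F-006", "vpn-edge-06", "high", 8.8, date(2024, 1, 15), None, True, False, 2),
]


def age_days(f: Finding, as_of: date) -> int:
    """Days from detection to remediation, or to `as_of` if the finding is still open."""
    end = f.remediated or as_of
    return (end - f.detected).days


def is_past_sla(f: Finding, as_of: date) -> bool:
    """True if the finding took (or has so far taken) longer than its severity's SLA."""
    return age_days(f, as_of) > SLA_DAYS[f.severity]


def kpis(findings, as_of: date) -> dict:
    """Program-level metrics over a list of findings as of a given date."""
    closed = [f for f in findings if f.remediated is not None]
    ttr = [age_days(f, as_of) for f in closed]
    # A critical counts toward the on-time rate once it is closed or its SLA window has elapsed.
    due_criticals = [f for f in findings if f.severity == "critical"
                     and (f.remediated is not None or is_past_sla(f, as_of))]
    on_time = [f for f in due_criticals
               if f.remediated is not None and not is_past_sla(f, as_of)]
    open_findings = [f for f in findings if f.remediated is None]
    return {
        "open": len(open_findings),
        "open_past_sla": sum(1 for f in open_findings if is_past_sla(f, as_of)),
        "mean_ttr_days": round(mean(ttr), 1) if ttr else None,
        "median_ttr_days": median(ttr) if ttr else None,
        "pct_critical_on_time": (round(100 * len(on_time) / len(due_criticals), 1)
                                 if due_criticals else None),
    }


def priority_score(f: Finding) -> float:
    """Illustrative environment-aware score (assumed weights, not a standard).
    CVSS base is the starting point; the context the scanner cannot know is layered on."""
    score = f.cvss
    if f.exploit_available:
        score += 3.0
    if f.internet_facing:
        score += 2.0
    score += {1: 0.0, 2: 1.0, 3: 2.0}[f.asset_criticality]
    return round(score, 1)


def prioritized_open(findings) -> list:
    """Open findings ordered for remediation, highest priority first."""
    open_findings = [f for f in findings if f.remediated is None]
    return sorted(open_findings, key=priority_score, reverse=True)


if __name__ == "__main__":
    print(kpis(FINDINGS, AS_OF))
    for f in prioritized_open(FINDINGS):
        print(f.id, f.asset, "cvss", f.cvss, "priority", priority_score(f))
```

On the sample data the open queue comes out as F-003, F-006, F-004: the CVSS 9.8 finding on the isolated lab VM ranks last, behind a CVSS 7.5 on an internet-facing, business-critical host with a public exploit, which is exactly the reordering a base score alone cannot give you. The KPI output also shows the two different ways a program falls behind: closed findings that missed their SLA (F-002) and open findings that already have (F-004 and F-006).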

Developing an effective vulnerability management program takes time, and it is a good idea to treat it as an iterative process with room for continuous improvement and enhancement.

