4 Best Practices for Creating Effective Vulnerability Management Programs

Whether your organization already has a threat and vulnerability management program in place or is considering starting one, vulnerability management is likely to be one of the most challenging aspects of your overall cybersecurity and cyber resilience posture.

Vulnerability management protects critical data, assets and stakeholders by classifying, remediating and mitigating vulnerabilities. Once a catch-all term that included basic patch management and configuration management, an effective vulnerability management program today means holistically addressing vulnerabilities throughout your organization, beyond technology alone.

One of the most common reasons we’ve seen many organizations struggle with effective vulnerability management is because many assume that it’s a hands-off process. Some organizations simply purchase a vulnerability scanning tool, install it, and run scans without a plan or available personnel to manage the findings.

In reality, effective vulnerability management involves more than a set of tools; it means defining and implementing a comprehensive security program built on input and engagement from key players throughout your organization.

Without an effective vulnerability management program in place, your organization is at a higher risk of compromise and significant damage from threats. So, where should you start? Here are four best practices to keep in mind when creating or enhancing your vulnerability management program:

One of the most common reasons we’ve seen many organizations struggle with effective vulnerability management is because many assume that it’s a hands-off process. Some organizations simply purchase a vulnerability scanning tool, install it, and run scans without a plan or available personnel to manage the findings.

In reality, effective vulnerability management involves more than a set of tools; it means defining and implementing a comprehensive security program built on input and engagement from key players throughout your organization.

Without an effective vulnerability management program in place, your organization is at a higher risk of compromise and significant damage from threats. So, where should you start? Here are four best practices to keep in mind when creating or enhancing your vulnerability management program:

1. Establish governance, standards and policies first. The truth is, there is no single vulnerability management tool that will solve all of your organization’s vulnerability challenges. Many organizations purchase one, configure it and begin scanning, then struggle to determine what to do with the data they’ve recorded. Before even purchasing a tool, you need to establish governance, standards and policies among your people, processes and technologies.
   
   After all, even with a robust vulnerability scanning tool in place, your team must know what they’re using the tool to uncover. Start by understanding the systems you have. Determine which metrics you’re recording, which systems to scan, and the metrics that upper leadership needs for reporting. This is the information that vulnerability management analysts need in order to set the scope of your program.
   
   From here, creating a written, defined vulnerability management policy document will help keep the people, processes and technologies of your program accountable and running smoothly. This documentation will also allow analysts to better communicate the performance of your vulnerability management program to senior leadership.
   
   
2. Ensure comprehensive asset inventory. Keeping an accurate asset inventory is essential to identifying which assets require the most protection. This inventory should include a comprehensive list of not only the assets but also their criticality to the organization, the data they store or process and their connectivity within your network. This will help to prioritize appropriate security measures to address these vulnerabilities based on the most crucial priorities within the most crucial assets.
   
   Building an accurate asset inventory that identifies all physical and digital assets in your possession — devices, networks, applications, data repositories and even third-party vendors with access to the organization's systems — is the first step. Utilizing an asset database tool that can be integrated with other tools is an effective way to keep your inventory up to date as new assets are added or old ones are updated.
   
   
3. Streamline your focus and resources based on criticality. Not all vulnerabilities or all assets are created equal, and it's essential to prioritize them based on their severity and impact to the business. An effective vulnerability management program should take a risk-based approach to allocating resources efficiently, focusing on the most critical vulnerabilities first.
   
   Why is this so important?
   
   Let’s say a vulnerability management tool scans your environment and provides a list of vulnerabilities (on a scale of 1-10) that are considered “critical” (8 to 10) and must be addressed immediately.
   
   While it’s possible that the vulnerabilities it’s uncovered are critical, one asset may be an electronic medical record (EMR) system, while the other is a TV system. Obviously, a vulnerability score of 8 on an EMR system is a higher priority than an 8 on a TV system, but without a comprehensive asset inventory that delineates criticality, the tool will prioritize them equally. The same goes for servers — all of your servers may have the same vulnerabilities, but when it comes to prioritization, you’ll want to ensure that you’re spending the bulk of your time addressing the few that are most critical.
   
   It's important for leadership to decide which assets and systems in your environment are most critical in order to understand how to best prioritize your time and resources when securing your environment.
   
   A quantitative risk assessment can help categorize these vulnerabilities based on their severity, potential impact, industry-specific threats and the asset’s criticality while helping to ensure that you’re not spending too much time addressing less critical assets in your environment.
   
   
4. Build a knowledgeable vulnerability management team. An effective vulnerability management program should touch several components of your organization, and bringing these silos together is key to success. Where many organizations go wrong is relying on analysts alone to bridge this gap.
   
   For medium to large organizations, a vulnerability management team should, at minimum, include an analyst and either a dedicated vulnerability management manager or project manager to bridge the gap between the technical work and administrative demands of the program, like presenting metrics to leadership or following up on remediation projects.
   
   Ideally, depending on your organization’s size and goals, this team would also regularly bring together the CISO, information security representatives and security leadership to focus on the most critical priorities and ensure visibility into each area.

One of the reasons that so many organizations struggle with vulnerability management is simply because they’re unsure how to gauge its efficacy. After all, if your vulnerability scanning tool reports that you have few critical gaps remaining, your team may not know whether additional investigations into your systems are necessary. This is where an expert partner with extensive threat and vulnerability management experience can make a major impact.

Take a recent example from one of our clients. This major healthcare organization with an especially large and complex environment had purchased a scanning tool but was unsure what to do with the data it provided. The tool showed that their environment was “low risk” and it was not uncovering new vulnerabilities.

When they called on our vulnerability management experts to design, implement and ultimately manage their vulnerability management program, we quickly discovered that this client was scanning their environment unauthenticated and missing several critical vulnerabilities throughout. After we worked with them to configure authenticated scans, we discovered a slew of critical vulnerabilities.

This led our experts to overhaul this client’s vulnerability management program. Working lockstep with this client, we optimized their scanning tools while developing process documentation to support their ongoing management, improved reporting techniques to measure risk reduction and baselined key metrics for tracking program success and improvement along the way.

Since then, this client has seen dramatic improvements in the KPIs associated with its vulnerability management program, including improved scan coverage from an estimated 60% to 90% and growing, a decrease in vulnerabilities by almost 90%, and a reduction in their remediation turnaround time from several months to just days—lowering their risk and boosting their overall cyber resilience posture.