November 1, 2016 By Vinaykumar Sukumar 2 min read

Vulnerability assessment and management is one of the essential functions of any enterprise security program. It is so critical that it can make or break the security of an organization. Before we explore the nuances of what constitutes an effective vulnerability management program, it is important to understand what we mean by vulnerability management.

The term vulnerability management itself represents a misguided vision of how vulnerabilities are handled in a security program. A vulnerability is nothing but a weakness in a system that can be exploited by malicious outsiders. These vulnerabilities need to be remediated, not simply managed. Plugging them would eradicate 90 percent of your security concerns. So then what is the problem?

Too Many Assets, Too Little Time

If you are remotely interested in enterprise security, you already know the problem: There are millions of assets to assess, report on and remediate. The process is time consuming, repetitive and not certain to actually solve any problems. You might believe it is working until a breach rocks your boat.

Can we remediate all these vulnerabilities? Not just yet — you would never be able to get to all of them in time. This is when most people start managing vulnerabilities. Manage which assets need to be scanned first, determine if the discovered vulnerabilities are accurate, create reports, determine which ones need to be remediated first and continue the process. The problem with this is that it’s easy to lose sight of the end goal: security.

Risk and Vulnerability Management

If we step back, we’ll see that we are really trying to minimize the risk factor by eliminating vulnerabilities that could lead to potential exploits. But the mere existence of a vulnerability doesn’t constitute risk. Risk is the combination of a vulnerability, access to that vulnerability, the ability to exploit it and, most importantly, something of value that could be extracted.

Unfortunately, many vulnerability management efforts tend to revolve around scanning and patching, while risk assessment and management are ignored. Risk management puts the vulnerability in context within the IT environment and helps security professionals understand if a particular risk is really something they should prioritize over other issues. Often it can be mitigated through other means, such as updating relevant firewall rules, changing application configuration or patching at the network layer to block a vulnerability for a large set of assets.
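The prioritization described in the two paragraphs above, risk as the combination of a vulnerability, access to it, the ability to exploit it and the value behind it, can be expressed as a small scoring model. The following is an added example, not code from the original article or from any product: the factor weights for exposure, compensating controls, exploit availability and asset value, and the four findings themselves, are constructed illustrations rather than a published standard, and `risk_score` and `prioritize` are hypothetical names.

```python
from dataclasses import dataclass

# Constructed weights: how much of the vulnerability's raw severity survives
# once the surrounding environment is taken into account.
EXPOSURE_FACTOR = {"internet": 1.0, "internal": 0.6, "isolated": 0.1}
# A compensating control (firewall rule, WAF rule, hardened config) reduces
# the "access" term without touching the vulnerable software itself.
CONTROL_REDUCTION = {"firewall_block": 0.5, "waf_rule": 0.6, "config_hardening": 0.7}


@dataclass(frozen=True)
class Finding:
    finding_id: str            # scanner finding label (placeholder, not a CVE id)
    asset: str                 # hostname or asset tag from the asset inventory
    cvss: float                # base severity 0.0-10.0 as reported by the scanner
    asset_value: int           # 1 (throwaway) .. 5 (crown jewel), set by asset owners
    exposure: str              # "internet", "internal" or "isolated" from network topology
    exploit_available: bool    # public exploit known, from vulnerability intelligence
    controls: tuple = ()       # compensating controls already in place


def risk_score(f: Finding) -> float:
    """Vulnerability x access x exploitability x value, scaled to roughly 0-10."""
    access = EXPOSURE_FACTOR[f.exposure]
    for control in f.controls:
        access *= CONTROL_REDUCTION.get(control, 1.0)
    exploitability = 1.0 if f.exploit_available else 0.4
    value = f.asset_value / 5
    return round(f.cvss * access * exploitability * value, 2)


def prioritize(findings):
    """Return findings ordered by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings: same scanner output, very different risk.
SAMPLE_FINDINGS = [
    Finding("F-001", "dev-sandbox-03", 9.8, 1, "isolated", True),
    Finding("F-002", "payments-gw-01", 6.5, 5, "internet", True),
    Finding("F-003", "fileserver-02", 8.1, 4, "internal", False),
    Finding("F-004", "www-marketing", 9.8, 2, "internet", True, ("firewall_block",)),
]


def ranked_ids(findings=SAMPLE_FINDINGS):
    return [f.finding_id for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.finding_id}  {f.asset:16}  cvss={f.cvss:4}  risk={risk_score(f)}")
```

Sorted purely by CVSS, the two 9.8 findings would be patched first. With context applied, the 6.5 on the internet-facing payment gateway ranks first, the 9.8 on the isolated sandbox ranks last, and the 9.8 behind a firewall block drops below the gateway, which is exactly the "mitigate by other means" case the paragraph describes. The weights are the part a real program has to calibrate; the structure of the calculation is the point.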

It’s safe to say that risk management is a common need among enterprise security programs. To implement an effective risk management approach, IT teams must first have:

  • An accurate and efficient vulnerability assessment tool;
  • An understanding of which assets and information are most important to the organization;
  • Knowledge of the network topology for visibility into how an attack would spread;
  • Current asset information;
  • Visibility into suspect behavior and activities;
  • Updates on the latest vulnerability disclosures;
  • Understanding of key stakeholders, such as security officers, vulnerability engineers, asset owners and IT engineers;
  • Buy-in and participation from executives; and
  • Communication, communication and communication!

What Does It Take?

This is not an exhaustive list, but it should show you that it takes more than a scanning engine and a patch management solution to run an effective security program. You can’t buy it in a box: It takes tools, people, processes, expertise and investment to have a meaningful solution. It takes a program with active participation from people across security and IT operations. It also takes visibility and an understanding of known vulnerabilities in context with your environment.
