Posted on May 28, 2020
With threats to data continuing to rise, more regulations and industry standards require “continuous monitoring.” Articles and blog posts remind organizations to mitigate potential risks arising from “vulnerabilities.” Yet, for many people, information security vulnerabilities feel like abstractions rather than tangible action items. To secure data, IT and business leaderships need to speak a common language which includes a shared understanding of what vulnerability management means so that they can work together to protect information.
From a technical perspective, an IT vulnerability is described as a security system’s weakness, flaw, or error that malicious actors can exploit to gain unauthorized access to the system. From a business perspective, IT vulnerabilities are holes in an organization’s IT defenses that give malicious actors a way to get into systems, networks, or software and steal data.
Imagine putting up an electric barbed wire fence around a building with a concrete wall that extends fifty feet below the fence. In theory, a criminal shouldn’t be able to gain access to that building. However, if there’s a hole in either that fence or wall that you don’t know about, then a criminal could get through and steal what you’re trying to protect.
An IT vulnerability is the hole in your security system’s defenses that cyber criminals can find and that give them a way to steal information.
Again, from a technical standpoint, the National Institute of Information Technology (NIST) defines vulnerability management as a process that focuses on “enumerating platforms, software flaws, and improper configurations; formatting/and making transparent checklists and test procedures; and measuring vulnerability impact.” In non-technical terms, the NIST Cybersecurity Framework definition of vulnerability management is creating a set of processes that help identify and catalogue all weaknesses in your software, systems, and networks then use tracking methods and tests to measure the potential security impact.
Vulnerability management directly aligns to organizational information security and privacy initiatives as well as compliance mandates. At their core, all three require organizations to identify, assess, and analyze cybersecurity risks to determine the potential negative impact to reputation and financial stability. Vulnerability management is the technical side of that analysis.
Vulnerability management is a proactive cybersecurity process that organizations can use to prevent cyber attackers from taking advantage of the weaknesses, or holes, in security systems and mitigate the risk of a data breach.
For example, patch management is a fundamental tenet of vulnerability management. When software providers learn about vulnerabilities in their code, they update their software to close the holes and prevent cyber attacks. Then they push the software patches out to their customers who need to install them. While fixing the tools is the provider’s responsibility, updating the software is the organization’s responsibility. Therefore, your patching cadence, or how often you install security patches, is a part of your vulnerability management program that reduces the risk of a data breach.
Ensuring that you proactively respond to new weaknesses in your IT ecosystem, however, can be difficult as your organization adds more third-party business partners.
Developing and implementing a vulnerability management strategy means understanding not just your organization’s systems, networks, and on-premises software deployments but also the interconnected cloud services providers used.
Your vulnerability management process needs to be aligned to your organization’s IT and business objectives. As part of this process, you need to create a team of stakeholders across the organization. Working together, the team should determine the strategy’s scope, assessment methods, and responsible parties.
After establishing the strategy, you need to create an actionable plan with rules and guidelines. All responsible parties need to know your expectations and the resources you will make available to them. As part of the planning phase, you should:
Implementing the strategy requires you to bring together the assessment and planning activities as action items for the responsible parties. Additionally, you should be tracking discovered vulnerabilities, improving data collection, and ensuring alignment with your risk management process.
At minimum, your implementation should:
While identifying vulnerabilities is important, ensuring continuous improvement also matters. You need to be able to ensure that your vulnerability management plan is appropriately comprehensive and having the necessary impact on your ability to secure information.
At minimum, you should include metrics and assessment of:
SecurityScorecard’s security ratings platform provides continuous monitoring over its customers’ IT ecosystems, alerting them to potential vulnerabilities and providing actionable remediation suggestions. Our platform scans publicly available information across ten risk factors including IP reputation, DNS health, network security, endpoint security, web application security, patching cadence, information leaks, hacker chatter, and social engineering.
SecurityScorecard’s platform uses an A through F rating scale that offers an easy-to-read visualization of an organization’s security posture. The lower the score, the more vulnerabilities that the platform is detecting. The higher the score, the fewer the vulnerabilities. By continuously monitoring your ecosystem for new control weaknesses, you can evolve your vulnerability management strategy.
Check out our list of 3 top third party risk management (TPRM) challenges, and the actions you can take to bolster your program. Learn more.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.