Vulnerability Management Maturity Part Four: First Came the Sprint, Now the Marathon.
So there you are, the head of a successful vulnerability management program that has driven your company’s risk scores to a level that is both manageable and acceptable.
It’s been smooth sailing for the past year, and the days of chaos are but a memory. And then, all of a sudden, the risk score jumps.
What happened?
One thing is for sure: your organization didn’t change. The outside world did.
Welcome to the final stage of modern vulnerability management maturity.
A recap of the journey so far
In the three earlier parts of this series, we discussed the state of chaos that all organizations face at the beginning of the vulnerability management journey. Most organizations are trying to tackle an impossible number of vulnerabilities without the tools or the data to meaningfully reduce risk. They use CVSS as a proxy for danger, even though CVSS measures a vulnerability’s technical severity, not the likelihood that it will actually be exploited. And there are widespread arguments between IT operations and security over which issues to patch first, and how much time to devote to patching.
In the third state of vulnerability management maturity, your organization has begun using a tool – preferably Kenna.VM – that harnesses machine learning and big data analytics to identify the vulnerabilities that pose the most significant risk to your organization. Your organization is not only prioritizing the riskiest vulnerabilities, but identifying those that are likely to become dangerous in the future. You are slightly ahead of the curve, and your risk score reflects that. Even more, IT and security are getting along, because there’s no real argument over which mitigation measures you need to take. The data is there, and it’s not really up for debate.
Re-align to remediation velocity
Now, in the fourth and final stage, managers need to re-align their thinking, away from risk scores and toward a new idea: remediation velocity.
Here’s the idea: new vulnerabilities pop up every day. Most are harmless. Occasionally, something really dangerous is released into the wild. It doesn’t happen often, but we see it. Many recent examples involve vulnerabilities that are easy to exploit or for which exploit code is already public.
The best cybersecurity teams in the world are still only playing defense. They can’t control what malicious actors do.
And so, every once in a while, the scores jump. It’s nobody’s fault.
Risk-based SLAs
But you are responsible for how your organization reacts to these situations. That’s the thinking behind Kenna’s new risk-based SLAs. Risk-based SLAs enable organizations to use data to establish an appropriate speed of response to new, high-risk vulnerabilities.
These appetites for risk are divided into three categories. The first is for companies that are content to be as fast as their peers. The second is for companies that want to be leaders in their sector. The third is for organizations with the least tolerance for risk, companies that want their remediation strategies to exceed the speed of threat actors’ ability to weaponize vulnerabilities.
Our research backs up the idea that SLAs are an important contributor to maturity and effectiveness. Programs that set firm remediation deadlines for high-risk vulnerabilities tend to patch them faster.
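To make the two ideas above concrete, here is an added example (not Kenna’s code, and not its published SLA values) that turns a risk appetite into per-finding deadlines and then measures remediation velocity against them. The SLA day counts, the finding identifiers and the sample findings are all constructed for illustration; the three appetites correspond to the categories described above (keep pace with peers, lead the sector, outrun weaponization).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional

# Assumed SLA table: days allowed to remediate, keyed by risk appetite and
# risk tier. These numbers are illustrative placeholders, not Kenna's values.
SLA_DAYS = {
    "peer":   {"high": 30, "medium": 90, "low": 180},  # as fast as peers
    "leader": {"high": 14, "medium": 60, "low": 120},  # lead the sector
    "strict": {"high": 7,  "medium": 30, "low": 90},   # outrun weaponization
}

@dataclass
class Finding:
    asset: str
    vuln_id: str                    # hypothetical identifier, not a real CVE
    risk: str                       # "high", "medium" or "low"
    opened: date                    # first seen by the scanner
    closed: Optional[date] = None   # None while the finding is still open

def sla_deadline(f: Finding, appetite: str) -> date:
    """Deadline for this finding under the chosen risk appetite."""
    return f.opened + timedelta(days=SLA_DAYS[appetite][f.risk])

def sla_status(f: Finding, appetite: str, today: date) -> str:
    """'met' if closed by the deadline, 'breached' if the deadline has passed
    (closed late or still open), otherwise 'open' (still inside the SLA)."""
    deadline = sla_deadline(f, appetite)
    if f.closed is not None:
        return "met" if f.closed <= deadline else "breached"
    return "open" if today <= deadline else "breached"

def velocity_report(findings, appetite: str, today: date) -> dict:
    """Remediation velocity per risk tier: median days-to-close for closed
    findings, SLA compliance among findings whose outcome is decided, and
    counts of open-within-SLA and breached findings."""
    by_tier: dict = {}
    for f in findings:
        t = by_tier.setdefault(
            f.risk, {"closed_days": [], "met": 0, "breached": 0, "open": 0})
        t[sla_status(f, appetite, today)] += 1
        if f.closed is not None:
            t["closed_days"].append((f.closed - f.opened).days)
    report = {}
    for tier, t in by_tier.items():
        decided = t["met"] + t["breached"]
        report[tier] = {
            "median_days_to_close": median(t["closed_days"]) if t["closed_days"] else None,
            "sla_compliance": t["met"] / decided if decided else None,
            "open_within_sla": t["open"],
            "breached": t["breached"],
        }
    return report

def sustainable_appetite(findings, today: date, target: float = 0.9,
                         tier: str = "high") -> Optional[str]:
    """Most aggressive appetite whose SLA the program already meets at the
    target compliance rate for the given tier; None if it meets none of them.
    Velocity data, not ambition, decides which SLA is credible."""
    for appetite in ("strict", "leader", "peer"):
        rate = velocity_report(findings, appetite, today).get(tier, {}).get("sla_compliance")
        if rate is not None and rate >= target:
            return appetite
    return None

# Constructed sample data: five findings observed as of TODAY.
TODAY = date(2024, 2, 20)
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-0001", "high",   date(2024, 1, 1), date(2024, 1, 10)),  # 9 days
    Finding("web-02", "VULN-0002", "high",   date(2024, 1, 5), date(2024, 1, 25)),  # 20 days
    Finding("db-01",  "VULN-0003", "high",   date(2024, 2, 1)),                     # still open
    Finding("app-01", "VULN-0004", "medium", date(2024, 1, 1), date(2024, 2, 15)),  # 45 days
    Finding("app-02", "VULN-0005", "low",    date(2024, 1, 15)),                    # still open
]

if __name__ == "__main__":
    for appetite in SLA_DAYS:
        print(appetite, velocity_report(SAMPLE_FINDINGS, appetite, TODAY))
    print("sustainable appetite:", sustainable_appetite(SAMPLE_FINDINGS, TODAY))
```

With the sample data the high-risk tier is fully compliant only under the "peer" SLA; the "leader" SLA is already breached by two of three high-risk findings, one of them still open. That is the velocity conversation the post describes: the report shows which SLA the team can honestly commit to today and how far the gap is to the next tier.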
The fourth stage of a mature vulnerability management program is marked by a few characteristics: in most cases, IT operations can serve themselves. Security teams focus on reporting, oversight of mitigation efforts, and handling exceptions. Incentives also shift to include SLA attainment alongside overall risk scores.
Mature vulnerability management programs are stable and enduring. Because of this, the methods and metrics for evaluating the programs shift. But whatever stage your program is in, success – and sanity – are possible.
To learn more about Modern Vulnerability Management and see where you are in the maturity curve talk to one of our experts.