The Maturity of Vulnerability Management Matters

If you work in cybersecurity at a typical mid-market company, you probably cringe when you hear the term “vulnerability management.” Let me see if I can guess how the workflow goes for you:

1. Someone uses a scanning tool to scan as many assets across your network as you know about.
2. The output gets exported to a spreadsheet.
3. The spreadsheet is sorted by “criticality.”
4. Various department or organization heads receive line-items they are responsible for patching with little context on why.
5. You wait a week or so, then repeat the process.

How close did I get?

The various pieces of your cybersecurity strategy are programs in themselves, which means we can measure them for maturity. The problem is that mid-market companies seldom have the time or resources, not to mention the capital, to execute a full-scale program. That approach ultimately leads to a “just-do-something” execution of cybersecurity, and things get complicated.

Some hallmarks help me determine what level of maturity an organization has attained. Here are just a few:

1. Strategy: How an organization thinks about vulnerability management and whether it’s truly managing vulnerabilities or simply trying to play whack-a-mole is telling. Managing vulnerabilities means a lifecycle approach and understanding that once they’re discovered, vulnerabilities can have one of three fates:
   1. Remediate – simply put, apply the fix or patch.
   2. Defer – push the fix until a later point in time such as when the system is retired shortly.
   3. Accept – accept that the vulnerability will not be fixed, and alternative accommodation needs to be made.
2. Execution Discipline: Understanding the discipline with which an organization executes the tasks of a vulnerability-management program says a lot. Are there change controls? Is the process well-documented and universally accepted across the organization? Does the program include all of the organization’s assets? These and more are important questions to consider. As an organization matures, execution will be more repeatable and predictable.
3. Follow-through: Few things are more important than following through. It makes no sense to scan, notify, but then do nothing but wait for someone else to do something. As an organization matures it will learn to not only notify but report, and follow-through on impacting positive change.

All this said the important thing is to figure out how your organization ranks, and what your real level of maturity is. There is no universal answer to what maturity level your particular organization should be at. But knowing is a critical first step.