How to Improve Your Vulnerability Management Program

January 19, 2021 | By IANS Faculty

The best way to grow and improve a vulnerability management program is to acknowledge the current gaps, define a more ideal state to aim for, and then take the necessary steps to see the improvements through. Getting better requires better information, in terms of risk insight, and the right people on board to act on it. This piece guides you through the process of fine-tuning a vulnerability management program, even a relatively mature one.

Build an Effective Vulnerability Management Program

Taking your current state into consideration, building out an effective vulnerability management program requires:

Focusing on risks vs. number of vulnerabilities. Vulnerability scans are often not performed correctly or adequately, and it’s common to see very little context placed around the vulnerabilities uncovered. Such an approach leads to security findings that are treated the same way across the board – but not every system is the same, nor should every finding be treated the same way. Trying to “fix” everything sets an organization up for failure. Rather, consider moving to a risk-based approach to vulnerability management, in which the most critical risks/vulnerabilities are understood within the context of the organization (asset criticality, network exposure, exploitability) and are remediated first.

Using agents to ensure the mobile workforce is covered. Given the new mobile workforce challenges, moving away from traditional network vulnerability scans and leveraging host-based agents is becoming more popular. Some might see yet another agent as burdensome to users, or as risky in the event users are able to disable the software. With today’s more powerful hardware and endpoint agents that run with tamper protection and without depending on the user holding administrative rights, these concerns are manageable, provided agent check-in status is monitored so that a silently disabled agent shows up as a gap rather than as a clean host.

Streamlining your toolset. Using multiple tools to gather vulnerability information on endpoints not only increases complexity; it can also produce a skewed picture of security, because two tools will rarely report exactly the same set of findings for the same system, and the differences tend to be read as “one of them must be wrong” rather than investigated.

Getting proper governance in place. Having more – and better – information to take to management about active threats, confirmed vulnerabilities and tangible business risks is key. These executives or an IT/security governance committee can help to create the standards by which technical staff determine how and where to focus their efforts, especially as it relates to prioritization. If concerns are raised regarding who should be responsible for both vulnerability management and patch management, it really comes down to business preference and, specifically, culture and politics.

Taking it one step at a time. Integrating the findings from the application side is not going to be simple. The vulnerabilities are different. The approaches to remediation are different. The teams to deal with are different. That’s not to say that having application security under the same vulnerability management umbrella can’t work. It can. Consider not doing it all at once. Try getting infrastructure vulnerability management under control first and then moving on to application vulnerabilities – or vice versa, depending on criticality and preference.

Additional Considerations for Vulnerability Management Programs

Standardization is critical. So is keeping things as simple as possible. Depending on the size of the business and how much you’re spending with vendors, you might have leverage to bring such vendors on board and have them help with integrating their tools to meet specific vulnerability management needs. Some specific areas to focus on include:

Asset classification. Determine which hosts, applications and data are most important to the business. This alone will provide guidance on where security testing and remediation work needs to be focused.

Vulnerability Management Metrics. Common vulnerability management metrics covering both infrastructure hosts and applications include:

  • Initial number of vulnerabilities
  • Repeat findings (the same issue reported across successive scan cycles)
  • Confirmation via threat intelligence feeds (e.g., evidence of active exploitation in the wild)
  • CVSS scores
  • Level of tangible risk being found
  • Vulnerabilities over 90 days old
  • Criticality of asset
  • Location of asset (external network or internal network)
  • Exploitability (if internal resources permit, tools such as Metasploit and Burp Suite can be used to demonstrate the flaws)
  • Patch availability
  • Time needed to patch (estimated effort)
  • Time taken to patch (actual elapsed time from discovery to remediation)

Prioritization. Determine how vulnerabilities and quantifiable risks are prioritized. Does each vulnerability translate into business risk, or are some vulnerabilities riskier than others when considered against your specific environment and business goals?

Patch management. How do vulnerability identification and prioritization fit in with current patch management standards? When vulnerabilities rated critical or high are identified, do current business workflows and resources support getting patches applied, or compensating controls implemented, within reasonable timeframes, e.g., 15-30 days?
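The prioritization and patch-management questions above, and the metrics listed earlier, worked through as an added Python example (this is not code from the original article or from IANS). The weighting multipliers, the 15/30/90-day SLA bands, and the sample findings are all assumptions constructed for illustration; the point is that a CVSS 9.1 on a low-value internal kiosk can legitimately rank below a CVSS 7.5 on a crown-jewel database once business context is applied.

```python
"""Risk-based prioritization and SLA metrics over a constructed set of scan findings."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Multipliers are illustrative assumptions, not a published standard. Tune them
# to the organization's own asset classification scheme.
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5, "crown_jewel": 2.0}
LOCATION_WEIGHT = {"internal": 1.0, "external": 1.5}
EXPLOIT_WEIGHT = 1.5  # public exploit code or confirmed active exploitation


@dataclass
class Finding:
    host: str
    finding_id: str             # scanner's identifier (placeholder values below)
    cvss: float
    asset_criticality: str      # key into CRITICALITY_WEIGHT
    location: str               # key into LOCATION_WEIGHT
    first_seen: date            # date the scanner first reported it
    fixed: Optional[date]       # None while still open
    exploit_available: bool
    patch_available: bool
    seen_before: bool           # also reported in a previous scan cycle


def risk_score(f: Finding) -> float:
    """CVSS is the base; asset criticality, exposure and exploitability scale it."""
    score = f.cvss * CRITICALITY_WEIGHT[f.asset_criticality] * LOCATION_WEIGHT[f.location]
    if f.exploit_available:
        score *= EXPLOIT_WEIGHT
    return score


def sla_days(f: Finding) -> int:
    """Remediation window by CVSS band (assumed policy: 15 / 30 / 90 days)."""
    if f.cvss >= 9.0:
        return 15
    if f.cvss >= 7.0:
        return 30
    return 90


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Open findings, highest contextual risk first; ties broken by age (oldest first)."""
    open_findings = [f for f in findings if f.fixed is None]
    return sorted(open_findings, key=lambda f: (-risk_score(f), f.first_seen))


def metrics(findings: List[Finding], as_of: date) -> dict:
    """Program metrics of the kind listed in the article, computed from the findings."""
    open_findings = [f for f in findings if f.fixed is None]
    closed = [f for f in findings if f.fixed is not None]

    def age(f: Finding) -> int:
        return (as_of - f.first_seen).days

    days_to_patch = [(f.fixed - f.first_seen).days for f in closed]
    return {
        "open": len(open_findings),
        "repeat_findings": sum(1 for f in findings if f.seen_before),
        "open_over_90_days": sum(1 for f in open_findings if age(f) > 90),
        "open_past_sla": sum(1 for f in open_findings if age(f) > sla_days(f)),
        "open_with_patch_available": sum(1 for f in open_findings if f.patch_available),
        "closed_past_sla": sum(1 for f in closed if (f.fixed - f.first_seen).days > sla_days(f)),
        "mean_days_to_patch": (sum(days_to_patch) / len(days_to_patch)) if days_to_patch else None,
    }


# Constructed sample data: hostnames and finding IDs are placeholders, not real systems or advisories.
AS_OF = date(2021, 1, 19)
FINDINGS = [
    Finding("web-01", "F-001", 9.8, "high", "external", date(2020, 12, 20), None, True, True, False),
    Finding("db-01", "F-002", 7.5, "crown_jewel", "internal", date(2020, 9, 1), None, False, True, True),
    Finding("kiosk-07", "F-003", 9.1, "low", "internal", date(2021, 1, 10), None, False, False, False),
    Finding("web-02", "F-004", 6.5, "high", "external", date(2020, 11, 1), date(2020, 11, 21), False, True, False),
    Finding("app-03", "F-005", 8.2, "medium", "internal", date(2020, 10, 1), date(2020, 11, 10), True, True, True),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.host:10} {f.finding_id}  CVSS {f.cvss:<4} risk {risk_score(f):6.2f}  SLA {sla_days(f)}d")
    for name, value in metrics(FINDINGS, AS_OF).items():
        print(f"{name}: {value}")
```

Run as a script it prints the open findings in work order (web-01, then db-01, then kiosk-07) followed by the metrics. Two of the three open findings are already past their assumed SLA, which is exactly the "do current workflows support 15-30 days?" question made measurable; the repeat-findings and patch-available-but-still-open counts are the numbers to take to the governance committee.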

Vulnerability management requires both good people and good information – tangible insight that clearly shows where the problems lie and what the solutions need to be.

Vulnerability management across a large network environment is one of the greatest challenges in managing an information security program. At the heart of all this, the real question is: Where are IT resource hours best spent to minimize vulnerabilities/risks and maximize positive outcomes?

Vulnerability Management Best Practices

Ensuring every decision is made with the Pareto principle (also known as the 80/20 rule) in mind. This lets the team focus on the relatively small number of vulnerabilities across the most critical systems that are creating the greatest number of business risks.

Getting buy-in from stakeholders and leadership. Those responsible for information security and, specifically, vulnerability management need the necessary financial and political support from executive management and others, including the actual system/data owners themselves. Summarizing and presenting the specific challenges in these areas, including both the good information you already have and the gaps in it, is a great way to make the case for such support.

Focusing on compensating controls. Where a patch cannot be applied, or agreement on remediation cannot be reached, compensating controls are essential. Even with asset classification, criticality analysis and risk prioritization in place, all it takes is a single employee clicking a phishing link for a known-but-unpatched vulnerability to be exploited or information to leak.

There will always be outlying vulnerabilities that cannot be effectively prevented. However, with the proper visibility and security controls, quick response on the part of technical staff will help minimize any issues that do arise.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
