
Salus Cyber

How to tell if your vulnerability management is effective

By Jason Kalwa,
10 February 2021

Vulnerability management is an established security management process, but how do you know if it’s adding value to your security posture? The absence of security incidents is, unfortunately, not a reliable indicator. Instead, ask yourself whether your process works under all circumstances and delivers the right results at a corporate level.

Why wouldn’t it be?

One of the most consistent issues with vulnerability management is a lack of communication between provider and client. When service providers cannot definitively evaluate the risks they identify within the organisation’s risk areas, relevant vulnerabilities and security issues cannot be managed effectively. Communication and bespoke services are vital in driving down critical-risk and organisation-specific security issues.

Consider the following example: a traditional penetration testing organisation performs a monthly vulnerability assessment against an organisation’s existing assets. Due to a communication failure, the consultant fails to flag the presence of default web server content, an indicator of unmanaged services, to the organisation. This omission leads to the information security team failing their target of maintaining an up-to-date list of existing network services and removing outdated and unsupported software. In a similar example, automated tooling combined with poor communication between internal teams may lead to findings not being reported to the risk management team, causing wasteful expenditure by redoing completed tasks.

Presentation of results is also an often overlooked area of vulnerability management. Clear communication makes it easier to secure senior management buy-in for remediation plans, reduces friction for senior stakeholders, and cultivates greater attention to security.

A key indicator of value in this area is whether your vulnerability management reporting provides the answers to the questions the board asks, such as the average time to remediate critical-risk vulnerabilities and the costs incurred. In general, reporting on any newly found critical-risk vulnerability should identify its root cause. Providers should build reporting around a customisable dashboard with KPIs of vulnerability metrics tailored to each client’s business needs. Simplifying results and extrapolating data to highlight critical points makes the information valuable to senior decision-makers.
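As an added illustration of the board-level KPIs named above (this is example code, not the article’s or any provider’s tooling), the script below computes mean time to remediate, SLA breaches, root-cause counts and remediation spend from a constructed list of finding records; the field names, the SLA figures and the sample findings are all assumptions.

```python
# Added example (not the article's code): vulnerability management KPIs from
# finding records. Field names, SLA figures and the sample data are constructed.
from collections import Counter
from datetime import date

# Constructed sample findings; dates are ISO strings, 'closed' is None while open.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "opened": "2021-01-04", "closed": "2021-01-09",
     "root_cause": "unpatched third-party software", "cost": 1200},
    {"id": "F-2", "severity": "critical", "opened": "2021-01-06", "closed": "2021-01-27",
     "root_cause": "unmanaged service (default web content)", "cost": 3400},
    {"id": "F-3", "severity": "critical", "opened": "2021-01-20", "closed": None,
     "root_cause": "unmanaged service (default web content)", "cost": 0},
    {"id": "F-4", "severity": "high", "opened": "2021-01-10", "closed": "2021-01-15",
     "root_cause": "weak configuration", "cost": 500},
]

# Assumed remediation SLA per severity, in days (a policy input, not from the article).
SLA_DAYS = {"critical": 14, "high": 30}

def days_between(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days

def mean_time_to_remediate(findings, severity):
    """Average days from discovery to closure for closed findings of one severity."""
    durations = [days_between(f["opened"], f["closed"])
                 for f in findings if f["severity"] == severity and f["closed"]]
    return sum(durations) / len(durations) if durations else None

def sla_breaches(findings, as_of):
    """IDs of findings that exceeded their SLA, whether closed late or still open as of `as_of`."""
    breached = []
    for f in findings:
        end = f["closed"] or as_of  # open findings are measured up to the reporting date
        if days_between(f["opened"], end) > SLA_DAYS.get(f["severity"], 90):
            breached.append(f["id"])
    return breached

def root_cause_summary(findings, severity="critical"):
    """Count findings of a severity by root cause, most common first."""
    return Counter(f["root_cause"] for f in findings if f["severity"] == severity).most_common()

def remediation_cost(findings, severity="critical"):
    return sum(f["cost"] for f in findings if f["severity"] == severity)

if __name__ == "__main__":
    print("MTTR critical (days):", mean_time_to_remediate(FINDINGS, "critical"))
    print("SLA breaches:", sla_breaches(FINDINGS, "2021-02-10"), root_cause_summary(FINDINGS))
```

Grouping by root cause is what turns a list of findings into a remediation plan: two of the three critical findings here trace back to the same unmanaged service, which is the kind of pattern the article says providers should surface.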

A frequently seen problem is the segregation of corporate structures from technical operations. It can be a struggle to ensure the effective distribution of operating data across an organisation. Vulnerability management programmes are often centrally managed, with single points of contact for vulnerability management overseeing disparate and far-flung departments of the organisation.

The temptation may be to look towards the top end of the provider market to avoid these pitfalls. However, it’s not uncommon for the larger consultancies to wheel out their star technical experts for sales meetings but deliver gold-plated results that their junior staff have produced. Strip away the gilding, and the results are often no better than those of the lesser-known companies.

Fit for purpose.

Extracting the actual value that assessment results bring into your vulnerability management processes relies on consistent communication with clients and recognising which issues are of most relevance. Looking for trends and patterns gives valuable insights and helps identify what may be missing from the results and warrant further investigation. Correctly interpreted vulnerability data needs to feed into corporate risk management processes and be shared with information security staff, project teams, administrators, and risk-management teams. These are aspects that automated tools and inexperienced staff following prescribed procedures cannot address.

Does the vulnerability management reporting tell you clearly what the risks are, their criticality to the business, and what actions you need to take immediately? It should identify what steps you need to plan over the next twelve months, and what budget you need to do this.

Evolve, don’t stagnate.

There is a misconception that once a vulnerability management process is set up, scheduling periodic vulnerability scans and updating results is an effective solution. We consider this to be the bare minimum for any organisation. If a business is earnest about maintaining and improving its security posture, it needs to do more. The process should respond to changes inside and outside the company and out-of-cycle change management.

The vulnerability management process itself should be subject to regular review to ensure it remains effective in light of changes to the business, information systems, the availability of new technologies and changes to the threat landscape. It needs to provide a comprehensive and adaptive end-to-end solution that evolves in parallel with the infrastructure it is protecting, in line with business needs and strategies.

Ok, so what do I need to look for?

Effective vulnerability management must take a strategic view of the business rather than focusing on each technical issue in isolation. When running vulnerability management programmes, the focus should always be on risk reduction at the business level rather than diving down technical rabbit holes. The process should feed into the business’s risk management framework and drive down the relevant KPIs in line with the business strategy, rather than just sending a list of vulnerabilities to the security team for remediation.

Experience shows that the best results come from developing long-term, trust-based relationships in which a vulnerability management provider works with clients in close partnership, sharing insight and organisation-specific information and offering clients the specialist technical vulnerability management skills that they cannot afford to maintain in-house.

One key takeaway.

What differentiates the great vulnerability management service providers is their ability to tailor activities and reporting to each client’s needs while providing consistent, clear communication. They need to be knowledgeable and skilled while also being agile and cost-effective. Anyone can scan for known vulnerabilities, but it requires business alignment and keen insight to use the data effectively.

Does your service provider take the results of your vulnerability identification processes, extract the relevant information, and deliver it in a form that will feed into your business processes?

The information should drive business and security posture improvements, driving down strategic risks. The method for collecting vulnerability identification information is unimportant; it’s the interpretation and management of this information, enhancing its value, that’s crucial for your business’s success.
