A guide to a Risk-Based Vulnerability Management programme

By Pierre Samson, Co-Founder and CRO at Hackuity

Ever had one of those weeks where no matter how many tasks you strike off your to-do list, it just seems to get longer every day? Welcome to the nightmare of vulnerability management. More than 74,000 new CVEs have been reported in the last three years, leaving teams struggling and in permanent ‘catch-up’ mode.

Worse still, every day a CVE languishes on the to-do list, is a day it's at risk of being exploited by threat actors. The number of breaches involving vulnerabilities known for more than five years is a wake-up call.

It's not that security teams don't know about the risk or don't care; they often just don't know where to start. Without a clear focus, teams can easily spend all their time patching while missing the most critical vulnerabilities exposing their company to serious cyber risk.

Moving towards a risk-based approach

Identifying risks isn't enough: teams also need the context around these to assess the risk to their environment. This is where a risk-based vulnerability management (RBVM) approach comes in. This strategy harmonises and centralises vulnerability information, improving a team's understanding of which threats to prioritise and remediate, to reduce risk across the organisation.

Rather than attempting the impossible task of patching every vulnerability as it appears, a risk-based approach focuses on the few vulnerabilities that pose a true risk to the enterprise. However, teams often struggle to achieve this focus due to a highly fragmented set of tools and processes.

Multiple, disparate scanning tools and threat intelligence sources often leave teams with a scarily inefficient manual approach to patching. It also leaves them unable to see the wood for the trees, tackling threats individually without a bigger picture to guide them.

Another top challenge is a lack of a reliable, up-to-date asset inventory. Many teams are perpetually stuck in the "you don't know what you don't know" stage, unable to prioritise their vulnerability management activity because they do not understand which assets are at risk.

Despite these challenges, businesses sometimes find it easier to stick with a reactive approach rather than invest in the tech or organisational changes needed to switch to a preventative strategy. The same human psychological trait makes us resist starting a diet or hitting the gym, even though we know it's better for our health in the long run.

But just like a healthy lifestyle, the initial challenges and investment in moving towards RBVM will quickly pay off in the form of more efficient practices and improved security resilience.

Moving towards a mature RBVM programme

Successfully implementing an RBVM involves both technical and managerial changes.

On the technical side, empowering teams with the tools and information needed to prioritise and address high-risk vulnerabilities is crucial. This is best achieved with a single platform that can aggregate data from various sources to present a single point of visibility, providing context for prioritising action. From here, automation can significantly improve operational efficiency and security posture.

On the managerial side, the success of RBVM relies on centralising responsibility to drive change, rather than having a scattering of teams that are involved in patching but don't own ultimate accountability. It also requires empowering and collaborating with other stakeholders such as the IT production teams or application owners in charge of the actual remediation effort. The CISO is the most obvious person to sponsor the project, while the Cyberdefence or SecOp Head is the best fit to build and run the centralised practice (ideally in a VOC, outside of a SOC), working closely with the non-Security people.

As with SOCs, the value of better vulnerability management comes from a better understanding of risk, and enhanced ability to mitigate it. Rather than a numbers game of the volume of vulnerabilities being patched, the ROI of vulnerability management should be framed around the ability to identify and tackle the most dangerous threats facing the company. Say goodbye to vulnerability vanity metrics, and hello to tangible pain relief from the C-suite to the SOC.

OpenAI Takes Aim at Google Search With SearchGPT

Beyond the AI Hype: The Challenges AI Brings to the IT Industry

What is a Prompt Engineering? How to Make LLMs Better

What is a Stochastic Parrot? Understanding the Hidden Flaw in LLMs

Data Mastery: Driving Business Growth with MDM and AI Innovations

Breaking Barriers With Accessible Data Visualization

Teradata and The Very Group: Innovating with Analytics to Help Families Get More

Teradata and Brinker: AI and the Cloud Serve Up Sizzling Food

How a Labour Government Will Change UK Tech, According to Experts

Top 10 Best Public DNS Servers for 2024

What is Engagement Farming and is it Worth the Risk?

Meta to Dissolve 'Reality Labs' Division as Layoffs Loom

Top 10 ERP Software and Systems for 2024

Top 10 SD-WAN Providers to Consider in 2024

Top 10 Best DCIM Software Solutions for 2024

Opentelemetry: The Key to Unified Telemetry Data

Secureworks & IDC MarketScape: Worldwide MDR 2024 Vendor Assessment

Secureworks: 10 Security Controls to Reduce Risk

NHS Suffers Blood Shortage as Cyber Attack Disrupts Donations

Why the Cybersecurity Industry Needs Podcasts

1 TB of Disney Data Leaked in NullBulge Cyber Attack

Why did Yik Yak Fail? How the Messaging App Died

What Happened to AltaVista? The Rise and Fall of a Search Pioneer

What is an AI Skeleton Key? Microsoft Warns of New Vulnerability

OpenAI Takes Aim at Google Search With SearchGPT

NHS Suffers Blood Shortage as Cyber Attack Disrupts Donations

What is a Prompt Engineering? How to Make LLMs Better

What is a Stochastic Parrot? Understanding the Hidden Flaw in LLMs

Data Mastery: Driving Business Growth with MDM and AI Innovations

Beyond the AI Hype: The Challenges AI Brings to the IT Industry

Why the Cybersecurity Industry Needs Podcasts

Breaking Barriers With Accessible Data Visualization

Top 10 ERP Software and Systems for 2024

Top 10 MFA Providers and Software Tools for 2024

Top 10 Best Data Quality Tools for 2024

Top 10 SD-WAN Providers to Consider in 2024

Secureworks & IDC MarketScape: Worldwide MDR 2024 Vendor Assessment

Secureworks: 10 Security Controls to Reduce Risk

AuditBoard: Digital Risk Report 2024

AuditBoard: IT Risk and Compliance Platforms

Cybersecurity Luminary Stephen Khan to Receive Prestigious Hall of Fame Award at Infosecurity Europe

Leadership powerhouse Claire Williams OBE reveals how to navigate change and develop a strong team culture at Infosecurity Europe 2024

Digital Transformation Week Unveils Keynote Topics: Empowering Enterprises with Real-World Insights

Generative AI and Deepfake Expert, Henry Ajder to discuss the impact of generative AI on cybersecurity at Infosecurity Europe 2024

"Everyone's Talking About AI in Cybersecurity!" | TG Singham @ Infosecurity Europe

"You Need to Test that Your Backup Plan Actually Works!" | Kim Larsen @ Infosecurity Europe

"There's a Disparity Between Threat Actors and Security Teams" | Koryak Uzan @ Infosecurity Europe

"There's an Information Overload for Cybersecurity Teams!" | James Johnson @ Infosecurity Europe

Moving towards a risk-based approach

Moving towards a mature RBVM programme

More from Tom Stinton

Tom Stinton

It’s ChatGPT’s 1st Birthday!

Recommended for you

OpenAI Takes Aim at Google Search With SearchGPT

Secureworks: 10 Security Controls to Reduce Risk

NHS Suffers Blood Shortage as Cyber Attack Disrupts Donations

Why the Cybersecurity Industry Needs Podcasts

Top 10 MFA Providers and Software Tools for 2024