The path to RBVM: a practical guide to a Risk-Based Vulnerability Management Programme

By Pierre Samson, Co-Founder and CRO at Hackuity

Ever had one of those weeks where no matter how many tasks you strike off your to-do list, it just seems to get longer every day? Welcome to the nightmare of vulnerability management. More than 74,000 new CVEs have been reported in the last three years, leaving teams struggling and in permanent ‘catch-up’ mode.

Worse still, every day a CVE languishes on the to-do list, is a day it's at risk of being exploited by threat actors. The number of breaches involving vulnerabilities known for more than five years is a wake-up call.

It's not that security teams don't know about the risk or don't care; they often just don't know where to start. Without a clear focus, teams can easily spend all their time patching while missing the most critical vulnerabilities exposing their company to serious cyber risk.

Moving towards a risk-based approach

Identifying risks isn't enough: teams also need the context around these to assess the risk to their environment. This is where a risk-based vulnerability management (RBVM) approach comes in. This strategy harmonises and centralises vulnerability information, improving a team's understanding of which threats to prioritise and remediate, to reduce risk across the organisation.

Rather than attempting the impossible task of patching every vulnerability as it appears, a risk-based approach focuses on the few vulnerabilities that pose a true risk to the enterprise. However, teams often struggle to achieve this focus due to a highly fragmented set of tools and processes.

Multiple, disparate scanning tools and threat intelligence sources often leave teams with a scarily inefficient manual approach to patching. It also leaves them unable to see the wood for the trees, tackling threats individually without a bigger picture to guide them.

Another top challenge is a lack of a reliable, up-to-date asset inventory. Many teams are perpetually stuck in the "you don't know what you don't know" stage, unable to prioritise their vulnerability management activity because they do not understand which assets are at risk.

Despite these challenges, businesses sometimes find it easier to stick with a reactive approach rather than invest in the tech or organisational changes needed to switch to a preventative strategy. The same human psychological trait makes us resist starting a diet or hitting the gym, even though we know it's better for our health in the long run.

But just like a healthy lifestyle, the initial challenges and investment in moving towards RBVM will quickly pay off in the form of more efficient practices and improved security resilience.

Moving towards a mature RBVM programme

Successfully implementing an RBVM involves both technical and managerial changes.

On the technical side, empowering teams with the tools and information needed to prioritise and address high-risk vulnerabilities is crucial. This is best achieved with a single platform that can aggregate data from various sources to present a single point of visibility, providing context for prioritising action. From here, automation can significantly improve operational efficiency and security posture.

On the managerial side, the success of RBVM relies on centralising responsibility to drive change, rather than having a scattering of teams that are involved in patching but don't own ultimate accountability. It also requires empowering and collaborating with other stakeholders such as the IT production teams or application owners in charge of the actual remediation effort. The CISO is the most obvious person to sponsor the project, while the Cyberdefence or SecOp Head is the best fit to build and run the centralised practice (ideally in a VOC, outside of a SOC), working closely with the non-Security people.

As with SOCs, the value of better vulnerability management comes from a better understanding of risk, and enhanced ability to mitigate it. Rather than a numbers game of the volume of vulnerabilities being patched, the ROI of vulnerability management should be framed around the ability to identify and tackle the most dangerous threats facing the company. Say goodbye to vulnerability vanity metrics, and hello to tangible pain relief from the C-suite to the SOC.