While vulnerability management has been around for years, it remains a top issue for organizations. And while new vulnerability management tools are deployed regularly, they haven't stopped attackers from exploiting vulnerabilities. The reality is that vulnerability management isn't a technology problem. It's a people and process problem.
Deploying tools is easy, but implementing the right strategy for your organization is a significant challenge. Worse, implementing a vulnerability remediation strategy that clashes with your organizational culture will fail to be effective. Consider how these strategies might fare at your organization.
1. The Fire Brigade
Strategy: Incident response. Treat vulnerabilities as incidents and respond to them individually, remediating quickly under pressure.
Organizational Profile: Do you know someone who works better with a deadline? Some organizations are the same way. If you work where people only really respond to emergencies, then tie vulnerability management to a tight deadline.
Pros: Fixing the highest-risk vulnerabilities is better than doing nothing.
Cons: Lots of residual vulnerability risk.
2. Building Blocks
Strategy: Asset-focused. Identify the highest-risk assets and fix them first, regardless of specific vulnerability conditions.
Organizational Profile: Do you have system owners who largely correspond to assets? Can you identify an owner for most of the "boxes" on your network? If your organization builds processes around assets, this strategy may be effective.
Pros: Iterative improvement.
Cons: Inefficient use of resources.
3. Vulcan Logic
Strategy: Vulnerability-focused. Prioritize the vulnerabilities and fix the highest priorities first. Rinse and repeat.
Organizational Profile: Do you have effective workflow systems in place already? Can you assign a task and follow it to completion easily? If your organization is a well-oiled machine, start feeding that machine vulnerabilities.
Pros: Seriously effective at reducing vulnerability risk.
Cons: Only as good as the priorities.
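The difference between the asset-focused "Building Blocks" ordering and the vulnerability-focused "Vulcan Logic" ordering is easiest to see on real numbers. The following is an added example, not code from the article or from any vendor tool: it scores a constructed set of scan findings by severity, asset criticality, exposure and exploitation status, then produces both orderings and the residual risk left after a fixed number of remediations. The asset criticality map, the exposure and exploitation weights, the `EX-nnnn` identifiers and the "exploited in the wild" flag are all assumptions made for the illustration; a real program would take them from an asset inventory and a threat-intelligence feed.

```python
"""Risk-based prioritization of constructed scan findings (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str        # hostname of the affected system
    vuln_id: str      # placeholder identifier, not a real CVE number
    cvss: float       # base severity, 0.0 to 10.0
    exploited: bool   # known to be exploited in the wild (assumed intel feed)
    exposure: str     # "internet" or "internal"


# Assumed business criticality per asset (0.0 to 1.0); in practice this comes
# from the asset owners, not from the scanner.
ASSET_CRITICALITY = {"web-01": 0.8, "db-01": 1.0, "lab-07": 0.2}

# Assumed weighting choices for the example, not an industry standard.
EXPOSURE_FACTOR = {"internet": 1.0, "internal": 0.6}
EXPLOITED_MULTIPLIER = 1.5

# Constructed sample findings, shaped like a parsed scanner export.
FINDINGS = [
    Finding("web-01", "EX-1001", 9.8, True, "internet"),
    Finding("web-01", "EX-1002", 5.3, False, "internet"),
    Finding("db-01", "EX-1003", 7.5, False, "internal"),
    Finding("lab-07", "EX-1004", 9.8, True, "internal"),
    Finding("db-01", "EX-1005", 4.0, False, "internal"),
    Finding("lab-07", "EX-1006", 6.1, False, "internal"),
]


def finding_risk(f: Finding) -> float:
    """Combine severity, asset criticality, exposure and exploitation status."""
    score = f.cvss * ASSET_CRITICALITY[f.asset] * EXPOSURE_FACTOR[f.exposure]
    if f.exploited:
        score *= EXPLOITED_MULTIPLIER
    return round(score, 3)


def risk_by_asset(findings):
    """Total risk per asset; doubles as a simple tracking metric."""
    totals = defaultdict(float)
    for f in findings:
        totals[f.asset] += finding_risk(f)
    return {asset: round(total, 3) for asset, total in totals.items()}


def vulnerability_order(findings):
    """Vulcan Logic: every finding ranked on its own risk, regardless of host."""
    ranked = sorted(findings, key=finding_risk, reverse=True)
    return [f.vuln_id for f in ranked]


def asset_order(findings):
    """Building Blocks: rank assets by total risk, then clear the top asset first."""
    totals = risk_by_asset(findings)
    ranked = sorted(findings, key=lambda f: (-totals[f.asset], -finding_risk(f)))
    return [f.vuln_id for f in ranked]


def residual_risk(findings, fixed_ids):
    """Risk left once the findings in fixed_ids are remediated."""
    remaining = sum(finding_risk(f) for f in findings if f.vuln_id not in fixed_ids)
    return round(remaining, 3)


if __name__ == "__main__":
    print("per-asset risk:", risk_by_asset(FINDINGS))
    print("vulnerability-focused order:", vulnerability_order(FINDINGS))
    print("asset-focused order:", asset_order(FINDINGS))
    top2_vuln = set(vulnerability_order(FINDINGS)[:2])
    top2_asset = set(asset_order(FINDINGS)[:2])
    print("residual after 2 fixes (vulnerability-focused):", residual_risk(FINDINGS, top2_vuln))
    print("residual after 2 fixes (asset-focused):", residual_risk(FINDINGS, top2_asset))
```

With this data the asset-focused ordering spends its second fix on a medium finding on web-01 (EX-1002) while a higher-risk finding on db-01 (EX-1003) waits, which is the "inefficient use of resources" the Building Blocks section describes; the vulnerability-focused ordering avoids that, but only because the criticality and exposure weights were sensible, which is exactly the "only as good as the priorities" caveat above. Note also how the internal lab host carries a critical, exploited finding (EX-1004) that both orderings push near the bottom: the residual-risk figure is what tells you whether that is acceptable.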
4. The Hive
Strategy: Central analysis, distributed work. Information security performs analysis of the vulnerability scanning results and provides very directed remediation instructions to the larger organization.
Organizational Profile: Does your organization rely on a clear "tone from the top"? Is information security a centralized group in a distributed organization? If your organization operates with a clear chain of command, then focus on building the most effective analysis to reduce risk.
Pros: Systematic reduction of vulnerability risk.
Cons: Lowest-common-denominator execution.
5. Board of Directors
Strategy: Distributed analysis and work, centralized tracking. Identify metrics for tracking progress overall, then allow each group within the organization the freedom to reduce vulnerability risk as they see fit.
Organizational Profile: Do the groups across your organization require autonomy? Is your organization metrics-driven? If your organization likes independence and a results-oriented approach, then focus on the metrics to drive outcomes.
Cons: Bad metrics, bad results.
6. Process Optimizer
Strategy: Reduce attack surface. Forget about vulnerabilities and focus on reducing the overall attack surface through aggressive implementation of least privilege and elimination of unnecessary services and systems. Measure the results with vulnerability risk metrics.
Organizational Profile: Does your organization fail to decommission systems effectively? Do people install whatever they want on their systems? If your organization's digital clutter is its own biggest threat, then cleaning house can eliminate serious vulnerability risk.
Pros: Dramatic vulnerability risk reduction.
Cons: Limited duration of effectiveness and high-priority risk gap.
There's no perfect strategy for eliminating vulnerability risk. While employing the right tools helps, knowing how your organization operates is what will make the difference between an expensive product and an effective program.