Principle 1: Focus on output, not input.
Tools are only a means to an end. Data collection is a fundamental requirement for vulnerability management, but providing timely, accurate, contextual reports to appropriate individuals is critical. Many organizations develop programs that generate vast amounts of data, but struggle to make it actionable and measurable.
Principle 2: Align with business processes.
Vulnerability management process integration with and awareness of business processes is critical to understanding enterprise risk and focusing on the areas that matter most.
Principle 3: Continue to integrate technologies.
Incorporating change and configuration technologies will increase the reliability of data, build accurate reporting, and increase overall effectiveness in lowering enterprise risk and achieving compliance objectives.
Principle 4: Leverage measurement and promote visibility.
Defining key performance indicators, such as an acceptable host-to-vulnerability ratio, and using measurement tools will help focus the program on activities that will have the most impact.
Illustration by Sek Leung
Vulnerability Management That Works