Your Vulnerability Management Strategy Should Have These Three Things


What is Vulnerability Management?

According to Wikipedia, Vulnerability Management (VM) is the “cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating” software vulnerabilities and is integral to computer security and network security. Taken one step further, VM is a combination of Vulnerability Reporting (identifying and classifying) and Vulnerability Response (prioritizing, remediating, and mitigating), which is an important distinction.

Reading that, one might think that vulnerability management is just an IT problem; the reality is, the focus of VM needs to be on the business side as well.

What if, rather than looking at the vulnerabilities themselves first, we took a different approach? What if we looked first at the business processes and services that are important to the company, and then worked our way back to the vulnerabilities themselves? 

The truth is, vulnerability management programs are in place to protect the products and services that companies offer. IT will always own the asset, but the business will always own the asset’s purpose. Therefore, successful programs need collaboration between IT and the business to share accountability for vulnerability management and for the risk that vulnerabilities impose on the business.

So, in this collaborative world of Vulnerability Management, what is the starting point of this shared responsibility? Remember these three things when building a VM strategy: 

Get the Right People in Place

If VM is a shared responsibility, then the right people must make up your VM team. It’s not just about technical knowledge (although that is important): your team must be made up of people from across the organization. From IT to management to business analysts and everywhere in between, your team must have clear lines of communication and a deep understanding of how vulnerabilities can affect the business environment. The business view of any system’s purpose is critical in understanding the value of a system to the overall business, and IT will lean on it heavily to prioritize which vulnerabilities to address first. Ultimately, the business and IT have a bi-directional translation layer between them, which allows each group to understand its role in the VM program.

Discover Your Business Products and Services

Defining business products and services is critical to the success of maturing your vulnerability risk management program, so it goes without saying that establishing a sustainable process to maintain the data integrity of your business’ products and services is equally important. In the end, you take your products and services to market and gain the trust of your customers. The second half of the equation is to implement a thorough VM Program to maintain that trust.

Collecting, analyzing and structuring business products and services data elements to be used in calculating vulnerability risk ratings is vitally important to the process and is a critical step. Once we have defined the products and services and their associated value, then we can clearly identify the vulnerabilities and figure out the appropriate response for each of them. 

Choose the Right Vulnerability Management Technology

This is where a Governance, Risk and Compliance (GRC) platform becomes the backbone for building a more effective vulnerability management program. At Iceberg, we believe that understanding how to formulate a solid VM program first is paramount for success, followed by working very closely with the RSA Archer product to manage both IT and business content, enabling context-aware vulnerability risk management programs. With RSA Archer’s Threat Management platform, Iceberg helps clients build programs to identify and manage risk to the business.

Iceberg uses RSA Archer to help companies build programs that measure risk to the business by aggregating IT and business data into unified calculations. This allows vulnerability management programs to truly represent the dynamically changing risk scores to the business that result from the constantly changing state of asset vulnerabilities. This process ultimately facilitates a program for reporting and metrics that will serve everything from operational activities to executive briefings.
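To make the idea of "aggregating IT and business data into unified calculations" concrete, here is an added example that is not part of the original post and is not RSA Archer or Iceberg code. It shows the business-first approach described earlier: scanner findings (IT data: CVSS and exploit availability) are weighted by the criticality of the business service each asset supports (business data), so remediation order follows business risk rather than raw severity. It also surfaces assets with no business-service mapping, the data-integrity gap the "Discover Your Business Products and Services" section warns about. All services, hosts, finding identifiers, criticality values and the exploit multiplier are constructed assumptions for illustration.

```python
"""Business-weighted vulnerability prioritization (constructed example, not a product's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessService:
    name: str
    criticality: int         # 1 (low) .. 5 (mission critical); owned by the business, not IT


@dataclass(frozen=True)
class Asset:
    hostname: str
    supports: tuple          # names of the business services this asset underpins


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # scanner finding identifier (placeholder values below)
    hostname: str
    cvss: float              # technical severity, 0.0 - 10.0
    exploit_available: bool  # threat-intelligence flag from the scanner or a feed


DEFAULT_CRITICALITY = 3      # assumption: unmapped assets are treated as medium until classified
EXPLOIT_MULTIPLIER = 1.2     # assumption: extra weight when a public exploit exists

# --- constructed sample data: none of these services, hosts or findings are real ---
SERVICES = {
    "Online Payments": BusinessService("Online Payments", 5),
    "HR Portal": BusinessService("HR Portal", 3),
    "Internal Wiki": BusinessService("Internal Wiki", 1),
}
ASSETS = {
    "pay-web-01": Asset("pay-web-01", ("Online Payments",)),
    "hr-app-01": Asset("hr-app-01", ("HR Portal",)),
    "wiki-01": Asset("wiki-01", ("Internal Wiki",)),
    "lab-vm-07": Asset("lab-vm-07", ()),   # no business mapping: a data-integrity gap
}
FINDINGS = [
    Finding("VULN-0001", "wiki-01", 9.8, True),
    Finding("VULN-0002", "pay-web-01", 7.5, True),
    Finding("VULN-0003", "hr-app-01", 5.3, False),
    Finding("VULN-0004", "lab-vm-07", 9.1, False),
]


def asset_criticality(hostname, assets=ASSETS, services=SERVICES):
    """Business weight of an asset: the highest criticality among the services it supports."""
    asset = assets.get(hostname)
    if asset is None or not asset.supports:
        return DEFAULT_CRITICALITY
    return max(services[name].criticality for name in asset.supports)


def risk_score(finding, assets=ASSETS, services=SERVICES):
    """Relative risk: technical severity scaled by business criticality and exploit availability.
    Only the ordering matters; the scale (0 to 60 here) is arbitrary."""
    multiplier = EXPLOIT_MULTIPLIER if finding.exploit_available else 1.0
    weight = asset_criticality(finding.hostname, assets, services)
    return round(finding.cvss * weight * multiplier, 1)


def prioritize(findings=FINDINGS, assets=ASSETS, services=SERVICES):
    """Findings in remediation order, highest business risk first."""
    return sorted(findings, key=lambda f: risk_score(f, assets, services), reverse=True)


def service_risk(findings=FINDINGS, assets=ASSETS, services=SERVICES):
    """Executive view: the worst open finding behind each business service."""
    worst = {name: 0.0 for name in services}
    for finding in findings:
        asset = assets.get(finding.hostname)
        if asset is None:
            continue
        score = risk_score(finding, assets, services)
        for name in asset.supports:
            worst[name] = max(worst[name], score)
    return worst


def unmapped_assets(assets=ASSETS):
    """Assets with IT data but no business owner; feed these back to the business to classify."""
    return sorted(host for host, asset in assets.items() if not asset.supports)


if __name__ == "__main__":
    for finding in prioritize():
        print(f"{risk_score(finding):5.1f}  {finding.vuln_id}  {finding.hostname}  (CVSS {finding.cvss})")
    print("Service risk:", service_risk())
    print("Assets needing a business owner:", unmapped_assets())
```

Sorted by CVSS alone the order would be VULN-0001, VULN-0004, VULN-0002, VULN-0003; weighted by business criticality the payments finding moves to the top and the wiki finding to the bottom, which is the "work back from the business to the vulnerabilities" view the post argues for. The unmapped lab host is scored at a conservative default and reported separately so the business mapping can be completed rather than silently ignored.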

Vulnerability Management is the responsibility of the entire organization. By putting the right people in place, identifying the products and services your business offers, and implementing the right technology, you can be well on your way to building a robust and mature Vulnerability Management strategy. Let Iceberg Networks help you bring your VM strategy to the next level. 
