12 steps to building a top-notch vulnerability management program

Security executives have long known the importance of addressing vulnerabilities within their IT environments.

And other executives in the C-suite have also come around to the criticality of this task, given the number of high-profile breaches that happened as a result of an unpatched system.

Recent news should put to rest any lingering doubts about the importance of this task.

The US Federal Trade Commission, for example, in early January put the business community on notice about addressing Log4j, writing in an online post that “the duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

The FTC has good reason to warn about such issues: Reports consistently find unpatched known vulnerabilities remain one of the top attack vectors.

Consider figures from the Ransomware Spotlight Year End 2021 Report from security firms Ivanti, Cyber Security Works and Cyware. The report tallied 65 new vulnerabilities tied to ransomware in 2021, a 29% increase over the previous year, and counted a total of 288 known vulnerabilities associated with ransomware.

Despite such findings, many organizations lack a formal vulnerability management program. A 2020 survey from the SANS Institute, a cybersecurity training and certification organization, found that nearly 37% have either only informal approach or no program at all.

Experienced security leaders agree that vulnerability management should not be handled on an ad hoc basis or through informal methods. Rather, it should be programmatic to enforce action, accountability, and continuous improvement.

To that end, these experts offered 12 steps for building a top-notch vulnerability management program:

1. Assemble a team

“Before you buy anything, do any processes, or create procedures, you need to build a team,” says Daniel Floyd, who as CISO of Blackcloak oversees its SOC, threat intelligence platform, its penetration testing and digital forensics teams.

In addition to assigning the security and IT workers who typically handle vulnerability management and patching, Floyd recommends including other key stakeholders, such as business-side employees who can speak to the impact the organization faces when systems are taken down for rebooting so the team can understand how their work affects others.

2. Keep a current, comprehensive inventory of assets

Hold Security

Another foundational element for any effective vulnerability management program is an up-to-date asset inventory with a process to ensure that it remains as current and comprehensive as possible. “It’s definitely something that everyone knows about but it’s an area that’s really difficult,” Floyd says, particularly in today’s modern environments with its physical items, remote employee connections, and IoT components as well as cloud, SaaS, and open source elements.

But the hard work is critical, says Alex Holden, CISO with Hold Security and a member of the ISACA Emerging Trends Working Group. “It all has to be taken into account, so when something new comes up, you’ll know if it’s something you have to fix.”

3. Develop an ‘obsessive focus on visibility’

With a comprehensive asset inventory in place, Salesforce SVP of information security William MacMillan advocates taking the next step and developing an “obsessive focus on visibility” by “understanding the interconnectedness of your environment, where the data flows and the integrations.”

“Even if you’re not mature yet in your journey to be programmatic, start with the visibility piece,” he says. “The most powerful dollar you can spend in cybersecurity is to understand your environment, to know all your things. To me that’s the foundation of your house, and you want to build on that strong foundation.”

4. Be more aggressive with scanning

Vulnerability scanning is another foundational element within a solid cybersecurity program, yet experts say many organizations that are regularly running scans still fail to identify problems because they’re not being thorough enough. “Where I think people are falling down is in coverage,” Floyd says.

Consequently, high-performing vulnerability management programs have adopted more aggressive scanning practices incorporating multiple scanning options. Floyd, for example, says he believes teams should include credentialed scans for a more thorough search of weak configurations and missing patches in addition to running the more commonly used agent-based and network scanning.

5. Have documented, deliberate workflows

Mature, well-established vulnerability management programs have documented, deliberate workflows that lay out what happens and who is responsible for what, MacMillan says.

Salesforce

“Larger, complex businesses understand [security vulnerabilities] are an existential threat and that they have to move past the ad hoc stage pretty quickly and lay out what needs to happen in a deliberate and focused way,” he explains.

Security teams everywhere can benefit from following that best practice and establish those workflows, adding automation wherever possible.

Furthermore, MacMillan says teams should develop a common operating picture, with the same data and threat intelligence available to all team members working on vulnerability management.

“Everyone should operate from that common operating picture, and they all should synch,” he adds.

6. Establish, track KPIs

“To validate the effectiveness of your controls and to prove to management that it’s effective, it’s good to have metrics that report on the performance of your vulnerability management program,” says Niel Harper, ISACA board director and CISO for a large global company.

ISACA

He says organizations could use any of the commonly used key performance indicators—such as percentage of critical vulnerabilities remediated on time and percentage of critical vulnerabilities not remediated on time—to measure current state and track improvement over time.

Other KPIs to use could include percentage of assets inventoried, time to detect, mean time to repair, number of incidents due to vulnerabilities, vulnerability re-open rate and number of exceptions granted.

As Harper explains: “All those will present management with an idea of how well your vulnerability management program is performing.”

7. Benchmark

Tracking KPIs can indicate whether your own vulnerability management program is improving over time, but you’ll need to measure against other companies’ efforts to determine whether your program exceeds or fall short compared to others, Harper says.

“Benchmarking helps you to understand how you’re performing against your peers and competitors, and it also provides assurances to management that your vulnerability management program is effective,” he says. “It can also serve as a differentiator in the marketplace, which you could even use to drive the top line.”

Harper says managed service providers often have data that security teams can use for this exercise.

8. Make someone responsible and accountable for success

To have a true vulnerability management program, multiple experts say organizations must make someone responsible and accountable for its work and ultimately its successes and failures.

“It has to be a named position, someone with a leadership job but separate from the CISO because the CISO doesn’t have the time for tracking KPIs and managing teams,” says Frank Kim, founder of ThinkSec, a security consulting and CISO advisory firm, and a SANS Fellow.

ThinkSec

Kim says larger enterprises often have enough vulnerability management work to have someone take on this role full time, but smaller and midsize companies that don’t require a full-time manager should still make this accountability work an official part of someone’s job.

“Because if you don’t give responsibility to that one person,” Kim says, “that’s where you get everyone pointing figures at each other.”

9. Align incentives to program improvement, successes

Assigning responsibility for the program is one step, but Kim and others say organizations should also establish incentives such as bonuses tied to improving KPIs.

“And incentivize not only the teams responsible for doing the patching but the stakeholders across the organization,” Floyd says, whether those incentives are in the way of extra compensation, bonus days off, or other forms of recognition. “It’s about incentivizing and celebrating successes. It shows that this needs to be a priority.”

10. Create a bug bounty program

Salesforce rewarded ethical hackers more than $2.8 million in rewards in 2021 for identifying security issues in its products, seeing this bug bounty as an important part of managing vulnerabilities, MacMillan says.

MacMillan recommends other organizations implement bug bounty programs as part of their vulnerability management efforts. “It’s an effective way to surface problems,” he says.

Others agree. Holden, for example, says smaller organizations can set up an internal bug bounty program that rewards employees who find vulnerabilities or work with external parties or cybersecurity companies offering such services to draw on a larger pool of expertise.

11. Set expectations and adjust them over time

The number of publicly disclosed computer security flaws on the Common Vulnerabilities and Exposures (CVE) list continues to grow, with the number of new ones added annually having increased nearly every year during the past decade. There were 4,813 CVEs in 2011; in 2020 there were 11,463, according to an analysis from Kenna Security.

Given the volume, experts agree that organizations must prioritize which vulnerabilities pose the greatest risks to them so they can address those first.

[ Related reading: 6 top vulnerability management tools and how they help prioritize threats ]

Peter Chestna, CISO of North America for Checkmarx, concurs, but he also says organizations should be upfront and clear about priorities and focus their vulnerability management program on those vulnerabilities that they actually plan to address.

Checkmarx

For example, if an organization only plans to address vulnerabilities that are rated high, why even scan for low-risk ones? Chestna says that approach can drain resources and distract teams from high-priority work, making it more likely that they miss critical issues.

“Instead, set the rules you want to follow (they have to be rules you can actually follow) and then follow them,” he says, adding that this helps organization better focus on risk reduction. “And when we get really good at those highest priorities, then talk about opening up the flood gates.”

12. Report on the program’s performance to stakeholders, the board

In addition to keeping stakeholders within the organization informed about any patching work that could impact their access to systems, experts say the security department should report on the vulnerability management program’s overall performance—framed in business terms around risk and risk reduction.

“This is something you should actually be reporting to your board,” Floyd adds. “Hold yourself accountable.”