Vulnerability management is one of the most important cybersecurity fundamentals that businesses need to get right in order to effectively protect their crown jewel assets. Long-time practitioners know that quickly identifying and patching vulnerabilities is the name of the game, but it’s not always possible to consistently identify and deploy fixes for every vulnerability across an organization. At scale, it becomes a game of risk management and prioritization: determine an acceptable level of risk, establish a process that aligns with that risk tolerance, and tackle the highest priority vulnerabilities first.
A vulnerability management process can be as simple as one person manually running an open-source vulnerability scanner on business assets, or it can be a complex program managed by several dedicated individuals running and following up on automated vulnerability scans from a cloud agent. At the end of the day, what matters most is that the team is remediating vulnerabilities and reducing cyber risk in accordance with the organization’s overall risk tolerance. When this isn’t the case, businesses can look to elevate their vulnerability management programs with cybersecurity performance management (CPM).
The most effective way to elevate a basic vulnerability management program is managing performance. When it comes to vulnerability management, the biggest risk factor is how long you allow high-risk vulnerabilities to sit unresolved. Sometimes it is unavoidable, as the team needs time to determine, test, and deploy fixes, but it is still the greatest optimization point when it comes to managing vulnerability risk. The longer that a high-severity vulnerability sits unattended, the more likely it is for an attacker to exploit that momentary gap in the armor to disastrous effect.
Understanding how long it takes your team to identify and remediate vulnerabilities is key to elevating the effectiveness of the process. Once you have ways to measure real-time performance, it becomes possible to directly target inefficiencies that gum up the process. To that end, we have identified four steps to help chart the course to better vulnerability management performance.
Elevating Vulnerability Management Programs with CPM
Step one is to understand the day-to-day realities of your team’s cybersecurity performance. That means being able to track and measure patching performance with metrics that accurately reflect the prowess of existing procedures. Doing so requires the right processes or infrastructure in place to be able to measure performance. This can be done manually, but it is greatly preferable to have an automated system in place that tracks the age of identified vulnerabilities across organizational systems. Some of this may even come from analytics provided by tools that you already have, and it just becomes a matter of pulling everything together.
Step two is selecting the right metrics to track cybersecurity performance. When it comes to performance management, it’s essential to focus on metrics that track achievement rather than activity. In order to get substantive insight from your performance metrics, they need to be descriptive of the actual on-the-ground performance as it impacts your cybersecurity posture. In the case of vulnerability management, that means tracking metrics that measure the actual risk imposed on the business, such as the average age of a vulnerability, the longest vulnerability patch time from identification to patch, and the number of business-critical systems without high-risk vulnerabilities. This is important to distinguish, because bad metrics that measure activity don’t give you any real insight into real-world performance. A good example of a metric that tracks activity rather than achievement might be the total number of patches applied over a given timeframe. This doesn’t really tell us anything about how we’re performing; is the number higher than last month simply because more vulnerabilities were disclosed this month, or did we get better at patching them?
Step three is to create goals or objectives that need to be met to constitute good performance. We like to refer to these as SLAs, since the concept is similar to an SLA in a service contract. Amongst the leadership team and business stakeholders, determine an agreed-upon risk tolerance and create SLAs that match that overall risk appetite. If you determine by policy that all vulnerabilities with a CVSS score of 7.0 or above are to be remediated within five business days, these objectives should be used as a benchmark to determine your overall performance.
Step four is to leverage this greater insight into the ongoing performance of the team to identify issues that hinder the team’s ability to consistently remediate important vulnerabilities. If we identify that critical vulnerabilities on specific systems frequently exceed the pre-determined SLA, we can attack the underlying barrier that prevents us from meeting that five-business-day turnaround time. This new framework greatly increases the security team’s ability to identify weak points in processes and to demonstrate effectiveness to upper management.
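The four steps above can be tied together in a short script. The following is an added example, not code from the original article: it computes the achievement metrics named in step two and checks the example SLA from step three (CVSS 7.0 or above remediated within five business days). The record layout, asset names and dates are constructed for illustration, and it assumes the day of identification counts as day zero and that weekends are the only non-business days.

```python
from datetime import date, timedelta

SLA_CVSS = 7.0         # severity threshold from the policy example above
SLA_BUSINESS_DAYS = 5  # remediation window from the policy example above

def business_days(start, end):
    """Mon-Fri days elapsed after `start`, up to and including `end`."""
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        count += day.weekday() < 5
    return count

def report(findings, critical_assets, today):
    open_f = [f for f in findings if f["fixed"] is None]
    closed = [f for f in findings if f["fixed"] is not None]
    # A high-severity finding breaches the SLA if it was fixed late or is
    # still open past the window (open findings are measured to `today`).
    breaches = sorted(
        (f["asset"], f["id"]) for f in findings
        if f["cvss"] >= SLA_CVSS
        and business_days(f["found"], f["fixed"] or today) > SLA_BUSINESS_DAYS)
    exposed = {f["asset"] for f in open_f if f["cvss"] >= SLA_CVSS}
    ages = [(today - f["found"]).days for f in open_f]
    return {
        "patches_applied": len(closed),  # activity metric, shown for contrast
        "avg_open_age_days": sum(ages) / len(ages) if ages else 0.0,
        "longest_patch_days": max(((f["fixed"] - f["found"]).days for f in closed), default=0),
        "critical_assets_clean": len(set(critical_assets) - exposed),
        "sla_breaches": breaches,
    }

# Constructed sample data: asset names, ids, scores and dates are invented.
TODAY = date(2024, 3, 15)
CRITICAL = {"pay-db", "web-01", "hr-app"}
FINDINGS = [
    {"id": "V-1", "asset": "pay-db", "cvss": 9.8, "found": date(2024, 3, 4), "fixed": date(2024, 3, 8)},
    {"id": "V-2", "asset": "web-01", "cvss": 7.5, "found": date(2024, 3, 1), "fixed": date(2024, 3, 12)},
    {"id": "V-3", "asset": "hr-app", "cvss": 8.1, "found": date(2024, 3, 5), "fixed": None},
    {"id": "V-4", "asset": "web-01", "cvss": 4.3, "found": date(2024, 3, 11), "fixed": None},
]

if __name__ == "__main__":
    for name, value in report(FINDINGS, CRITICAL, TODAY).items():
        print(f"{name}: {value}")
```

On this sample, two patches were applied, yet one of them landed outside the SLA and a high-severity finding is still open past it; the patch count alone would hide both.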
Vulnerability management is one of the most fundamental aspects of cybersecurity that is so often overlooked. It’s a critical duty needed to protect our most important assets from the never-ending deluge of cyberattacks. But it can also be easy to overlook or take for granted, as it is a process that very much runs in the background. Yet it’s a bedrock fundamental of cybersecurity all the same, and implementing cybersecurity performance management can help elevate even basic vulnerability management programs into something truly valuable.