On the surface, vulnerability management (VM) is nearly ubiquitous. If you ask someone whether their organization has VM, the vast majority will reply in the affirmative. In fact, Tripwire asked that very question in a recent survey on the topic. Eighty-eight percent of respondents said yes. Beneath that surface of ‘yes’ responses, however, lies a varied spectrum of implementation ranging from periodic penetration testing to full-blown enterprise vulnerability management. As a VM vendor presenting your solution, you get used to the response (in a faux French accent) of “We’ve already got one!”
At the same time, the problem of vulnerability risk has hardly been solved. In the same survey, 27% of respondents indicated that they’ve experienced a breach as a result of an unpatched vulnerability. The VM market is growing, and that means that organizations are expanding and replacing the tools they have. If you’re going to increase investment, or make a replacement decision, you have to answer this most difficult question: how do you know your vulnerability management program is effective? In order to shed some light on that question and how it might be answered, let’s look at seven habits of highly effective VM programs.
1. Executive Buy-In
It’s easy to say that tone-from-the-top makes a big difference, but how do you actually determine if an initiative has executive buy-in? Start with the phrase ‘buy-in’ perhaps. If a VM initiative has the right level of sponsorship and visibility, then you should be able to articulate how the success or failure of the initiative impacts those executives. It might be that there’s a specific compensation impact, or it might be less concrete, but when a program can succeed or fail without affecting someone, then that person definitely does not have buy-in.
2. Asset Discovery
Any limit you place...
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tim Erlin. Read the original post at: https://www.tripwire.com/state-of-security/vulnerability-management/habits-highly-effective-vulnerability-management/