I am sure you have had either consultants, vendors, or heard at a conference that vulnerability management is foundational security control. While I agree that it is an essential control, I also understand that it is challenging to implement. Vulnerability management is not just to pick a tool, scan, and fix issues. Many components make it a complicated journey. This series will attempt to help break it down and give you ideas on how this complex service and be delivered effectively.
Planning
Objective
When you start, I recommend creating a targeted objective
and set of measures against your objective.
Ensure that you keep in mind your organization’s culture, politics, and
risk appetite as you are developing your objective. I have seen some target just “critical”
systems for regulatory compliance, whereas others have targeted their entire
enterprise. No matter your scope, keep
in mind your team’s current resource load, as standing up a vulnerability management
program is resource-intensive at first.
In the example of scoping your vulnerability management program to the
entire enterprise, break it down into smaller actionable pieces. Smaller actionable pieces will allow you to
show continual progress as you build your complete vulnerability management program. To give you some ideas, limit scopes to a
zone, subnet, or system. Don’t try to
tackle everything at once. That often
leads to frustration and failure.
For instance, talk to your business customers and understand
what they perceive as their most critical systems. Understand from their point of view what
needs to be protected, this will help you later when you are seeking their
approval, or buy in.
Socializing
I have seen lots of projects fail because of lack of buy
in. For most a vulnerability management
program is telling system owners how ugly their system is and that it may cost
more money to fix it, or make it prettier.
To help make your program a success you should get as much executive buy
in as possible. To do this, you need to get
them to understand how this program will help.
Cost avoidance is typically a difficult sell, and stating that it is mandatory
for regulatory compliance is about the same.
Instead help them understand that this program will help lead to a more
secure product/service. This increased
posture can be used as a competitive advantage.
Now that your executive team is starting to support you make
sure you understand from their point of view what is the most critical systems
that need to be protected. Build the
critical systems into your plan and agree to a scope and timing. Just don’t forget to keep them updated as to
progress and any potential roadblocks as you progress.
Documenting
Formally documenting your project plan is a great way to
hold yourself accountable and be able to show progress. The documented project plan can be provided
to executive management to provide updates as to the progress of the project,
or show roadblocks and issues in which you need their support.
Next up… reviewing and selecting tools
