Skip to main content

Vulnerability Management… It’s easy - Planning

I am sure you have had either consultants, vendors, or heard at a conference that vulnerability management is foundational security control.  While I agree that it is an essential control, I also understand that it is challenging to implement.  Vulnerability management is not just to pick a tool, scan, and fix issues.  Many components make it a complicated journey.  This series will attempt to help break it down and give you ideas on how this complex service and be delivered effectively. 

 

Planning

 

Objective

When you start, I recommend creating a targeted objective and set of measures against your objective.  Ensure that you keep in mind your organization’s culture, politics, and risk appetite as you are developing your objective.  I have seen some target just “critical” systems for regulatory compliance, whereas others have targeted their entire enterprise.  No matter your scope, keep in mind your team’s current resource load, as standing up a vulnerability management program is resource-intensive at first.  In the example of scoping your vulnerability management program to the entire enterprise, break it down into smaller actionable pieces.  Smaller actionable pieces will allow you to show continual progress as you build your complete vulnerability management program.  To give you some ideas, limit scopes to a zone, subnet, or system.  Don’t try to tackle everything at once.  That often leads to frustration and failure.

 

For instance, talk to your business customers and understand what they perceive as their most critical systems.  Understand from their point of view what needs to be protected, this will help you later when you are seeking their approval, or buy in. 

 

Socializing

I have seen lots of projects fail because of lack of buy in.  For most a vulnerability management program is telling system owners how ugly their system is and that it may cost more money to fix it, or make it prettier.  To help make your program a success you should get as much executive buy in as possible.  To do this, you need to get them to understand how this program will help.  Cost avoidance is typically a difficult sell, and stating that it is mandatory for regulatory compliance is about the same.  Instead help them understand that this program will help lead to a more secure product/service.  This increased posture can be used as a competitive advantage.

Now that your executive team is starting to support you make sure you understand from their point of view what is the most critical systems that need to be protected.  Build the critical systems into your plan and agree to a scope and timing.  Just don’t forget to keep them updated as to progress and any potential roadblocks as you progress. 

 

Documenting

Formally documenting your project plan is a great way to hold yourself accountable and be able to show progress.  The documented project plan can be provided to executive management to provide updates as to the progress of the project, or show roadblocks and issues in which you need their support. 

 

Next up… reviewing and selecting tools

Popular posts from this blog

Winning the Room: How to Gain and Keep Executive Support

Blog Series: Your First 90 Days as a CISO Post 4 of 4 A Plain-English Guide for New, Aspiring, and Future Security Leaders Here's a truth that many talented security professionals discover too late: you can be technically brilliant, deeply experienced, and genuinely committed to protecting the organization — and still fail as a CISO if you don't have executive support. Security programs require funding. They require organizational authority. They require the ability to make decisions that sometimes create friction for other business units. They require the backing to hold lines when the pressure to cut corners for speed or convenience is intense. None of that happens without the support of the people at the top of the organization. And yet, earning and keeping executive support is exactly the area where security leaders most often struggle. The technical skills that make someone a great security professional don't automatically translate into the c...
Read more

Generative AI Governance: Using the NIST Framework to Build Trust, Reduce Risk, and Lead Secure AI Adoption

Generative AI has moved faster than nearly any technology security leaders have dealt with. Tools that can generate text, code, images, and data insights are now embedded into productivity platforms, security tooling, development workflows, and business operations—often before security teams are formally involved. For CISOs, this creates a familiar but amplified challenge: innovation is happening faster than governance, and unmanaged generative AI introduces material risk across confidentiality, integrity, availability, compliance, and trust. For aspiring information security professionals, AI governance represents a growing and valuable discipline where strategic thinking matters just as much as technical depth. The good news? We don’t need to invent governance from scratch. NIST’s AI Risk Management Framework (AI RMF) provides a practical, flexible structure that security leaders can use today to govern generative AI responsibly and defensibly. Why Generative AI Governance Matt...
Read more