Mistakes Companies Make When it Comes to Vulnerability Management
- Feb 21, 2013
- Guest Author
We observe a common misconception: companies believe they are doing “vulnerability management” when, more often than not, they are simply performing “vulnerability identification”. I came across an insightful article written by Mark Hatton in SecurityWeek titled “Three Mistakes Companies Make When it Comes to Vulnerability Management”. Below are my own observations and comments on the topic.
On a tactical basis, the day-to-day responsibility of meeting compliance requirements, running scans and applying fixes can be a surprisingly labor-intensive exercise. The whole process of “vulnerability identification” is often a job in and of itself. Identifying critical vulnerabilities and then not fixing them in a timely manner is a dangerous game: it leads to a false sense of security.
One of the surprising aspects of our work is that, for many of our customers, it is not a lack of information that keeps them from being secure. Instead, it is the internal process of finding and convincing the correct people in the company to get fixes applied. Depending on the company’s organizational structure, the team responsible for security may even be outside of the IT department. Vulnerabilities are identified and passed along to different groups with no clear sense of ownership for remediation.
One way to improve operational efficiency is to make it easier for the appropriate individuals, or teams, to collaborate on fixing security vulnerabilities. NopSec built an automated ticketing process into our software-as-a-service, Unified VRM, to help remediate issues quickly. Unified VRM also provides the flexibility to integrate seamlessly with existing Security Information and Event Management (SIEM) solutions. One of our customers was able to reduce the time it took to remediate critical vulnerabilities from weeks to hours. Even better, they continued on a positive trend of fewer vulnerabilities by integrating Unified VRM reports directly into their patch management system.
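The gap the two paragraphs above describe, findings that are identified but never assigned an owner or a deadline, is easiest to see in code. The following is an added example and not NopSec's Unified VRM or any of its integrations; it assumes a constructed asset-to-owner map, constructed per-severity SLA windows, and a handful of constructed scan findings (the plugin ids are placeholders). It turns findings into one ticket per asset-and-check, routes unowned assets to a triage queue instead of dropping them, treats a rescan that finds the same issue as evidence the ticket is still open rather than as a new ticket, and reports mean time to remediate and which tickets are past their SLA.

```python
"""Findings -> owned, deadlined tickets -> remediation metrics.

Added example; not NopSec code. Owners, SLA windows, plugin ids and the
findings below are all constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed: which team owns remediation for each asset. A finding with
# no owner on file is exactly the one that never gets fixed.
ASSET_OWNERS = {
    "web-01": "app-team",
    "db-01": "dba-team",
    "vpn-gw": "network-team",
}

# Constructed remediation deadlines, in days after discovery, per severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    asset: str
    plugin_id: str        # scanner check id (constructed placeholder values)
    severity: str
    discovered: datetime


@dataclass
class Ticket:
    ticket_id: str
    asset: str
    owner: str
    severity: str
    opened: datetime
    due: datetime
    closed: Optional[datetime] = None
    findings: List[Finding] = field(default_factory=list)


def open_tickets(findings: List[Finding],
                 owners: Dict[str, str] = ASSET_OWNERS,
                 sla_days: Dict[str, int] = SLA_DAYS) -> List[Ticket]:
    """One ticket per (asset, check). A rescan that reports the same issue is
    attached to the existing ticket as evidence it is still open, not opened
    again. Assets with no owner are routed to a triage queue."""
    tickets: Dict[tuple, Ticket] = {}
    for f in findings:
        key = (f.asset, f.plugin_id)
        if key in tickets:
            tickets[key].findings.append(f)
            continue
        owner = owners.get(f.asset, "security-triage")
        due = f.discovered + timedelta(days=sla_days[f.severity])
        tickets[key] = Ticket(f"VRM-{len(tickets) + 1:04d}", f.asset, owner,
                              f.severity, f.discovered, due, findings=[f])
    return list(tickets.values())


def close_ticket(ticket: Ticket, verified_fixed_at: datetime) -> None:
    """Close only when the fix has been verified (e.g. by a clean rescan)."""
    ticket.closed = verified_fixed_at


def remediation_report(tickets: List[Ticket], now: datetime) -> dict:
    """Mean time to remediate (hours) over closed tickets, tickets past their
    SLA, and the open backlog per owner."""
    closed = [t for t in tickets if t.closed is not None]
    overdue = [t for t in tickets if t.closed is None and now > t.due]
    mttr = None
    if closed:
        total = sum((t.closed - t.opened).total_seconds() for t in closed)
        mttr = total / 3600 / len(closed)
    open_by_owner: Dict[str, int] = {}
    for t in tickets:
        if t.closed is None:
            open_by_owner[t.owner] = open_by_owner.get(t.owner, 0) + 1
    return {"mttr_hours": mttr,
            "overdue": [t.ticket_id for t in overdue],
            "open_by_owner": open_by_owner}


# Constructed scan output: one owned critical, one owned high, one critical on
# an asset nobody owns, and a rescan a week later that re-reports the first.
T0 = datetime(2013, 2, 1, 9, 0)
SAMPLE_FINDINGS = [
    Finding("web-01", "10001", "critical", T0),
    Finding("db-01", "10002", "high", T0),
    Finding("legacy-box", "10003", "critical", T0),
    Finding("web-01", "10001", "critical", T0 + timedelta(days=7)),
]


def demo():
    tickets = open_tickets(SAMPLE_FINDINGS)
    # app-team verifies the web-01 fix 36 hours after discovery.
    close_ticket(tickets[0], T0 + timedelta(hours=36))
    return tickets, remediation_report(tickets, T0 + timedelta(days=10))


if __name__ == "__main__":
    for t, in zip(demo()[0]):
        print(t.ticket_id, t.asset, t.owner, t.severity, "due", t.due.date())
    print(demo()[1])
```

Ten days in, the report shows a 36-hour MTTR for the one closed ticket, the unowned "legacy-box" critical already past its 7-day SLA in the triage queue, and the remaining backlog broken down by owner; that per-owner view is the piece that turns a scan result into something a specific team can be held to.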
When you are ready to take the first step toward true “vulnerability management”, please read NopSec’s Best Practices Guide: Vulnerability Management.