Despite numerous groups and publications showing the importance of vulnerability management and preplanning, many organizations still do not have a program in place, or the programs they have are informal and incomplete. Top security leaders have said that vulnerability management should not be handled on an as-needed basis; it should be pre-planned, practiced and continuously updated. Below are some steps for starting your own program on a strong foundation.
Create a team
Your first step is to build a team with the right people to manage the program. The team should of course include IT and security focused employees, but you should also include people who can speak to the importance and impact of the program on the organization.
Keeping an asset inventory that is constantly updated is a key element of starting the program and making it successful. The inventory has to be as current and comprehensive as possible. This part can be complicated because of the nature of today's environments: there are physical assets, remote employees, the cloud and more.
Focus on visibility
Now that the asset inventory is in place, you should familiarize yourself with the connectivity within the environment and have full visibility of its processes. Another important aspect of a strong and secure vulnerability management program is knowing everything about your environment from the start, so that anything abnormal is immediately recognizable and dealt with.
Vulnerability scanning is another element considered an important part of the program's foundation. However, experts say a majority of organizations running vulnerability scans are not doing so aggressively enough. If you aren't scanning aggressively enough, you may fail to detect missing patches, weak configurations and more.
The best vulnerability management programs have established workflows that detail all of the processes and who is responsible for what. Larger organizations usually have someone who takes on each role full time, but midsize and small organizations either cannot dedicate someone to each aspect or don't think they need to. However, these organizations should still make accountability for each process a part of someone's job.
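One way to tie the asset inventory, scan coverage and accountability together is to reconcile the inventory against scanner output on a schedule. The following is an added example, not code from the original article; the hosts, owners and scan dates are constructed sample data, and the 30-day maximum scan age is an assumed policy value.

```python
from datetime import date, timedelta

# Constructed sample asset inventory: hostname, accountable owner, environment.
INVENTORY = [
    {"host": "web-01", "owner": "appsec", "env": "onprem"},
    {"host": "vpn-gw", "owner": "netops", "env": "onprem"},
    {"host": "laptop-jdoe", "owner": None, "env": "remote"},
    {"host": "api-prod", "owner": "platform", "env": "cloud"},
]

# Constructed sample scanner output: last completed scan per host.
SCAN_RESULTS = [
    {"host": "web-01", "scanned": date(2024, 5, 20), "findings": 3},
    {"host": "vpn-gw", "scanned": date(2024, 3, 2), "findings": 0},
    {"host": "api-prod", "scanned": date(2024, 5, 28), "findings": 1},
    {"host": "db-legacy", "scanned": date(2024, 5, 28), "findings": 7},
]


def coverage_report(inventory, scans, today, max_age_days=30):
    """Reconcile the inventory against scan results and return the gaps:
    assets never scanned, scans older than max_age_days (assumed policy),
    scanned hosts missing from the inventory, and assets with no owner."""
    last_scan = {s["host"]: s["scanned"] for s in scans}
    known = {a["host"] for a in inventory}
    cutoff = today - timedelta(days=max_age_days)
    return {
        "never_scanned": sorted(a["host"] for a in inventory if a["host"] not in last_scan),
        "stale": sorted(h for h, d in last_scan.items() if h in known and d < cutoff),
        "unknown_to_inventory": sorted(h for h in last_scan if h not in known),
        "no_owner": sorted(a["host"] for a in inventory if not a["owner"]),
    }


def sample_report():
    """Run the reconciliation over the constructed data as of 2024-06-01."""
    return coverage_report(INVENTORY, SCAN_RESULTS, today=date(2024, 6, 1))


if __name__ == "__main__":
    for gap, hosts in sample_report().items():
        print(f"{gap}: {', '.join(hosts) or '-'}")
```

Each category maps to an action item with a named owner: an unknown host means the inventory is incomplete, a stale or never-scanned host means scanning is not aggressive enough, and a missing owner means nobody is accountable for remediation.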