Blog | Holm Security

Vulnerability Management: 5 Essential Steps

Written by Stefan Thelberg | Feb 5, 2021 1:27:45 PM

1. Automation & Continuity

It’s important to understand that Vulnerability Management is an ongoing and never-ending process. Most organizations don’t have the resources to work on an ongoing basis, so automation is a key function.

  • Create an automated work process, including having automated and continuous scans run in the background.
  • Automation creates systematic work, which helps you in your proactive everyday security strategy.

2. Risk-Based Approach

Risk-based vulnerability management (RBVM) allows you to understand vulnerability threats in context to their potential business impact. We suggest you keep it simple and instead look at the basic metrics.

  • Prioritize vulnerabilities based on basic metrics. It’s not always productive to consider every parameter. Focus on high-risk vulnerabilities - low effort to remediate first and work your way down. 

  • Work with simple metrics to weigh your vulnerabilities, like CVSS (Common Vulnerability System Score), exploitability in combination with how critical a system is for your organization.

3. Ambition Level

If you put the ambition level too high, Vulnerability Management might become a disappointment. Vulnerability Management is an ongoing and never-ending process.

  • The first step is to get insight into and understanding about the risks you're facing. Just understanding the threats that you face is a huge step for many organizations.
  • We recommend the Q10 work process - identify the 5-10 most critical vulnerabilities that should be solved during the upcoming quarter.

4. Involve & Engage

You’ll be more successful together. Don’t make Vulnerability Management a one-person show. Cooperation is key.

  • Involve system owners, development team, CISO, IT manager, etc., and let them do their part.

5. Integration

Depending on how far you've come in your cyber security process, you might want to integrate with other tools and products in your ecosystem.

  • Integrate with other systems that you or your outsourcing partner is working with, for example, SIEM or ticketing solutions. If it’s not integrated today - it'll be in the future.

6. The Users

You're only as strong as your weakest link. Even the most well-protected systems in the world won't do you any good if your users put you at risk. Historically, most organizations have focused on protecting systems but forgot about the user.

  • Keep your users aware and resilient through simulation of social engineering together with tailored and automated awareness training. Build your human firewall.
  • Keep your users up to date with the constantly shifting and evolving threats through repeating simulations and awareness efforts.
View full post