How to Build an Effective Vulnerability Management Program

To manage vulnerabilities in your company effectively, it is worth going through several preparatory stages. It is necessary first to assess the IT infrastructure and current information security processes, identify the most dangerous types of vulnerabilities, determine the areas of responsibility of personnel, etc. Let’s figure out what questions you need to answer before implementing a vulnerability management program in an organization.

Software vulnerabilities, configuration errors, and unrecorded IT assets exist in any organization. Some of these issues are more dangerous from the point of view of information security, and some are less. But in any case, they open the way for attackers to the company’s internal infrastructure. You can reduce the number of potential and existing cybersecurity threats by building a vulnerability management program. This is a process that consists of several important steps:

As mentioned above, you cannot start a vulnerability management program “in a snap.” First, you need to do the “homework”: evaluate the information security infrastructure and processes that exist, understand how well the staff is trained, and choose a scanning tool and method. Otherwise, vulnerability management and vulnerabilities will exist separately from each other.

Assessment of Information Security Processes in the Company

The first step to effective vulnerability management is an assessment of business and information security processes. The organization can do this on its own or engage an external auditor.

When evaluating information security processes, it is worth answering the following questions:

Suppose the answers to these questions do not correspond to the actual state of affairs in the company. In that case, the assessment will turn out to be incorrect, and many errors will appear when implementing or refining the vulnerability management program.

For example, it is often the case that a company has a vulnerability management solution, but either it is not configured correctly, or there is no specialist who can effectively manage it.

Formally, vulnerability management exists, but in reality, part of the IT infrastructure is invisible to the tool and is never scanned, or the scan results are misinterpreted. Both gaps, unscanned assets and misread results, need to be identified and addressed before the program can be trusted.

Based on the audit results, a report should be generated that will clearly demonstrate how the processes in the company are arranged and what shortcomings they have at the moment.

Choosing a Scanning Tool

Today, there are several options for implementing vulnerability management. Some vendors offer self-service and simply sell the scanner. Others provide expert services. You can host scanners in the cloud or on company perimeters. They can monitor hosts with or without agents and use different data sources to replenish their vulnerability databases.

At this stage, the following questions should be answered:

Building Interaction Between Information Security and IT Teams

This is perhaps the most difficult stage, since it requires getting people to work together properly. As a rule, security specialists in an organization are responsible for information security, and the IT team is responsible for eliminating vulnerabilities. It also happens that IT and information security are the responsibility of one team or even one employee.

But this does not change the approach to distributing tasks and areas of responsibility, and sometimes it becomes clear at this stage that the current number of tasks is more than one person can handle.

As a result, a consistent and synchronous process of eliminating vulnerabilities should be formed. To do this, it is necessary to determine the criteria for transferring information about discovered vulnerabilities from the information security team to IT (that is, to form a data transfer method that is convenient for everyone).

In fact, the greatest problem is the absence of a good analyst who can competently audit news sources and prioritize vulnerabilities. News, security bulletins, and vendor reports often point out what vulnerabilities should be addressed first. In my experience, analysts should deal with the most dangerous vulnerabilities. All other work should be done automatically by processing patches received from software vendors.

Some types of vulnerabilities and attacks, such as zero-day attacks, are hard to detect. To effectively control all processes, at this stage of building a vulnerability management program, you need to discuss and agree on KPIs and SLAs for the IT and security teams.

For example, for information security, it is important to set requirements for the speed of vulnerability detection and the accuracy of determining their significance, and for IT, the speed of fixing vulnerabilities of a particular severity level.

Implementing a Vulnerability Management Program

After evaluating the effectiveness and availability of processes, deciding on a scanning tool, as well as regulating the interaction between teams, you can begin to implement a vulnerability management program.

At the initial stage, it is not recommended to use all the functions and modules available in the scanning tool. If there was no continuous vulnerability monitoring in the organization before, the information security and IT teams will most likely experience difficulties. This can lead to conflicts and non-compliance with KPIs and SLAs.

It is better to introduce vulnerability management gradually. You can go through an entire vulnerability management cycle (inventory, scanning, analyzing, eliminating) at a slower pace. For example, you can scan the whole infrastructure once a quarter and business-critical segments once a month.

In about a half year, your teams will be able to “work together,” find and fix the most critical vulnerabilities, understand the obvious flaws in the processes and provide a plan to eliminate these flaws.

Additionally, you can involve external experts who will help to significantly reduce the routine work for the company’s full-time employees. For example, a service provider can be involved in inventory and scanning and in processing the results. The service approach will also help managers plan work and monitor progress.

So, for example, if it is clear from the provider’s report that the vulnerabilities found during the previous scan have not been fixed, the manager, having looked at the SLAs of their employees, will understand that either the information security department does not have time to pass on the scan data, or the IT team does not have time to correct the identified issues.
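The check described above, comparing consecutive scan reports and measuring each finding's age against the severity-based SLA agreed between the teams, can be automated. The following Python script is an added example and is not code from the original article or from any scanning vendor. The SLA deadlines, host names and check IDs are constructed placeholders; real SLAs are whatever IT and security agree on, and the finding identifiers come from your own scanner.

```python
"""Track remediation SLAs across consecutive vulnerability scans (constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation deadlines in days per severity. The article says KPIs and
# SLAs must be agreed between the IT and security teams; these are placeholders.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    key: tuple                    # (host, check_id): one issue on one host
    severity: str
    first_seen: date              # SLA clock starts here
    last_seen: date
    fixed_on: Optional[date] = None


def update_findings(tracked, scan_results, scan_date):
    """Fold one scan run into the tracked findings.

    tracked: dict key -> Finding, state carried over from earlier scans
    scan_results: iterable of (host, check_id, severity) reported by this scan
    A finding absent from this scan is treated as fixed as of scan_date; one
    that reappears after being marked fixed is reopened with a fresh clock.
    """
    seen = set()
    for host, check_id, severity in scan_results:
        key = (host, check_id)
        seen.add(key)
        f = tracked.get(key)
        if f is None:
            tracked[key] = Finding(key, severity, scan_date, scan_date)
        else:
            f.last_seen = scan_date
            f.severity = severity
            if f.fixed_on is not None:        # regression: reopen the finding
                f.fixed_on = None
                f.first_seen = scan_date
    for key, f in tracked.items():
        if key not in seen and f.fixed_on is None:
            f.fixed_on = scan_date
    return tracked


def deadline(f):
    """Date by which the finding must be fixed under the severity SLA."""
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def sla_status(f, as_of):
    """One of: fixed_in_sla, fixed_late, open_in_sla, overdue."""
    d = deadline(f)
    if f.fixed_on is not None:
        return "fixed_in_sla" if f.fixed_on <= d else "fixed_late"
    return "open_in_sla" if as_of <= d else "overdue"


def sla_report(tracked, as_of):
    """Bucket every tracked finding by SLA status for a management report."""
    report = {"fixed_in_sla": [], "fixed_late": [], "open_in_sla": [], "overdue": []}
    for f in tracked.values():
        report[sla_status(f, as_of)].append(f.key)
    return report


# Constructed sample: three monthly scans of a business-critical segment.
# Hosts and check IDs are placeholders, not real assets or advisories.
SCANS = [
    (date(2022, 9, 1), [("db-01", "CHECK-A", "critical"),
                        ("web-01", "CHECK-B", "high"),
                        ("web-01", "CHECK-C", "medium")]),
    (date(2022, 10, 1), [("db-01", "CHECK-A", "critical"),
                         ("web-01", "CHECK-C", "medium"),
                         ("web-02", "CHECK-D", "high")]),
    (date(2022, 11, 1), [("web-01", "CHECK-C", "medium"),
                         ("web-02", "CHECK-D", "high")]),
]


def run_sample():
    tracked = {}
    for scan_date, results in SCANS:
        update_findings(tracked, results, scan_date)
    return sla_report(tracked, as_of=date(2022, 11, 1))


if __name__ == "__main__":
    for status, keys in run_sample().items():
        print(f"{status:13s} {keys}")
```

The sample shows the manager's view from the article: the critical finding on db-01 survived a second scan and was only gone by the third, so it is reported as fixed late; the high finding on web-02 is already past its 30-day deadline and is overdue. Note that the scan cadence bounds the precision of the fix date, since a finding is only known to be fixed at the next scan that no longer reports it, which is one reason the article suggests scanning business-critical segments monthly rather than quarterly.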


When building a vulnerability management program, a company may encounter the following mistakes:

Therefore, it is better to first “lay the foundation” and only after that start building the vulnerability management program.

How to Build an Effective Vulnerability Management Program was originally published on Nov. 19, 2022, by Alex Vakulov. Featured Image: Christina Morillo; Thank you!
