Why are Some Vulnerability Management Programs More Successful than Others?

I was fortunate to host a webcast earlier this week and hear the always entertaining Bill Olson share ideas on why some vulnerability management (VM) programs are more successful than others.

To watch the whole event (it’s about an hour long), check out the recording on our website.

I will recap a few of Bill’s themes here and will also share some insightful comments from the audience. We can learn as much from the audience as from the event speaker!

Successful vulnerability management programs have a known goal

A central theme in Bill’s webcast was the importance of having a specific and stated goal for your vulnerability management program and knowing how you will measure and present it. The goal might be related to risk or threat management, or it could be a goal to keep security patch auditing at a certain level. A goal helps everyone who is part of the VM program understand the purpose of their program. Knowing how it will be measured helps team members focus and prioritize.

It's important to have a specific and positive goal for your vulnerability management program

One of Bill’s stories emphasized setting positive goals. For obvious reasons, many VM programs are measured by the number of open vulnerabilities that are getting fixed. Many organizations have a “wall of shame” for the departments that have the most open vulnerabilities. Bill shared a story about a company that had a different “hall of fame” approach. Once the company got to a million fixed vulnerabilities, they had a party to celebrate that milestone (it was a big company). It took them almost a year to get to their first party. That first party went over so well that a second party happened just six months later. Now they have a party every month, which means that people are celebrating more—and most importantly—more vulnerabilities are being addressed so the organization is more secure.

What makes programs work?

Vulnerability management isn’t just a tool that you can put in place. Bill outlined four important elements that all need to work for a program to be successful.

People

There are many stakeholders in a VM program—not just security. There are auditors, managers, developers, systems administrators, executives and more. Each group has different needs. Take the operations team: they are measured by uptime and they speak the language of patches. But the security team usually asks them to reboot and send reports about vulnerabilities. It’s no wonder that those groups are often in conflict. In a successful vulnerability management program, the needs of different groups must be balanced.

In a successful vulnerability management program, the needs of different groups must be balanced

One participant named Chad had a relevant comment here. He pointed out that “business ownership and participation are most important.” All the stakeholders in the VM program need to feel that they are contributing to the success of the program, and that they are not just passive bystanders.

Process

Process is very much about the “hows”: how often do you scan, how often do you report, how do you prioritize? As participant Steven pointed out, “If you have a well-defined (and effective) process that is agreed upon by the stakeholders, then the other issues will take care of themselves.”

VM processes must be in sync with the rest of the business

One of Bill’s key points was that the VM processes must be in sync with the rest of the business. For example, if your patching policy is to patch within 30 days after an update is released, yet on every patch Tuesday the security team sends reports about systems with vulnerabilities, the other teams may feel like they’ll never “win” the patching battle. A better method would be for the security team to report items that are beyond the 30 day limit. This is more logical and focuses the organization on processes that could be going wrong.

Security

Security is an important element in a VM program because security can provide the context for all the vulnerability data collected by the VM tools. As participant Glenn noted, “You can be compliant with a relevant standard (PCI, HIPPA, NIST 800-53) but not be secure.”

Security can add value and focus to the VM program by helping the entire organization understand how vulnerabilities and risk fit together and if they balance each other.

Politics

The politics of stakeholders working together (or not) in the VM program is critical. It takes work to find partners in the organization and to respect their priorities and concerns so that they can become effective participants in a VM program. As listener Bob observed, “Vulnerability management is hard, but I found that the politics has been the most important part. I recommend that everyone take the politics discussion very seriously.”

The politics of stakeholders working together in the VM program is critical

Managing politics in an organization is more of an art than a science. Bill’s advice was: don’t do it alone, be precise as possible with your information, and work to help others be part of the program.

Conclusion

In a final poll, we asked participants which of Bill’s four elements was the most important for a successful VM program. Dan’s response was the best: “That’s like asking what’s more important: your left arm or your kidney. They’re all important!”

Thanks to everyone who participated in the webcast and to Bill Olson for sharing his insights. Listen to the full webcast on our website.