{"id":2579,"date":"2025-04-02T06:00:00","date_gmt":"2025-04-02T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2579"},"modified":"2025-04-02T06:00:00","modified_gmt":"2025-04-02T06:00:00","slug":"10-best-practices-for-vulnerability-management-according-to-cisos","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2579","title":{"rendered":"10 best practices for vulnerability management according to CISOs"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>It was 2003, and I was giving my first cybersecurity presentation at an industry conference in Chicago. I talked about the onslaught of <a href=\"https:\/\/www.csoonline.com\/article\/565999\/what-is-malware-viruses-worms-trojans-and-beyond.html\">worms and viruses<\/a> at the time (MSBlast, SQLSlammer, etc.), and stressed the importance of strong vulnerability and patch management to the audience.<\/p>\n<p>When it came time for the Q&amp;A, an audience member summarized his predicament and posed a very poignant question: \u201cWe have thousands of vulnerabilities at any one time. How do we figure out which ones to prioritize?\u201d<\/p>\n<p>I responded with a generic answer along the lines of \u201cprioritize based on known threats to your organization,\u201d or \u201cprioritize based on the business criticality of the asset.\u201d It was accurate, but vague. Fast forward more than 20 years, and the audience member\u2019s predicament and question still vex many organizations.<\/p>\n<p>What has changed, however, is the scale of the problem. In 2003, enterprise organizations had thousands of active vulnerabilities. Now they face hundreds of thousands or more. 
Meanwhile, many organizations have the same challenges they did years ago \u2014 a lack of experienced staff, manual processes, misaligned goals between security and other teams (IT ops, software development), and more.<\/p>\n<p>Since modern enterprises run on software, poor vulnerability management represents a serious business risk. So, how are CISOs modernizing their programs to improve risk mitigation? Over the past several months, I spoke to a dozen security executives to find out. While I have pages and pages of written notes on the subject, their answers boiled down to 10 best practices.<\/p>\n<h2 class=\"wp-block-heading\">10 consistent best practices in managing vulnerabilities<\/h2>\n<h3 class=\"wp-block-heading\">1. Culture<\/h3>\n<p>Achieving a successful vulnerability management program starts with establishing a cybersecurity-minded culture across the organization. Many CISOs admitted to facing historical cultural problems, with one summing it up well. \u201cOur cybersecurity culture was pretty laissez-faire until we got hit with <a href=\"https:\/\/www.csoonline.com\/article\/571797\/the-apache-log4j-vulnerabilities-a-timeline.html\">Log4J<\/a> and then a ransomware attack,\u201d he told CSO. \u201cThese events were an awakening for the CEO and board. That\u2019s when they hired me, adjusted the budget, and committed to doing what needed to be done.\u201d Improving vulnerability management was a top priority in this cultural transition.<\/p>\n<h3 class=\"wp-block-heading\">2. Documentation<\/h3>\n<p>Most CISOs agreed that all phases of vulnerability management should be well documented, assessed, and reviewed. This is an important admission that there is no quick fix to longstanding vulnerability management woes.<\/p>\n<p>Rather, organizations must dig into each phase of the vulnerability management lifecycle, look for inefficiencies, devise strategies for improvement, and define the right metrics to measure progress. 
CISOs also understand that there is no endgame here, but having a dependable record encourages continuous iterative improvement in all phases, all the time.<\/p>\n<h3 class=\"wp-block-heading\">3. Establish processes<\/h3>\n<p>Most of the CISOs I spoke with borrowed heavily from existing frameworks but customized them to their business, industry, and organizational needs. Once instituted, standard vulnerability management processes can be rolled out across an enterprise and monitored for continuous improvement.<\/p>\n<p>One CISO mentioned that her organization has taken this a step further \u2014 following an acquisition, the security team has a canned program that will transform the acquired company\u2019s vulnerability management program to fit its established model, complete with metrics to gauge progress.<\/p>\n<h3 class=\"wp-block-heading\">4. Define what security data is necessary<\/h3>\n<p>To be clear, this isn\u2019t a technology inventory exercise \u2014 at least not at first. CISOs assess what data they have and compare this to what data they need. Armed with this knowledge, they can then assign staffers to find technologies to fill the gaps.<\/p>\n<h3 class=\"wp-block-heading\">5.\u00a0Embed integration into vulnerability management<\/h3>\n<p>Once again, this is an academic rather than a technology project. It starts by looking into who needs what data and establishing where it comes from. Once individuals receive the right data, what do they do with it? Assuming all of this goes well, do data analytics trigger automated or manual actions? After mapping all the \u201cgoes into\u201d and \u201cgoes out of\u201d components, CISOs often bring in vendor partners for a look-see. The goal? Get them onboard with the necessary connectors, APIs, and data formats to turn design into reality.<\/p>\n<h3 class=\"wp-block-heading\">6. Determine the right metrics for prioritization<\/h3>\n<p>This directly addresses the question posed to me in 2003. 
It\u2019s also where vulnerability management meets exposure management, and it\u2019s all about context. What is the business value of a vulnerable asset? Is a vulnerable asset on the attack path? Is there a compensating control in place? Has the compensating control been tested recently?<\/p>\n<p>I know this seems like an obvious step, but the CISOs I spoke with have codified (or plan on codifying) this and more inputs into a customized risk-scoring system that anchors the whole enchilada.<\/p>\n<h3 class=\"wp-block-heading\">7. Create SLA discipline<\/h3>\n<p>The prioritization hierarchy is married to strict service-level agreements (SLA) across security, IT, software development, and third-party risk management teams. Exceptions are rare. Many organizations also have formal review processes when teams miss SLA deadlines. Again, continuous improvement is required here.<\/p>\n<h3 class=\"wp-block-heading\">8. Develop an emergency patching program<\/h3>\n<p>Events like Log4Shell and <a href=\"https:\/\/www.csoonline.com\/article\/3578782\/four-firms-charged-fined-over-handling-of-solarwinds-hack-disclosures.html\">SolarWinds<\/a> were wake-up calls, as many CISOs learned how unprepared their organizations were for this type of emergency event. This realization caused CISOs to create, staff, and test incident response plans designed specifically for these types of incidents.<\/p>\n<p>As one CISO said, \u201cWhile I was proud of how we responded to past events, several team members were burnt out for weeks, and we had a spike in attrition. Rather than rely on heroes, we needed a systematic program we could count on. I hope there\u2019s no \u2018next time,\u2019 but if there is, we\u2019re better prepared.\u201d<\/p>\n<h3 class=\"wp-block-heading\">9. 
Align goals, metrics, and compensation across diverse teams<\/h3>\n<p>Vulnerability management depends upon a cross-functional team with strong communication, consistent metrics, and common goals \u2014 this is the people part.<\/p>\n<p>It starts with the commitment to a cybersecurity culture discussed above, but CISOs I spoke with also worked with CIOs, line-of-business managers, and human resources folks to create the right workflows, automations, reports, messaging, and even employee compensation benefits to motivate cooperation across disparate groups and individuals. Security becomes far more effective when CISOs regularly team up with CIOs to uncover bottlenecks and review progress.<\/p>\n<h3 class=\"wp-block-heading\">10. Reinforce VM with continuous efficacy testing<\/h3>\n<p>Years ago, I created an awkward acronym, SOPV, which stood for security observability, prioritization, and validation. The acronym never caught on, but the CISOs I spoke with have accepted (or are accepting) the notion of continuous security validation testing.<\/p>\n<p>Of course, verification is one of the phases of the vulnerability management lifecycle, so what\u2019s changed? Many firms have moved from periodic penetration testing to continuous security testing with new tools or managed services. MITRE calls this a threat-informed defense. In this way, organizations not only verify vulnerability remediation, but they also test control efficacy and provide a blueprint for detection rule engineering.<\/p>\n<p>CISOs had many other war stories and recommendations, but these 10 were fairly common regardless of organizational size, location, or industry.
I\u2019ll conclude by reporting on one other commonality: to use a frequent cybersecurity analogy, CISOs realize that strong vulnerability management is a non-linear journey, not a destination.<\/p>\n<p>In other words, you are never finished with anything, but rather always looking to improve every step and individual task along the way. There is always a lot of work to be done, but that\u2019s the reality when you\u2019re protecting a modern enterprise.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>It was 2003, and I was giving my first cybersecurity presentation at an industry conference in Chicago. I talked about the onslaught of worms and viruses at the time (MSBlast, SQLSlammer, etc.), and stressed the importance of strong vulnerability and patch management to the audience. When it came time for the Q&amp;A, an audience member [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2580,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2579","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2579"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2579"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2579\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2580"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.p
hp?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2579"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2579"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2579"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}