How to Operationalize a Risk-based Approach to Vulnerability Management
When large enterprises like Equifax lose sensitive data because a known vulnerability was left unpatched, something clearly isn’t working. Cyber attackers continually evolve their tactics, and security organizations have to evolve right along with them.
At Kenna Security, we’re helping companies change the way they approach vulnerability management, and it all starts with a mindset. Instead of managing vulnerabilities, we talk about managing cyber risk. A risk-based vulnerability management (RBVM) approach shifts the focus away from quantity to criticality. Instead of thinking, “I’ll close X vulnerabilities this month and hope our risk goes down,” the organization knows which three vulnerabilities to close to reduce risk by 20%. Big difference, right?
Adopting a risk-based vulnerability management approach requires the ability to prioritize the vulnerabilities that pose the greatest risk to the organization. When you do this, amazing things start to happen:
- You can start measuring real risk and understand how best to reduce it.
- The executive team understands the company’s security posture and the resources required to enable continuous improvement.
- Security and remediation teams become more productive, as they can close fewer vulnerabilities while producing a greater reduction in risk.
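The contrast between "close as many vulnerabilities as possible" and "close the ones that carry the most risk" is easy to see on a small constructed data set. The following Python is an added illustration and is not Kenna Security's scoring model or code: the vulnerabilities, their identifiers, the exploit-likelihood and asset-criticality fields, and the simple risk formula (likelihood times criticality) are all assumptions made up for the example. It compares a count-based plan against a risk-based plan under the same remediation budget, and answers the "which few vulnerabilities get us to a target reduction" question from the text.

```python
"""Count-based vs. risk-based remediation ordering (constructed illustration).

Assumptions (not from the original post or any vendor model):
  risk(v) = exploit_likelihood * asset_criticality
  remediation_effort is measured in person-hours.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                # constructed label, not a real CVE identifier
    exploit_likelihood: float   # assumed 0..1 (e.g. from exploit intelligence)
    asset_criticality: float    # assumed 1..10 business weight of the host
    remediation_effort: float   # assumed person-hours to close it

    def risk(self) -> float:
        return self.exploit_likelihood * self.asset_criticality


# Constructed sample: a few high-risk findings plus many cheap, low-risk ones.
SAMPLE: List[Vuln] = [
    Vuln("V-001", 0.90, 10, 4),
    Vuln("V-002", 0.80, 9, 6),
    Vuln("V-003", 0.70, 8, 5),
    Vuln("V-004", 0.10, 2, 1),
    Vuln("V-005", 0.10, 2, 1),
    Vuln("V-006", 0.05, 3, 1),
    Vuln("V-007", 0.05, 1, 1),
    Vuln("V-008", 0.02, 2, 1),
    Vuln("V-009", 0.02, 1, 1),
    Vuln("V-010", 0.01, 1, 1),
]


def total_risk(vulns: List[Vuln]) -> float:
    return sum(v.risk() for v in vulns)


def _fill_budget(ordered: List[Vuln], budget_hours: float) -> List[Vuln]:
    """Take vulnerabilities in the given order while they fit the budget."""
    plan, spent = [], 0.0
    for v in ordered:
        if spent + v.remediation_effort <= budget_hours:
            plan.append(v)
            spent += v.remediation_effort
    return plan


def count_based_plan(vulns: List[Vuln], budget_hours: float) -> List[Vuln]:
    """Maximise the number of closed vulnerabilities: cheapest fixes first."""
    return _fill_budget(sorted(vulns, key=lambda v: v.remediation_effort), budget_hours)


def risk_based_plan(vulns: List[Vuln], budget_hours: float) -> List[Vuln]:
    """Greedy by risk removed per hour of effort (a knapsack heuristic)."""
    by_density = sorted(vulns, key=lambda v: v.risk() / v.remediation_effort, reverse=True)
    return _fill_budget(by_density, budget_hours)


def risk_reduction_pct(vulns: List[Vuln], closed: List[Vuln]) -> float:
    """Share of the total risk that closing `closed` removes, in percent."""
    return 100.0 * total_risk(closed) / total_risk(vulns)


def vulns_to_reach(vulns: List[Vuln], target_pct: float) -> List[Vuln]:
    """Smallest set of highest-risk vulnerabilities whose closure reaches target_pct."""
    chosen: List[Vuln] = []
    for v in sorted(vulns, key=lambda v: v.risk(), reverse=True):
        chosen.append(v)
        if risk_reduction_pct(vulns, chosen) >= target_pct:
            break
    return chosen


if __name__ == "__main__":
    budget = 10  # person-hours available this sprint (constructed)
    for name, plan in (("count-based", count_based_plan(SAMPLE, budget)),
                       ("risk-based", risk_based_plan(SAMPLE, budget))):
        ids = ", ".join(v.vuln_id for v in plan)
        print(f"{name:12s} closes {len(plan)} vulns ({ids}); "
              f"risk reduced by {risk_reduction_pct(SAMPLE, plan):.1f}%")
    need = vulns_to_reach(SAMPLE, 95)
    print(f"To cut risk by 95%, close {len(need)}: {[v.vuln_id for v in need]}")
```

With the constructed numbers, the count-based plan closes seven vulnerabilities for a risk reduction under 5%, while the risk-based plan closes two and removes over 70% of the risk: fewer tickets, more risk retired. The greedy ratio ordering is a heuristic, not an optimal knapsack solution, which is fine for prioritisation but worth knowing if the output feeds an SLA.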
Of course, if prioritizing vulnerabilities were easy, organizations wouldn’t be slogging through spreadsheets—or losing data via unpatched vulnerabilities. So how do you make it happen? This is the question we set out to answer in our newest white paper, How to Implement a Risk-based Approach to Vulnerability Management. We explain the three steps necessary for operationalizing cyber risk management:
Step 1: Establish meaningful metrics
Step 2: Integrate risk into operational processes
Step 3: Embrace opportunities to automate processes and become predictive
We hope you’ll download the white paper to learn more about implementing cyber risk management in your organization, because the old way of approaching vulnerability management—counting closed vulnerabilities—doesn’t cut it. It’s time for a new approach: risk-based vulnerability management, focused on the risk each vulnerability actually poses rather than on how many get closed.