How to Operationalize a Risk-based Approach to Vulnerability Management

Mar 12, 2018
Sam Osborn


When large enterprises like Equifax lose sensitive data because a known vulnerability was left unpatched, something clearly isn’t working. Cyber attackers continually evolve their tactics, and security organizations have to evolve right along with them.

At Kenna Security, we’re helping companies change the way they approach vulnerability management, and it all starts with a mindset. Instead of managing vulnerabilities, we talk about managing cyber risk. A risk-based vulnerability management (RBVM) approach shifts the focus away from quantity to criticality. Instead of thinking, “I’ll close X vulnerabilities this month and hope our risk goes down,” the organization knows which three vulnerabilities to close to reduce risk by 20%. Big difference, right?

Adopting a risk-based vulnerability management approach requires the ability to prioritize the vulnerabilities that pose the greatest risk to the organization. When you do this, amazing things start to happen:

  • You can start measuring real risk and understand how best to reduce it.
  • The executive team understands the company’s security posture and the resources required to enable continuous improvement.
  • Security and remediation teams become more productive, as they can close fewer vulnerabilities while producing a greater reduction in risk.

Of course, if prioritizing vulnerabilities was easy, organizations wouldn’t be slogging through spreadsheets—or losing data via unpatched vulnerabilities. So how do you make it happen? This is the question we set out to answer in our newest white paper, How to Implement a Risk-based Approach to Vulnerability Management. We explain the three steps necessary for operationalizing cyber risk management:

Step 1: Establish meaningful metrics

Step 2: Integrate risk into operational processes

Step 3: Embrace opportunities to automate processes and become predictive

We hope you’ll download the white paper to learn more about implementing cyber risk management in your organization, because the old way of approaching vulnerability management—counting closed vulnerabilities—doesn’t cut it. It’s time for a new approach: risk-based vulnerability management.
