
Vulnerability Management Maturity Part Four: First Came the Sprint, Now the Marathon.

Sep 17, 2020
Jason Rolleston
Chief Product Officer


So there you are, the head of a successful vulnerability management program that has driven your company’s risk scores to a level that is both manageable and acceptable. 

It’s been smooth sailing for the past year, and the days of chaos are but a memory. And then, all of a sudden, the risk score jumps. 

What happened? 

One thing is for sure: your organization didn’t change. The outside world did. 

Welcome to the final stage of modern vulnerability management maturity.

A recap of the journey so far

In the three earlier parts of this series, we’ve discussed the state of chaos that all organizations face at the beginning of the vulnerability management journey. Most organizations are trying to tackle an impossible number of vulnerabilities without the tools or the data to meaningfully reduce risk. They use CVSS as a proxy for danger, even though that score was never designed to measure it. And there are widespread arguments between IT operations and security over which issues to patch first, and how much time to devote to patching. 

In the third stage of vulnerability management maturity, your organization has begun using a tool – preferably Kenna.VM – that harnesses machine learning and big data analytics to identify the vulnerabilities that pose the most significant risk to your organization. Your organization is not only prioritizing the riskiest vulnerabilities, but also identifying those that are likely to become dangerous in the future. You are slightly ahead of the curve, and your risk score reflects that. Better still, IT and security are getting along, because there’s no real argument over which mitigation measures you need to take. The data is there, and it’s not really up for debate.

Re-align to remediation velocity

Now, in the fourth and final stage, managers need to re-align their thinking, away from risk scores and toward a new idea: remediation velocity. 

Here’s the idea: new vulnerabilities pop up every day. Most are harmless. Occasionally, something really dangerous is released into the wild. It doesn’t happen often, but we see it. Many recent examples stem from the release of vulnerabilities that are easily exploitable or already have exploits available.

The best cybersecurity teams in the world are still only playing defense. They can’t control what malicious actors do. 

And so, every once in a while, the scores jump. It’s nobody’s fault. 

Risk-based SLAs

But you are responsible for how your organization reacts to these situations. That’s the thinking behind Kenna’s new risk-based SLAs. Risk-based SLAs enable organizations to use data to establish an appropriate speed of response to new, high-risk vulnerabilities. 

Risk appetites are divided into three categories. The first is for companies that are content to remediate as fast as their peers. The second is for companies that want to be leaders in their sector. The third is for organizations with the least tolerance for risk: companies that want their remediation speed to exceed threat actors’ ability to weaponize vulnerabilities.

Our research backs up the idea that SLAs are an important contributor to maturity and effectiveness. Programs that set firm remediation deadlines for high-risk vulnerabilities tend to patch them faster.
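The post describes remediation velocity and risk-based SLAs in words only. As an added illustration (this is not Kenna.VM code, and the SLA windows, the 0–100 risk scale and the high-risk cut-off are assumed placeholders, not Kenna’s published figures), the following Python measures both against a set of constructed findings: median days-to-close for high-risk findings, and SLA compliance under each of the three risk-appetite tiers, where a finding that is still open past its deadline counts as a breach rather than disappearing from the metric.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Optional

# Assumed SLA windows in days per risk-tolerance tier. Placeholder values
# for illustration only, not Kenna's published SLA figures.
SLA_DAYS = {
    "peer": 45,    # content to remediate as fast as sector peers
    "leader": 21,  # want to lead the sector
    "outrun": 7,   # want to beat attackers' time-to-weaponize
}

# Assumed risk-score cut-off (0-100 scale) at or above which a finding
# counts as high risk and starts the SLA clock. Placeholder value.
HIGH_RISK_THRESHOLD = 67


@dataclass
class Finding:
    finding_id: str
    risk_score: int
    discovered: date
    closed: Optional[date] = None  # None means the finding is still open


def is_high_risk(f: Finding) -> bool:
    return f.risk_score >= HIGH_RISK_THRESHOLD


def days_open(f: Finding, as_of: date) -> int:
    """Days from discovery to closure, or to `as_of` if still open."""
    end = f.closed or as_of
    return (end - f.discovered).days


def sla_deadline(f: Finding, tier: str) -> date:
    return f.discovered + timedelta(days=SLA_DAYS[tier])


def sla_status(f: Finding, tier: str, as_of: date) -> str:
    """Classify one finding against the tier's SLA window."""
    deadline = sla_deadline(f, tier)
    if f.closed is not None:
        return "met" if f.closed <= deadline else "breached"
    return "open_in_window" if as_of <= deadline else "open_breached"


def remediation_velocity(findings, as_of: date) -> Optional[float]:
    """Median days-to-close across high-risk findings that have been closed.

    Returns None when no high-risk finding has been closed yet.
    """
    durations = [days_open(f, as_of) for f in findings
                 if is_high_risk(f) and f.closed is not None]
    return median(durations) if durations else None


def sla_compliance(findings, tier: str, as_of: date) -> dict:
    """Count high-risk findings by SLA status and compute a compliance rate.

    Open findings already past their deadline are counted as breaches, so an
    unaddressed backlog lowers the rate instead of hiding from it. Open
    findings still inside the window are reported but not yet scored.
    """
    counts = {"met": 0, "breached": 0, "open_in_window": 0, "open_breached": 0}
    for f in findings:
        if is_high_risk(f):
            counts[sla_status(f, tier, as_of)] += 1
    decided = counts["met"] + counts["breached"] + counts["open_breached"]
    rate = counts["met"] / decided if decided else 1.0
    return {**counts, "compliance_rate": round(rate, 3)}


# Constructed sample findings (not real scan data).
AS_OF = date(2020, 9, 17)
SAMPLE = [
    Finding("F-1", 92, date(2020, 8, 1), date(2020, 8, 10)),  # high risk, closed in 9 days
    Finding("F-2", 75, date(2020, 8, 1), date(2020, 9, 5)),   # high risk, closed in 35 days
    Finding("F-3", 80, date(2020, 9, 1)),                     # high risk, open 16 days
    Finding("F-4", 70, date(2020, 7, 1)),                     # high risk, open 78 days
    Finding("F-5", 30, date(2020, 8, 1), date(2020, 8, 2)),   # low risk, outside the SLA
]

if __name__ == "__main__":
    print("median days-to-close (high risk):", remediation_velocity(SAMPLE, AS_OF))
    for tier in SLA_DAYS:
        print(tier, sla_compliance(SAMPLE, tier, AS_OF))
```

Running it on the sample set shows the same backlog scored three ways: the peer tier reports two findings met and one open breach, the leader tier turns the 35-day closure into a breach, and the outrun tier breaches everything, which is the trade-off a risk-appetite choice makes explicit.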

The fourth stage of a mature vulnerability management program is marked by a few characteristics. In most cases, IT operations can serve themselves. Security teams focus on reporting, oversight of mitigation efforts, and handling exceptions. Incentives also shift to include SLAs and overall risk scores. 

Mature vulnerability management programs are stable and enduring. Because of this, the methods and metrics for evaluating the programs shift. But whatever stage your program is in, success – and sanity – are possible.

To learn more about Modern Vulnerability Management and see where you are on the maturity curve, talk to one of our experts.


© 2020 Kenna Security. All Rights Reserved. Privacy Policy.