What is a vulnerability management program, anyway?

A vulnerability management program (VMP) is used to identify and manage weaknesses within an organization that could be used to exploit or gain access to the company’s computers and stored data.

Companies must understand that a VMP is much more than just patch or inventory management. While these elements are crucial to a good VMP, even more critical to the program are the employees. 

Why are employees so critical to the success of a VMP?

By training employees not to click on suspicious email links, open unknown documents, or even allow someone to enter a secure area without badging in, companies can go a long way to minimize potential vulnerabilities within the organization.

I often think of the “In this corner we have Dave” cartoon. We all have good intentions and a desire to be effective. Without proper education, our intentions often lead us to very vulnerable places.

In the “User Dave” scenario, you have to educate employees on issues like phishing and things like not letting somebody tailgate and walk into the building behind you. Because at the end of the day, the best tools in the world aren’t going to defeat Dave, who may leave his laptop open as he’s picking up his coffee at Starbucks while he’s VPN’d into the network.

It’s really about the education.

There should be an understanding among employees about why it’s important to accept that patch, why it’s important to have VPN on when you’re at Starbucks, and why you should, at the very least, lock your computer if you’re going to walk away from your laptop.

Where do I even start in developing a VMP?

Start with the NIST cybersecurity framework. If you really peel back the onion on the cybersecurity framework, it’s not about telling you that you must have VPN, or a password that’s 12 pages long and you must change it every 90 days. It’s a tool for you to start getting your organization to ask questions.

For example, how do we feel about this type of vulnerability and how are we doing perimeter management? How are we securing PII and things of that nature?

So if I were going to start anywhere, it would be the higher level of the NIST cybersecurity framework. And then once you’ve gone through that, you can score yourself on where you are risky and where are you not risky. Are you doing patch management and are you rolling it out at the appropriate time?

Then you’ll hopefully have a grasp on the posture of your risk tolerance and can find a program that works for your organization.

That’s where I think the VMP falls into place. If your risk tolerance isn’t matching up to your perceived level of protection, then you need to start looking into how to protect yourself.

Essentially, you need to ask yourself how to best assess your vulnerability management to ensure that you can put your head on your pillow and sleep at night.


Why is it important for an organization to have a VMP?

Without a VMP, it would be difficult for an organization to determine its posture on cybersecurity risk.

Because without the vulnerability management program, everything else becomes a shot in the dark.

Which elements are a must to include in your VMP?

I can’t stress enough the importance of training everyone connected to the organization, which includes full-time employees, contractors, receptionists, and C-level staff.

But it is also critical to understand the true state of every device connected to your environment.

For instance: How out of date are the browsers being used in your networks? What are employees using multimedia software platforms for? What happened to that laptop that was issued two years ago to the employee who is no longer working for you?

Finally, include an “end of life” strategy for everything and review it regularly. It includes devices, software, cloud service providers, VMPs, etc. Don’t just assume that once you have started a program that everyone is on board and it will be executed properly tomorrow. It needs constant maintenance.

Which company departments should be involved in creating the VMP?

At a high level, to get the proper buy-in for a successful VMP you need stakeholders from HR, legal, governance, IT Ops, security and the C-staff. Buy-in needs to come from the top and be demanded of everyone throughout the organization.

While you may not want frontline employees to dictate policy, getting them involved and encouraging feedback is important. You want a rational conversation where the company can find the right point at which employees feel less productive because of security measures. Once you find that line, you don’t want to step over it.

As long as you have that open dialogue, I think buy-in is easier.

What are the tangible benefits of having a VMP? 

There are three tangible benefits to having a VMP:

  1. Once completed, you will have a better understanding of your organization’s risk posture.
  2. You will be better prepared on how to react when — not if — you have a vulnerability that is exploited.
  3. Your organization can experience a sense of unity in coming together as a team to protect and defend against malicious actors.

What questions should CIOs ask themselves when creating a VMP?

You need to understand your environment.

Do you have a “Single Point of Truth” of the state of your environment? From BIOS up to the latest browser plugin? Can you logically group assets by location, by user role, by privilege?

All of these make it easier for IT Ops and Security to more quickly identify and isolate the critical issues from those that are less likely to cause concern.

More questions: Is your outside sales organization using an older version of a VPN tool because their systems are regularly missing patch management events? Does this suggest a greater vulnerability than a computer sitting in a training lab with the same old VPN client installed?

Do you have users that are technically savvy enough to change a hard drive, boot from a USB device, or even try to circumvent existing processes to satisfy their own needs? Can you track that behavior today, and if not, how can you ensure that your data and the PII data that you are protecting is safe?
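As an added illustration (not from the original article or from Absolute's product), the prioritization reasoning above can be made concrete: score each device by the weaknesses it carries, then weight by context so that an old VPN client on a roaming sales laptop ranks above the same client in an isolated training lab, and a device that has stopped checking in is flagged as an inventory gap. The version thresholds, field names and inventory are constructed sample values, not real advisories.

```python
from dataclasses import dataclass

# Assumed minimum-acceptable versions and check-in window (constructed, not vendor guidance)
MIN_VPN_CLIENT = (4, 10)
MIN_BROWSER = (120, 0)
STALE_CHECKIN_DAYS = 90   # beyond this we no longer know the true state of the device

@dataclass
class Asset:
    host: str
    location: str          # "field", "hq", "training-lab", "unknown"
    role: str
    privileged: bool       # local admin or access to PII stores
    vpn_client: tuple
    browser: tuple
    days_since_patch: int
    days_since_checkin: int

def findings(a: Asset) -> list:
    """Weaknesses the device carries, independent of where it sits."""
    out = []
    if a.vpn_client < MIN_VPN_CLIENT:
        out.append("outdated VPN client")
    if a.browser < MIN_BROWSER:
        out.append("outdated browser")
    if a.days_since_patch > 30:
        out.append("missed patch window")
    if a.days_since_checkin > STALE_CHECKIN_DAYS:
        out.append("not seen recently: inventory gap")
    return out

def exposure(a: Asset) -> float:
    """Context multiplier: the same finding matters more on a roaming or privileged device."""
    mult = 1.0
    if a.location == "field":
        mult *= 3.0        # outside the perimeter, public Wi-Fi, coffee shops
    if a.privileged:
        mult *= 2.0        # can reach PII or change the host
    if a.location == "training-lab":
        mult *= 0.5        # isolated, no sensitive data
    return mult

def prioritize(assets: list) -> list:
    """Return (host, score, findings) sorted so the riskiest device comes first."""
    scored = [(a.host, len(findings(a)) * exposure(a), findings(a)) for a in assets]
    return sorted(scored, key=lambda s: s[1], reverse=True)

# Constructed inventory: same old VPN client on a field laptop and a lab PC, plus a lost device
INVENTORY = [
    Asset("sales-laptop-07", "field", "sales", False, (4, 3), (121, 0), 45, 1),
    Asset("lab-pc-01", "training-lab", "lab", False, (4, 3), (121, 0), 45, 1),
    Asset("lost-laptop-03", "unknown", "former-employee", False, (3, 9), (100, 0), 700, 400),
]
```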

Is a VMP useful for small businesses?

A VMP is useful for all organizations, but it’s understandable to wonder how to get this kind of thing going with limited resources.

But when you think about it, I don’t think any company has enough resources to deal with these problems. Whether you’re a Fortune 500 or Fortune 1 Million you’ve got to make decisions and prioritize how you’re going to act. You still have to make that concerted effort to think about your tolerance to risk management and vulnerability management, and then assess how to prioritize to arrive at the key things that’ll make everybody sleep a little bit better at night.

How can technology help in creating a VMP?

With Absolute, we offer that “Single Point of Truth” that provides visibility into the (approved and unapproved) software on a device, and logically groups those devices by location, role, type, software, BIOS and more — to help your organization better understand how the device is being used. Absolute provides visibility and resilience for every endpoint with self-healing endpoint security and always-connected IT asset management to protect devices, data, applications and users — on and off the network.

I want to start with the NIST Cybersecurity Framework. How do I begin?

The threat landscape has evolved, the attack surface has mutated, and everywhere you look, the cybersecurity skills shortage leaves more work to do than there are people to do it. As I mentioned before, the NIST Cybersecurity Framework is a great way to get the ball rolling.

Download our NIST CSF Implementation Overview whitepaper to learn how the NIST Cybersecurity Framework (NIST CSF) supports organizations who want to formalize their security discipline and scale their operations.