Why Is Vulnerability Management So Hard?

By Jeff Schroeder • July 16, 2015

What is it about Vulnerability Management (VM) that proves so difficult for organizations to implement and maintain? We continuously see companies stumble over some of the most basic principles, such as applying patches on any sort of routine schedule, much less identifying misconfigurations, policy noncompliance, or other issues within the environment. Organizations continue to do ‘check the box’ security: they can honestly say “we perform vulnerability scanning,” yet when you look at the vulnerability report it lists thousands, if not tens of thousands, of findings dating back years (and in some cases a decade or more). They don’t have a program, they have a tool.


In the most recent Verizon Data Breach Investigations Report, the authors found that “99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.” Let that sink in: in 99.9% of cases the vulnerability had been publicly known for over a year before it was exploited, so an organization that maintained a vulnerability management program and remediated on any reasonable schedule would have closed the window long before the attacker arrived. If I’m a CISO, those are metrics that matter. Security as a whole is notoriously difficult to measure; VM, however, should be an easy sell.
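The preventive-side counterpart of that DBIR figure is a number every VM program can produce from its own scanner export: what share of the findings still open today concern a CVE that was published more than a year ago, and how many of them are past the remediation deadline the process set. The script below is an added example written for this post, not CyberSheath code or any vendor's API. The CSV layout, the asset names, the first-seen dates and the per-severity SLA table are all constructed assumptions; a real Tenable or Qualys export has different column names, so map them onto these before use.

```python
"""Age-of-exposure metrics from a vulnerability scanner export.

Added example for this post, not CyberSheath code. The CSV layout, the
asset names, the first-seen dates and the remediation SLAs below are all
constructed assumptions; map your scanner's real column names onto them.
"""
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample export. Columns: asset, CVE, scanner severity,
# date the CVE was published, date the scanner first reported it.
SAMPLE_EXPORT = """\
asset,cve,severity,cve_published,first_seen
web01,CVE-2014-0160,High,2014-04-07,2014-04-10
web01,CVE-2015-1635,Critical,2015-04-14,2015-04-20
db01,CVE-2012-1823,High,2012-05-11,2013-01-15
db01,CVE-2015-0235,Critical,2015-01-27,2015-02-02
fs01,CVE-2008-4250,Critical,2008-10-23,2009-03-01
fs01,CVE-2015-2545,Medium,2015-03-27,2015-07-01
"""

# Hypothetical remediation SLAs (days a finding may stay open before it
# is overdue). Placeholders: use the numbers your own process defines.
SLA_DAYS = {"Critical": 30, "High": 60, "Medium": 90, "Low": 180}
DEFAULT_SLA_DAYS = 180


def parse_export(text):
    """Read the CSV export into a list of dicts with real date objects."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "asset": row["asset"],
            "cve": row["cve"],
            "severity": row["severity"],
            "cve_published": date.fromisoformat(row["cve_published"]),
            "first_seen": date.fromisoformat(row["first_seen"]),
        })
    return findings


def exposure_metrics(findings, as_of):
    """Summarise how stale the open findings are as of a given date.

    Returns the share of findings whose CVE is more than a year old (the
    DBIR yardstick), SLA breaches per severity, and the oldest open CVE.
    """
    total = len(findings)
    if total == 0:
        return {"open_findings": 0, "pct_cve_older_than_year": 0.0,
                "sla_breaches": {}, "oldest_cve": None,
                "oldest_cve_age_years": None}
    older_than_year = 0
    breaches = Counter()
    oldest = min(findings, key=lambda f: f["cve_published"])
    for f in findings:
        if (as_of - f["cve_published"]).days > 365:
            older_than_year += 1
        days_open = (as_of - f["first_seen"]).days
        if days_open > SLA_DAYS.get(f["severity"], DEFAULT_SLA_DAYS):
            breaches[f["severity"]] += 1
    return {
        "open_findings": total,
        "pct_cve_older_than_year": round(100.0 * older_than_year / total, 1),
        "sla_breaches": dict(breaches),
        "oldest_cve": oldest["cve"],
        "oldest_cve_age_years": round((as_of - oldest["cve_published"]).days / 365.25, 1),
    }


def overdue_findings(findings, as_of):
    """List (asset, cve, days_overdue) for every SLA breach, worst first."""
    out = []
    for f in findings:
        limit = SLA_DAYS.get(f["severity"], DEFAULT_SLA_DAYS)
        overdue = (as_of - f["first_seen"]).days - limit
        if overdue > 0:
            out.append((f["asset"], f["cve"], overdue))
    return sorted(out, key=lambda t: t[2], reverse=True)


def sample_metrics(as_of_iso="2015-07-16"):
    """Metrics over the constructed export (default as-of: the post date)."""
    return exposure_metrics(parse_export(SAMPLE_EXPORT), date.fromisoformat(as_of_iso))


def sample_overdue(as_of_iso="2015-07-16"):
    """Overdue list over the constructed export (default as-of: the post date)."""
    return overdue_findings(parse_export(SAMPLE_EXPORT), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for key, value in sample_metrics().items():
        print(f"{key}: {value}")
    for asset, cve, days in sample_overdue():
        print(f"overdue {days:>5}d  {asset:<6} {cve}")
```

Two numbers in the output are the ones to put in front of a CISO: the percentage of open findings whose CVE is already older than a year (the population the DBIR says attackers actually exploit) and the SLA-breach count per severity, which measures the process rather than the scanner. Tracking both month over month shows whether the backlog is shrinking or merely being rediscovered on every scan.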

The 3 Entities That Drive Successful VM Programs

1: Processes

Processes are no good without people to implement them, and people are useless when they have no direction. Security should work with the business to build a process with realistic expectations and goals: which assets are in scope, how often they are scanned, how quickly each severity must be remediated, and how exceptions are approved and tracked. Don’t set yourself up for failure by being overzealous. Establish a process with the organization and work to mature it over time.

2: People

Maturing the organization’s process takes people, dedicated people. Maybe it’s one, maybe it’s ten. There is no magic number, but I do emphasize the word “dedicated”. The security analyst, George, who monitors the SIEM and manages the IDS sensors can’t also be your sole VM resource. You have to staff appropriately.

3: Technology

The technology piece may be the easiest of the three drivers. There is a slew of vendors and tools available; you just have to research them and pick the one that fits your environment (and budget) best. The caveat is that a scanner only tells you what is open. Without a process to act on its results and people to drive that process, the output is the same aging report of thousands of findings that nobody owns.

How Can CyberSheath Help Your Organization?

Ultimately, these three entities work in unison, and the program fails when any of the three goes missing, but VM isn’t a lost cause. While we continuously see organizations that have failed in the past, those same organizations are now asking what they need to do to be successful in the future. There is no overnight, turnkey solution that fixes years of neglect, but CyberSheath has successfully helped numerous organizations, both large and small, implement a VM program that produces meaningful metrics and helps reduce risk within the environment. Whether it’s vendor and tool selection, policy, process and procedure documentation, or simply providing those dedicated bodies in the form of a managed service, CyberSheath has experience in it all.
