How to create an effective vulnerability management program



Dated: 2022-11-19 19:58:58


In order to manage vulnerabilities effectively, a company should go through a few preparatory steps. First of all, it is necessary to assess the IT infrastructure and the current information security processes, identify the most dangerous types of vulnerabilities, define the areas of personnel responsibility, and so on. Let’s find out which questions an organization needs to answer before starting a vulnerability management program.

Software vulnerabilities, configuration errors, and unrecorded IT assets exist in every company. Some of these problems are more dangerous from an information security perspective, others less so, but in any case they open a way for attackers into the company’s internal infrastructure. You can reduce the number of potential and existing cybersecurity threats by building a vulnerability management program. This is a process that consists of several important steps:

  • Regular infrastructure inventory
  • Vulnerability scanning
  • Processing of scan results
  • Vulnerability removal
  • Verification that the steps above were actually carried out

As mentioned above, you cannot run a vulnerability management program “on the fly”. First, you need to do your “homework”: assess the existing infrastructure and information security processes, understand how well trained the staff is, and choose a scanning tool and method. Otherwise, the vulnerability management program and the actual vulnerabilities will exist side by side without one affecting the other.

Evaluation of information security processes in the company

The first step to effective vulnerability management is an assessment of business and information security processes. The organization can do this itself or hire an external auditor.

When evaluating the information security process, it is worth answering the following questions:

  • Is there a process for centralized control of all IT assets of the company and how effective is it?
  • Is there a procedure currently in place to find and fix software vulnerabilities? How regular and effective is it?
  • Is the vulnerability control process described in internal information security documentation and is everyone familiar with these documents?

If the answers to these questions do not match the real situation in the company, the assessment will turn out to be inaccurate, and many errors will surface later when the vulnerability management program is implemented or improved.

For example, it is common for an organization to own a vulnerability management solution that is either not configured correctly or that nobody in the organization has the expertise to operate effectively.

Formally, vulnerability management exists, but in reality part of the IT infrastructure is invisible to the tool and is never scanned, or the scan results are misinterpreted. Such gaps in coverage and interpretation must be identified and resolved.

Based on the results of the audit, it is necessary to create a report that clearly shows how the company’s processes are designed and what shortcomings they currently have.

Selecting a scan tool

There are several ways to implement vulnerability management today. Some service providers offer self-service and simply sell the scanner; others offer professional services. Scanners can be hosted in the cloud or on premises. They can monitor hosts with or without agents and draw on various data sources to populate their vulnerability databases.

At this stage, it is necessary to answer the following questions:

  • How is the organization’s IT infrastructure structured, and how unusual or specialized is it?
  • Are there regional peculiarities in the company’s work?
  • Are there many remote computers?
  • Does the company have qualified experts to maintain the scanner?
  • Does your budget allow you to purchase additional software?

Liaise between information security and IT teams

This is perhaps the most difficult stage, because here it is necessary to properly build the interaction between people. Typically, security professionals in an organization are responsible for information security, and the IT team is responsible for remediating vulnerabilities. It also happens that both IT and information security are the responsibility of a single team, or even a single employee.

However, this does not change the approach to distributing tasks and responsibilities, and sometimes it becomes clear at this point that the current number of tasks exceeds what one person can handle.

As a result, a consistent and synchronized vulnerability remediation process should be established. To achieve this, criteria must be defined for handing information about discovered vulnerabilities from the information security team to IT (i.e., a single, agreed method of data transfer for every case).

In fact, the biggest problem is the lack of a good analyst who can competently review news sources and prioritize vulnerabilities. News, security bulletins, and vendor reports often indicate which vulnerabilities should be fixed first. In my experience, analysts should focus on the most dangerous vulnerabilities. All other remediation should be handled automatically by applying the patches received from the software vendor.

Some types of vulnerabilities and attacks (for example, zero-day attacks) are difficult to detect. In order to effectively control all processes, at this stage of building a vulnerability management program you need to discuss and agree on KPIs and SLAs for the IT and security teams.

For example, for information security it is important to set requirements for the speed of detecting vulnerabilities and the accuracy of rating their importance; for IT, requirements for the speed of remediating vulnerabilities of a given severity.

Implementation of the vulnerability management program

After assessing the maturity and availability of processes, deciding on a scanning tool, and agreeing how the teams interact, you can begin implementing a vulnerability management program.

At the initial stage, it is not recommended to use all the functional modules available in the scanning tool. If the organization previously had no continuous vulnerability monitoring, the information security and IT teams will most likely run into difficulties. This can lead to conflicts and to missed KPIs and SLAs.

It is better to introduce vulnerability management step by step. You can go through the entire vulnerability management cycle (inventory, scan, analysis, remediation) at a slower pace. For example, scan the entire infrastructure once a quarter, and business-critical segments once a month.

In about half a year, your teams will be able to “work together”, find and fix the most critical vulnerabilities, understand the obvious flaws in the processes and provide a plan to eliminate those flaws.

In addition, you can hire external experts who will significantly reduce the routine work of the company’s full-time employees. For example, a service provider may take over asset inventory, scanning and processing of the results. The service approach also helps managers plan work and monitor progress.

So, for example, if the vendor’s report shows that the vulnerabilities found during the previous scan have not been fixed, the manager, after checking the SLAs of his employees, will understand that either the information security department is not handing over the scan data in time, or the IT team is not fixing the identified problems in time.
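The manager’s check described above (which team is holding up an unfixed finding) can be automated over two consecutive scanner exports plus the ticketing system’s hand-over records. The script below is an added example written for this article, not code from the author or from any scanner vendor; the SLA values, the VULN-000x identifiers, asset names, scan dates and ticket dates are all constructed placeholders. Findings without an IT ticket older than the hand-over SLA are attributed to the security team; findings with a ticket that are older than the severity-based remediation SLA are attributed to IT.

```python
"""Added example: attribute unfixed findings to the hand-over or remediation SLA.

Assumes a scanner that exports one row per (asset, vulnerability) with a
severity, and a ticketing system that records when security handed a finding
to IT. All data in this file is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Hypothetical SLA values in days; the real ones are agreed between the teams.
HANDOVER_SLA_DAYS = 3  # security must open an IT ticket within 3 days of detection
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

STATES = ("remediated", "within_sla", "awaiting_handover",
          "handover_overdue", "remediation_overdue")


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str      # scanner finding id (placeholder values below)
    severity: str     # critical / high / medium / low
    scan_date: date   # date of the scan export this row came from


@dataclass(frozen=True)
class Ticket:
    asset: str
    vuln_id: str
    created: date     # when security handed the finding to IT


def classify(severity: str, first_seen: date, ticket: Ticket | None, today: date) -> str:
    """SLA state of a finding that is still open on `today`."""
    age = (today - first_seen).days
    if ticket is None:
        # Nothing handed to IT yet: any delay sits with the security team.
        return "handover_overdue" if age > HANDOVER_SLA_DAYS else "awaiting_handover"
    # IT has the ticket: measure against the severity-based remediation SLA.
    return "remediation_overdue" if age > REMEDIATION_SLA_DAYS[severity] else "within_sla"


def sla_report(previous: list[Finding], current: list[Finding],
               tickets: list[Ticket], today: date) -> dict[str, list[tuple[str, str]]]:
    """Compare two consecutive scans and bucket every finding by SLA state."""
    prev_map = {(f.asset, f.vuln_id): f for f in previous}
    curr_keys = {(f.asset, f.vuln_id) for f in current}
    ticket_map = {(t.asset, t.vuln_id): t for t in tickets}
    report: dict[str, list[tuple[str, str]]] = {s: [] for s in STATES}

    # Rows from the previous scan that no longer appear are treated as fixed
    # (or the asset vanished; the inventory step should confirm which).
    for k in prev_map:
        if k not in curr_keys:
            report["remediated"].append(k)

    for f in current:
        k = (f.asset, f.vuln_id)
        # Age is counted from the first scan that reported the finding, not the latest.
        first_seen = prev_map[k].scan_date if k in prev_map else f.scan_date
        report[classify(f.severity, first_seen, ticket_map.get(k), today)].append(k)
    return report


# Constructed sample data: a quarterly scan on 1 Oct and the next one on 1 Nov.
PREVIOUS_SCAN = date(2022, 10, 1)
CURRENT_SCAN = date(2022, 11, 1)
PREVIOUS = [
    Finding("web-01", "VULN-0001", "critical", PREVIOUS_SCAN),
    Finding("web-01", "VULN-0002", "medium", PREVIOUS_SCAN),
    Finding("db-01", "VULN-0003", "high", PREVIOUS_SCAN),
    Finding("db-01", "VULN-0004", "low", PREVIOUS_SCAN),
]
CURRENT = [
    Finding("web-01", "VULN-0001", "critical", CURRENT_SCAN),
    Finding("web-01", "VULN-0002", "medium", CURRENT_SCAN),
    Finding("db-01", "VULN-0003", "high", CURRENT_SCAN),
    Finding("app-01", "VULN-0005", "high", CURRENT_SCAN),
]
TICKETS = [
    Ticket("web-01", "VULN-0001", date(2022, 10, 2)),
    Ticket("web-01", "VULN-0002", date(2022, 10, 2)),
]


def sample_report() -> dict[str, list[tuple[str, str]]]:
    return sla_report(PREVIOUS, CURRENT, TICKETS, today=CURRENT_SCAN)


if __name__ == "__main__":
    for state, items in sample_report().items():
        print(f"{state:20s} {items}")
```

On the constructed data the critical finding on web-01 has a ticket but is 31 days old against a 7-day SLA, so it is charged to IT; the high finding on db-01 has no ticket after 31 days, so the hand-over step is what failed. Run with real exports, this is the split the manager wants to see before raising the problem with either team.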


When developing a vulnerability management program, an organization may encounter the following errors:

  • Overestimating current processes and their effectiveness within the organization.
  • Misjudgment when choosing a scanning method and tool. This happens because some experts choose a scanner based on subjective judgment or “as directed” without proper process evaluation and analysis. If full-time employees do not have enough experience and skills, it is better to choose a provider of scanning, analysis of results and remediation of vulnerabilities.
  • Lack of delineation of responsibilities between information security and IT teams.
  • Implementation of everything at once. “We will regularly monitor all servers, workstations and clouds. We will also focus on ISO 12100 and PCI DSS. We will install a patch management solution and John will control everything.” Such an approach is dangerous. In a month John will be arguing with IT, and in three months he will quit his job. The process will be declared ineffective and forgotten until the first cybersecurity incident.

Therefore, it is better to first “lay the foundations” and only then start building a vulnerability management program.

Featured image credits: Christina Morillo; pixel; Thank you very much!

Alex Vakulov

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He writes for numerous technology publications and shares his security experiences.

