Have you ever thought about what kind of data/intelligence you may need with regards to vulnerability management? It tends to vary at levels of abstraction based on the audiance, but don’t think the person doing the patching may not be considernig upwards or that someone in a C level position won’t care about the zeros and ones (life doesn’t work that way!)

Anyway I was talking to a friend and came up with these so thought I’d share them with the world. Have I done a decent job? can you think of others? How do you measure and report? What are your concerns?

Let’s take a look at what I came up with (this wasn’t a very long time in the making 😉 )

Leadership

• What does my overall security posture look like?
• How does this look against risk e.g., CRITICAL/HIGH/MEDIUM/LOW?
• Do I need to do something immediately?
• How do I improve the situation over a period?
• Are we investing and getting good returns?
• What are the postures of critical services to my organisation?
• How likely is it that if a vulnerability was exploited, it could lead to a major cyber incident?
• How do leverage business support to improve vulnerability management throughout the lifecycle?

Management

• What are my teams’ priorities?
• How much effort is required?
• Where can achieve economy of scale? E.g., deploy once, fix many
• What vulnerabilities are being exploited and which are likely to be used in an active realistic negative impact delivering kill chain?
• How do I manage availability and schedule maintenance?

Security Engineer/IT Engineer/Developer

• What are my priorities?
• What explicit vulnerabilities and actions are needed per host?
• Where can achieve economy of scale? E.g., deploy once, fix many
• Which vulnerabilities impact platforms?
• Which vulnerabilities involve software library dependencies?

Summary

When you look at the security landscape it’s really broad and insanely deep, it’s easy to say “we do everything” but that’s largely not true in my experiance working with many many orgs across my career. Vulnerability management is often glossed over with a view that it’s a vulnerability scan… and my friends, it’s really not that. it’s so much more!