Turn tedious cybersecurity tasks into business enablers

Vulnerability management: From Routine Task to Strategic Shield 

Vulnerability management involves the practice of scanning, assessing, prioritizing, and patching security vulnerabilities before they are exploited. It may not be the most exciting aspect of cybersecurity, but its proactive nature makes it a fundamental one. While organizations often focus on Detect & Respond mechanisms, you also need Assess & Prevent for effective security. This can be compared to physical security, where you need both a burglar alarm (Detect & Respond) and a lock (Assess & Prevent). 

Outdated systems that have not been patched for the latest vulnerabilities are easy targets for cybercriminals. When cyber risk intelligence company Bitsight analyzed ransomware incidents, the results were clear:  

Organizations with a poor patching frequency were 7 times more likely to be a victim of a ransomware attack compared to those with higher patching frequencies. 

Discovered vulnerabilities typically get a unique CVE (Common Vulnerabilities and Exposures) identifier and are then rated for severity using systems like CVSS (Common Vulnerability Scoring System) or Tenable’s VPR (Vulnerability Priority Rating). 

Many CISOs believe that each newly discovered vulnerability requires immediate patching, but this approach may not be the most efficient use of organizational resources. In recent years, only about 2% of new CVEs have been exploited annually. However, examining cumulative figures reveals that approximately 6% of all published CVEs have been exploited in the wild as of 2024, according to Cyentia’s report “A Visual Exploration of Exploits in the Wild.” This indicates that cybercriminals target not only recent vulnerabilities, but also older ones left unpatched by organizations. 

The Shift to Risk-Based Vulnerability Management 

These statistics suggest that strict SLAs dictating rapid vulnerability remediation should transition to a more nuanced, risk-based approach. Aside from considering the CVSS and/or VPR scores of a vulnerability, you should also evaluate the context of the affected systems: for example whether they are internal or external, whether they host critical services, and when is the next patching cycle. This approach prioritizes addressing the vulnerabilities that are most likely to have a critical business impact. 

Effective vulnerability management begins with asset management using a CMDB (Configuration Management Database), so you know you’re covering all systems with your scans (both on-premise and cloud, as well as IT and OT systems). You then need to combine vulnerability scores with contextual information about the assets to create a risk-based prioritization (like previously mentioned, location and criticality). This should all be part of an organization-wide process, with continuous scanning to transition from reactive patching to proactive risk mitigation. 

Compliance management: Beyond Checklists, Toward Continuous Assurance 

Compliance management is a practice for organizations to meet regulatory requirements, industry standards, and best practices. In the cybersecurity domain, this means scanning IT systems for configuration settings, investigating them, and then correcting or hardening these configurations to meet established requirements. 

Typically, this is accomplished using CIS (Center for Internet Security) benchmarks. These are configuration baselines that implement best practices for securely configuring various product families, such as Windows or Linux operating systems for servers, but also application-level configurations such as for web servers and database servers. 

Similar to vulnerability management, effective compliance management also begins with asset management using a CMDB. Identifying all assets within your IT environment is essential, after which you can assign a baseline to each asset for a configuration that it has to adhere to. Only then can you ensure that scanning your IT environment using CIS baselines adequately covers all systems. 

Again, as with vulnerability management, identified deviations from baselines should be combined with contextual information about the assets to create a risk-based prioritization. After that, the CIS controls (defensive actions) with the highest priority should be implemented. This too should all be part of an organization-wide process, continuously monitoring the compliance state of the IT environment and ensuring all infrastructure components are hardened. 

Risk-based operations: The Hidden Efficiency Booster 

As this explanation makes clear, both vulnerability and compliance management start with asset management, benefit from contextual information to create a risk-based prioritization, and should be embedded into business processes. Integrating vulnerability and compliance management then offers clear operational benefits. 

These benefits arise from the following types of integrations: 

• Contextual risk insights: Both processes require a risk-based context for assets, such as assessing how critical a system is. So the same information can be used for both processes, and this should be documented in a CMDB. 
• Joint governance: Both processes require tracking progress from scanning and investigation to actions. They both use actionable metrics focused on improving SLA adherence. This is best implemented by embedding vulnerability and compliance management into business processes, ensuring every new asset is set up to adhere to the standards throughout its entire life cycle. 
• Unified observability: Developing one unified dashboard for both processes allows for a comprehensive view of your organization’s risks. 

Recent regulations like NIS2 also emphasize the importance of these integrated risk-based processes. If you need help streamlining your vulnerability and compliance management, feel free to contact us.