Vulnerability management (VM) is a crucial aspect of cybersecurity, yet it’s often mired in traditional practices that don’t always align with the evolving threats and complexities of modern networks. The traditional severity-based model, while foundational, often falls short in addressing the nuanced threats faced by modern organisations. This realisation has prompted a shift towards a more strategic, risk-focused vulnerability management (VM) methodology. Drawing from my experience overseeing the security for roughly 20,000 assets across various clients, this post marks the beginning of a series aimed at exploring the intricacies of an effective VM strategy that prioritises real-world risk over theoretical severity.

The Journey from Severity to Risk

The genesis of this evolved approach was born out of necessity. Initial resistance from clients towards implementing recommended patches highlighted a glaring issue: not all vulnerabilities are created equal, nor do they pose the same level of risk to every organisation. It became evident that a one-size-fits-all, severity-based approach was inadequate for the complexities of my customer’s environments.

A Roadmap to Risk-Focused VM

This series will guide you through the critical components of a risk-focused VM strategy, starting with the development of a robust risk management framework. My upcoming post, “Crafting Your Risk Management Framework” will delve into establishing a framework that aligns with your organisation’s risk tolerance and objectives.

Subsequent posts will cover essential aspects of this approach in detail:

• Asset Categorization in Vulnerability Management: Learn how to identify your digital crown jewels by categorising assets based on their exposure level, paving the way for prioritised remediation efforts.
• The Role of Risk Owners and Remediation Teams: This article will emphasise the importance of assigning risk owners and establishing remediation teams to streamline the process.
• Rethinking CVSS: Explore the limitations of CVSS scores and the advantages of incorporating KEV and EPSS scores for more accurate prioritisation.
• Executing a Targeted Remediation Plan: From leveraging the KEV list to creating actionable plans, this post will guide you through the process of focusing on vulnerabilities that pose the most immediate risk.
• Predictive Vulnerability Management: Discover how the EPSS score can help predict which vulnerabilities are most likely to be exploited in the near future.
• Staying Ahead of the Curve: Understand the significance of continuously monitoring CVE exploitability changes and adjusting your remediation priorities accordingly.
• Beyond NIST: This article will advocate for diversifying sources beyond the NIST NVD to gain a more accurate understanding of vulnerabilities.
• Communicating Vulnerability Risks: Learn strategies for effectively conveying the significance of vulnerabilities to risk owners in terms they can understand.
• Managing Residual Risk: Our series will conclude with a discussion on the realities of residual risk and strategies for managing it within your VM program.

Moving Forward

Adopting a risk-focused approach to vulnerability management is not merely a change in tools or processes; it’s a fundamental shift in mindset. By prioritising tangible risks and effectively communicating them to stakeholders, organisations can enhance their security posture and build a more resilient digital environment. Stay tuned as we explore each facet of this approach, providing insights and practical advice to navigate the complexities of modern vulnerability management.

Adam McHugh

+ posts

• From Vulnerable to Vigilant: Transforming Vulnerability Management Processes
• Managing Residual Risk: Understanding the Limits of Vulnerability Management
• Communicating Vulnerability Risks: Translating Technical Jargon into Business Impact
• Beyond NIST: Diversifying Sources for Accurate Vulnerability Context