Vulnerability management is business critical. There are serious economic and reputational consequences for companies that fail to manage software vulnerabilities. The good news is that solid frameworks already exist for doing so.
In our new PwC Switzerland white paper, we take a detailed look at the threats, the complexities that have to be addressed – and how organisations can respond to the risks without overstretching their financial and personnel resources.
Why is vulnerability management so important?
There are both intrinsic and extrinsic incentives to manage your software vulnerabilities properly. The intrinsic bottom line is that there are severe economic and reputational consequences for companies that fail to identify their software vulnerabilities and respond to them effectively.
Added to this are extrinsic factors such as industry best practices and a growing number of regulations requiring organisations processing sensitive data to implement risk-based vulnerability management.
So do we simply evaluate and buy the best vulnerability scanning software?
It’s important not to confuse vulnerability management with merely assessing or scanning for vulnerabilities. Vulnerability management isn’t just an aspect of IT hygiene. It’s an essential part of IT risk and compliance management, and key to establishing and maintaining trust in IT services. It also has to be seen as a cycle rather than just a static building block of your processes.
In the white paper we see how it’s possible to make vulnerability management an integral part of your IT governance framework to achieve a sustainable and mature security level by proactively identifying and remediating vulnerabilities, while at the same time complying with ever-increasing regulatory requirements.
The importance of a comprehensive, coordinated approach
The paper looks at a vulnerability management process consisting of three stages: prework, process integration and continuous improvement.
- Prework: Using IT governance as a foundation to identify what IT assets are in scope, and having clearly defined roles and responsibilities to establish and maintain ‘compliant data processing’
- Process integration: Viewing vulnerability management not as a new process, but as a different angle on IT monitoring, event management and incident response. This includes incident management for handling a critical vulnerability and managing compliance by defining technical standards and systematically monitoring adherence to IT standards
- Continuous improvement: Instead of aiming for the ‘perfect’ solution, starting small and quick, and improving over time by expanding scope and fostering automation
Prework: Defining the scope of vulnerability management, establishing IT governance with roles and responsibilities, having vulnerability management as an integrated process in IT service management, and evaluating sourcing options.
Identify: Setting up a central asset inventory and defining the right scanning method. Which assets should be scoped in? Which assets are critical IT assets that hold sensitive data?
Evaluate: Assessing the company-specific environmental characteristics: the context of the vulnerabilities on the asset; criticality and severity of the vulnerabilities; the risks that are relevant to the organisation.
Remediate: Addressing vulnerabilities once they’re found. How effective is the patch management process? Can compensating measures be applied via formal change management? Does the organisation accept the residual risk if patching is not available or possible?
Verify: Doing a timely rescan, periodic reviews and ensuring an escalation process is in place to deal with vulnerabilities.
Report: Communicating with the respective line of defence by means of stakeholder-specific reporting (dashboard overview).
Continuous improvement: Reviewing the lessons learned, evaluating your risk appetite (risk tolerance), reviewing the maturity of the process, improving continuously by means of automation, and increasing maturity.
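The stages above, as an added example that is not from the white paper: a small Python model of one pass through the cycle, using constructed asset and scan data, placeholder CVE ids and assumed remediation time objectives per priority. It shows the point of the Evaluate stage, namely that the same CVE gets a different priority depending on the asset it sits on, and how Verify and Report then track open and overdue items.

```python
from datetime import date, timedelta
# Constructed sample data: the central asset inventory (Identify stage) plus raw scanner findings.
ASSETS = {
    "crm-db-01":     {"criticality": "high", "sensitive_data": True},
    "intranet-wiki": {"criticality": "low",  "sensitive_data": False},
}
FINDINGS = [  # CVE ids are placeholders, not real identifiers
    {"asset": "crm-db-01",     "cve": "CVE-0000-0001", "cvss": 7.5},
    {"asset": "crm-db-01",     "cve": "CVE-0000-0002", "cvss": 4.0},
    {"asset": "intranet-wiki", "cve": "CVE-0000-0001", "cvss": 7.5},
]
LEVELS = ["low", "medium", "high", "critical"]
SLA_DAYS = {"low": 180, "medium": 90, "high": 30, "critical": 7}  # assumed time objectives
FOUND_ON, TODAY = date(2024, 1, 15), date(2024, 3, 1)             # constructed dates

def cvss_level(score):
    """Map a CVSS base score to its severity band (CVSS v3 qualitative scale)."""
    return ("critical" if score >= 9.0 else "high" if score >= 7.0
            else "medium" if score >= 4.0 else "low")

def evaluate(finding, asset):
    """Evaluate stage: priority depends on the asset context, not on the CVSS score alone."""
    idx = LEVELS.index(cvss_level(finding["cvss"]))
    if asset["criticality"] == "high" or asset["sensitive_data"]:
        idx = min(idx + 1, len(LEVELS) - 1)   # escalate on critical / sensitive-data assets
    elif asset["criticality"] == "low":
        idx = max(idx - 1, 0)                 # de-prioritise on low-value assets
    return LEVELS[idx]

def plan_remediation(findings, assets, found_on):
    """Remediate stage: give every finding a priority and a due date (its time objective)."""
    return [{**f, "priority": p, "due": found_on + timedelta(days=SLA_DAYS[p]), "open": True}
            for f in findings for p in [evaluate(f, assets[f["asset"]])]]

def verify(plan, rescan):
    """Verify stage: an item is closed only when the rescan no longer reports it."""
    still_open = {(r["asset"], r["cve"]) for r in rescan}
    for item in plan:
        item["open"] = (item["asset"], item["cve"]) in still_open
    return plan

def report(plan, today):
    """Report stage: open items per priority and how many already breach their time objective."""
    summary = {lvl: {"open": 0, "overdue": 0} for lvl in LEVELS}
    for item in (i for i in plan if i["open"]):
        summary[item["priority"]]["open"] += 1
        summary[item["priority"]]["overdue"] += int(today > item["due"])
    return summary

def run_cycle(rescan):
    """One pass through Identify -> Evaluate -> Remediate -> Verify -> Report."""
    return report(verify(plan_remediation(FINDINGS, ASSETS, FOUND_ON), rescan), TODAY)
```

Feeding `run_cycle` a rescan that still lists the first and third findings yields one overdue critical item and one open medium item, which is the stakeholder-level view the Report stage is meant to provide.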
A complex but manageable challenge
The white paper also demonstrates that an effective vulnerability management set-up needs to go further than simply assuring recurring vulnerability scans: it must cover process integration, IT governance and tooling, that is, sourcing the appropriate tools and making sure they fit together and into the existing IT set-up.
Despite the complexity of the undertaking, best practices and frameworks exist to enable any organisation to implement the right vulnerability management set-up for its needs and circumstances. A workable solution is within reach.
What is vulnerability management?
Vulnerabilities are bugs that can be exploited by people with malicious intent to circumvent security controls and gain access to your systems and data.
The aim of vulnerability management is to identify and remediate known vulnerabilities and to assess how capable and mature your IT organisation is when it comes to applying security patches within a defined time objective. Vulnerability management is an ongoing process of identifying, evaluating, remediating, verifying and reporting vulnerabilities in IT systems and in the software that runs on the IT infrastructure.