Friday, May 18, 2018

Introducing Vulnerability Management

The specific term is new to me, but I have worked in the risk management direction for a long time. At the link there is much more, including the references mentioned.

We Scan and We Patch, but We Don’t Do Vulnerability Management, by Anton Chuvakin, Gartner

Lately, we’ve been flooded with calls about vulnerability management (VM). Many of the calls seem to be from organizations of medium to low security operations maturity that are just starting with vulnerability management [and that’s OK – a wise mentor once told me, “always remember that 90% of people are not in the top 10 percentile!” :-)]

Many of them say something similar to “we scan and we patch, but we don’t do vulnerability management.” Essentially, they are coming to a realization that I often like to summarize as “VA is easy, but VM is hard.”

Of course, we have a lot of excellent research written on this topic:

“A Guidance Framework for Developing and Implementing Vulnerability Management” (39 pages of juicy VM stuff!)
“How to Implement Enterprise Vulnerability Assessment”
“A Comparison of Vulnerability and Security Configuration Assessment Solutions” ...

