Vulnerability Risk Management

Vulnerability assessment is the process of identifying, quantifying and prioritizing vulnerabilities in the software, hardware, cloud, and on-premises assets that make up an organization’s attack surface.

Vulnerability management is the operational practice of identifying, classifying, remediating and mitigating vulnerabilities across an organization’s attack surface.

Risk-based vulnerability management is the process of prioritizing, remediating and reporting on vulnerabilities based on the risk they pose to the business.

Traditional vulnerability management lacks the business context and threat intelligence to prioritize vulnerabilities based on the risk they pose to the specific business.  Too often, vulnerability management programs rely solely on CVSS scores or scanner results to assign a priority, leaving security teams drowning in vulnerabilities and application and operations teams frustrated by chasing down and fixing vulnerabilities that don’t matter.

The objectives of a vulnerability risk management program are to identify, prioritize, communicate and remediate only the vulnerabilities that matter to the business.

A well-run risk-based program delivers the following benefits:

• Clear communication about the risk posed to the business by vulnerabilities across the attack surface. This communication needs to be in the language of the business and relevant to security, technical and business audiences.
• Prioritization that understands the business and provides transparency into why a particular vulnerability was prioritized.
• Streamlined remediation provides technology teams responsible for fixing vulnerabilities with the information they need in the tools they use in their daily workflow.

A risk-based approach enables the business to reduce the right cyber risks fast, while minimizing business disruption.