To achieve cyber resilience, organisations must define and implement cyber strategies. These strategies consist of, among others, a vulnerability management program. The main objective of this program is to identify and remediate vulnerabilities. Simple, right?
It is not.
Inadequate planning makes the program challenging and leads to incomplete asset assessment, undefined roles and responsibilities, an inability to scan some (usually highly vulnerable) assets, and inappropriate remediation of identified vulnerabilities.
To implement and maintain an effective and sustainable vulnerability management capability, you should take deliberate measures before, during and after implementing the program. These measures include:
Develop a policy. The policy defines how to operate and manage the capability. Without it, the program is heading for failure. It must specify:
As it will guide stakeholders’ involvement in the program, it’s crucial to develop the policy collaboratively to ensure completeness and buy-in from these stakeholders. When completed and approved, you should communicate it (again) to all stakeholders.
Know Your Assets. An effective vulnerability management program must assess all assets for vulnerabilities and conduct remediation. To achieve this, you need information about assets – contextual information and asset criticality to the business.
Without knowing the assets and understanding their value, the vulnerability management program will be incomplete and ineffective. Therefore, it is important to maintain an inventory of assets and understand the asset value to the business to ensure the program is holistic and achieves the intended objective.
Partner with key stakeholders. Like any program, vulnerability management requires collaboration and communication with key stakeholders, including asset owners, IT operations and security teams. Without collaboration, the program will face challenges, including inappropriate risk mitigation decisions, insufficient people resources, inadequate remediation, and inability to track progress.
To be effective, you should identify and constantly engage the key stakeholders during planning and implementation, and eventually when the program is in operation. This helps you understand the challenges and come up with solutions that ensure the program’s success.
Prioritise Remediation. It is practically impossible to remediate all the identified vulnerabilities within a short time frame regardless of the severity. This is due to the extensive number of systems the organisation has and their value to the business. Therefore, prioritising (and indeed planning) remediation is critical to the progress and success of the program.
However, prioritising is not as easy as starting with the vulnerabilities that have the highest CVSS score. That approach wastes time and effort remediating vulnerabilities on low-value assets while leaving high-risk vulnerabilities on critical systems for longer than necessary.
Effective remediation should prioritise vulnerabilities based on the risk posed to the organisation, not the CVSS score alone. Other factors include the value of the asset, known exploits for the vulnerability, exploitability, threat factors, similar vulnerabilities, location of the asset, vulnerability prevalence, vulnerability age, and whether the vulnerability is associated with a compliance/regulatory requirement.
All stakeholders should agree on a risk-based approach that considers a combination of these factors before starting the program. With the agreed approach and remediation timeframes in place, stakeholders will work collaboratively to remediate vulnerabilities.
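As an added illustration of the risk-based prioritisation described above (example code, not part of the original article), the following scores each finding by combining the listed factors rather than CVSS alone. The weights, the field names and the sample findings are assumptions made for this example; a real program would agree the weighting with stakeholders as part of the policy.

```python
from dataclasses import dataclass

# Risk-based ranking using the factors the article lists: asset value, known
# exploit, exposure (asset location), prevalence, age and compliance relevance.
# All weights below are illustrative assumptions, not a standard.

@dataclass
class Finding:
    vuln_id: str
    cvss: float            # CVSS base score, 0-10
    asset_value: int       # 1 (low) .. 5 (critical), from the asset inventory
    known_exploit: bool    # public exploit or reported active exploitation
    internet_facing: bool  # asset location / exposure
    prevalence: int        # number of assets carrying the same vulnerability
    age_days: int          # days since first detected
    compliance: bool       # tied to a regulatory/compliance requirement

def risk_score(f: Finding) -> float:
    """Combine the factors into one number; higher means remediate first."""
    score = f.cvss * f.asset_value           # severity scaled by business value
    if f.known_exploit:
        score *= 1.5                         # exploitation is demonstrably feasible
    if f.internet_facing:
        score *= 1.3                         # reachable from outside the network
    score += min(f.prevalence, 50) * 0.2     # widespread issues amplify impact
    score += min(f.age_days, 365) / 90.0     # overdue findings creep upward
    if f.compliance:
        score += 5.0                         # regulatory deadline attached
    return round(score, 2)

def prioritise(findings):
    """Return findings ordered by risk, most urgent first."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample findings (not real CVEs or assets).
SAMPLE = [
    Finding("V-1", cvss=9.8, asset_value=1, known_exploit=False,
            internet_facing=False, prevalence=1, age_days=5, compliance=False),
    Finding("V-2", cvss=6.5, asset_value=5, known_exploit=True,
            internet_facing=True, prevalence=12, age_days=40, compliance=True),
    Finding("V-3", cvss=7.5, asset_value=3, known_exploit=False,
            internet_facing=True, prevalence=30, age_days=200, compliance=False),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f.vuln_id, "cvss", f.cvss, "risk", risk_score(f))
```

Note that V-1, the highest CVSS score, ranks last: it sits on a low-value, isolated asset, while the medium-severity V-2 on a critical internet-facing asset with a known exploit ranks first.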
Measure progress. To monitor and report progress of the program, develop and use metrics. The metrics should track and report on asset coverage and remediation status as part of the regular reporting to the established governance structures and provide executives with insights into the program’s performance.
Conclusion:
Although remediating all identified vulnerabilities is the ultimate goal, it is not always possible in the short term – especially at the start of the program. To achieve cyber resilience, the vulnerability management program must prioritise and remediate vulnerabilities based on the risk posed to the organisation.
To achieve this, consider the measures above, and develop and implement the plan using an agile, iterative approach, progressively building the capability end-to-end in quarterly sprints.
Also consider automating repetitive tasks like assessment, remediation prioritisation and status reporting to minimise the effort/resources required to operate the capability.