You’ve finally fought off the enough of the day-to-day issues that you can now focus on getting ahead of some of the security risks that you know are out there. You know that a ransomware attack or data breach could potentially cost millions. You know that these types of issues are preventable by implementing a Vulnerability Management program that can not only identify problems but can address them as well. However, you’ll need both organizational buy-in and financial investment to get started.
As a security professional, the hardest part of vulnerability management isn't the execution of the process. The hardest part is building an understandable business justification and strategy. From the viewpoint of security, the value for a process that can identify potential gaps in patching processes or misconfigured settings is easily conveyed. However, this may not be enough to communicate the value that a Vulnerability Management program has to the other organizational leaders who will need to sign off on investing money into time, technology, or people.
Start with a deep understanding of the costs
Despite the strategies that you will use to communicate the value of a Vulnerability Management program, you MUST know the costs. While it will be hard to precisely identify what the Return on Investment (ROI) will be, you should understand all the costs associated with a Vulnerability Management program. While I've listed a few basic areas of cost analysis below, you'll probably need to customize your cost-analysis based on the needs of your organization.
1 - Program Start-up and Implementation Costs
Formalizing the program is a critical first step to ensure that your Vulnerability Management program will be able provide long-term transformation of your organization. The costs at this stage may be as simple as accounting for the time you spend building a mission and charter that everyone within the organization can support.
However, as you progress, you’ll need to make sure you can estimate the level of effort that each team will need to be able to support the mission and charter. By defining your program’s roles and responsibilities, you’ll be able determine where and how many additional resources may be needed. Below is a list of activities that are important to setting up a Vulnerability Management program.
2 - Resource Costs
Building up a vulnerability management program will likely require additional resources within a security operations team to ensure you have the right number of resources both now and in the future as your program scales.
3 - Technology Costs
At the beginning of your vulnerability management program, you may be able to leverage manual processes to identify and treat vulnerabilities within your organization. However, these manual processes are not sustainable, and you will need to invest in technology solutions that can help you increase the velocity in which your program can operate.
4 - External Assessments
Third-party service partners can also be valuable input into your Vulnerability Management program and can help to provide targeted insight around gaps that may exist within your organization. These types of tests may be part of your organizational due diligence or part of your regulatory/contractual requirements.
These can be a lower cost option when your organization is budget conscious but still wants to ensure vulnerabilities are being identified and addressed. However, as a personal observation, the challenge with external assessments is that the results are often not tracked to completion within a remediation plan. This leads to potentially highlighting the same issues across multiple assessments which decreases the value of any future assessment.
5 - The Cost of Doing Nothing
While providing a comprehensive view of the costs that are needed to create (or improve) your program is valuable, you should also try to identify the potential losses that may occur if the organization does not move forward with a Vulnerability Management program. This will provide a more holistic view of your investment costs in the context of your environment. These costs are unique to each organization, but I've listed some examples below.
Approaches to obtain stakeholder buy-in
A Vulnerability Management program is easily the best program to protect your organization from security incidents by addressing the root causes. The reality is that the stakeholders that you will need to convince will probably have other initiatives that they are trying to accomplish. You might even be competing for the same budget.
The result is that you will need to identify ways that a Vulnerability Management program can improve other organizational programs, not just goals and objectives of the Security team.
Describe how it improves the whole organization
Here are some ways I've found that are helpful demonstrate how a mature Vulnerability Management program can improve the organization:
Develop a comprehensive understanding of the business - As multiple teams begin to coordinate remediation plans, all members will have a greater understanding of how technology assets support the delivery of business services. An example of this is a medical device that can only use a certain version or Java for it to function correctly.
Comprehensive asset inventory - Vulnerability scanners can help highlight assets that are missing from the organization's current asset inventory.
Identify gaps in operational processes - Identifying gaps in IT service management practices will ensure that you have the right processes to communicate and coordinate remediation across the organization.
Validate your compliance with regulatory requirements - Scans can be customized to identify PCI, PHI, or PII that may exist on systems that don't have the right regulatory controls.
Address fears or previous negative experiences
It’s very likely that the people you'll need to convince have a previous experience around Vulnerability Management. Sadly, there is a potential that their experience may not be positive and will require additional time working to assuage their concerns about how this will be different. Here are a few examples of concerns that may need to be addressed along with examples on how to combat these fears:
Fear of Outages - Define a process to identify systems that may be sensitive to being scanned (or attacked through a penetration test) and creating a secondary method to identify and resolve vulnerabilities.
Fear of False-Positives - Discuss how you can use additional information from your Asset Inventory (or CMDB) and patch management tools during the initial tuning process for any vulnerability scanning tools that are used.
Fear of Costs - Start by identifying a "do not exceed" budget that can help validate the success of a Vulnerability Management program. By selecting a specific business use-case problem, you can ensure the scope of your program is in-line with the level of investment your organization is comfortable with. You can also start with a proof-of-concept or assessment to validate the value of a vulnerability program before making significant investments. Some low costs example that you can start with are:
External network assessments - Identify vulnerabilities that are publicly accessible outside of the organization.
Program framework development - Define an effective process to resolve issues once they are identified.
Conduct a Security Awareness class - Communicate the cyber security hygiene areas like patching, phishing prevention, and password management that organizational users should be following.
Ultimately, you’re going to find that each organization is unique. Hopefully this has given you several ideas for different ways you can approach your organizational and find the funding you need to develop an effective Vulnerability Management program.