Firms that practice vulnerability scanning routinely and comprehensively are a giant step ahead of those that do not. Congratulations if you are a scanning champion!
Yet your responsibility does not end with conducting vulnerability scans. Scanning results without context and a coordinated action plan are an incomplete risk management process. As a scanning champion, you know this already. What you may not know is which tool can help you complete a closed-loop process and, of equal importance, drive productivity improvements.
There’s no black-box magic here. The tool I’m talking about is integrated, process-oriented visibility. That is a lot to unpack, so let me elaborate by highlighting what you want this tool to show and how you can benefit.
Naturally, scanning results must be organized.
How the scanning results are organized is a matter of preference, but options are good. Among them, sorting and filtering results by asset type and vulnerability severity is a good start, and more is better. For example, even if your experience lets you quickly identify the most critical business assets, the ability to classify and group assets by business criticality goes a long way toward prioritizing remediation efforts with others.
How do we stack up?
Everyone has a boss, and most bosses will ask: (1) how are we doing relative to other firms in the same industry (no one wants to be below average), and (2) is our risk posture improving (sinking or treading water is career limiting). On the first item, an objective grade (just like in school – A down to F) relative to peers is a useful way to convey a snapshot view. If a grade is unsatisfactory, you also want drill-down capabilities to understand why and guidance on how to push the grade upward—again, just like in school but without the stigma of inferiority.

On progress tracking, history is the barometer. Date stamps record when a vulnerability was identified, when remediation was completed, and when remediation was verified (i.e., re-scanned). While simple in concept, workflow integration is the glue that makes progress tracking real. Sorting and filtering by severity and progress will also allay fears of something important falling through the cracks. Finally, routines are truly only routine if they are automated. Policies that automatically and conditionally trigger scans make vulnerability scanning work for you rather than you working vulnerability scanning.
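To make the organizing and progress-tracking ideas above concrete, here is an added Python example; it is not code from the original post or from any scanning product. It takes a handful of constructed findings, weights scanner severity by business criticality to build a remediation queue, flags open findings that have exceeded an assumed per-severity SLA, lists assets whose fixes are awaiting a verification re-scan (a conditional scan trigger), and summarizes progress from the three date stamps. The field names, criticality tiers, weights, SLA days and sample findings are all assumptions chosen for illustration.

```python
"""Organize, prioritize and track vulnerability-scan findings (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed weights for the example; a real program would set these by policy.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
CRITICALITY_WEIGHT = {"tier1": 3, "tier2": 2, "tier3": 1}
# Assumed remediation SLA in days per scanner severity, and an assumed "today".
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TODAY = date(2024, 3, 15)


@dataclass
class Finding:
    finding_id: str
    asset: str
    asset_type: str
    business_criticality: str          # tier1 = most critical to the business
    severity: str                      # as reported by the scanner
    identified: date                   # first reported by a scan
    remediated: Optional[date] = None  # fix applied
    verified: Optional[date] = None    # re-scan confirmed the fix

    def status(self) -> str:
        if self.verified is not None:
            return "verified"
        if self.remediated is not None:
            return "remediated"
        return "open"

    def priority(self) -> int:
        # Severity alone ranks a critical on a dev VM above a high on the
        # payment database; weighting by business criticality fixes that.
        return SEVERITY_WEIGHT[self.severity] * CRITICALITY_WEIGHT[self.business_criticality]


def filter_findings(findings: List[Finding], *, severity: Optional[str] = None,
                    status: Optional[str] = None,
                    asset_type: Optional[str] = None) -> List[str]:
    """Sort/filter view: ids of findings matching every supplied criterion."""
    return [f.finding_id for f in findings
            if (severity is None or f.severity == severity)
            and (status is None or f.status() == status)
            and (asset_type is None or f.asset_type == asset_type)]


def work_queue(findings: List[Finding]) -> List[str]:
    """Everything not yet verified, highest priority first, older first on ties."""
    pending = [f for f in findings if f.status() != "verified"]
    pending.sort(key=lambda f: (-f.priority(), f.identified))
    return [f.finding_id for f in pending]


def overdue(findings: List[Finding], today: date, sla_days: Dict[str, int]) -> List[str]:
    """Open findings older than their severity's SLA: the ones at risk of being missed."""
    return [f.finding_id for f in findings
            if f.status() == "open" and (today - f.identified).days > sla_days[f.severity]]


def rescan_queue(findings: List[Finding]) -> List[str]:
    """Assets with fixes awaiting verification: condition for an automatic re-scan."""
    return sorted({f.asset for f in findings if f.status() == "remediated"})


def progress_summary(findings: List[Finding]) -> Dict[str, float]:
    """Counts per status plus mean days identified->remediated and remediated->verified."""
    summary: Dict[str, float] = {"open": 0, "remediated": 0, "verified": 0}
    for f in findings:
        summary[f.status()] += 1
    fix_days = [(f.remediated - f.identified).days for f in findings if f.remediated]
    verify_days = [(f.verified - f.remediated).days for f in findings if f.verified]
    summary["mean_days_to_remediate"] = sum(fix_days) / len(fix_days) if fix_days else 0.0
    summary["mean_days_to_verify"] = sum(verify_days) / len(verify_days) if verify_days else 0.0
    return summary


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("F-1", "pay-db-01", "database", "tier1", "critical", date(2024, 3, 1)),
    Finding("F-2", "web-01", "web server", "tier2", "high", date(2024, 3, 1),
            remediated=date(2024, 3, 8), verified=date(2024, 3, 10)),
    Finding("F-3", "dev-vm-07", "workstation", "tier3", "critical", date(2024, 3, 5)),
    Finding("F-4", "pay-db-01", "database", "tier1", "low", date(2024, 2, 20),
            remediated=date(2024, 3, 2)),
    Finding("F-5", "web-02", "web server", "tier2", "medium", date(2024, 3, 9)),
]

if __name__ == "__main__":
    print("work queue:", work_queue(SAMPLE))
    print("overdue:", overdue(SAMPLE, TODAY, SLA_DAYS))
    print("re-scan:", rescan_queue(SAMPLE))
    print("progress:", progress_summary(SAMPLE))
```

Note that the queue keeps F-4 (remediated but not yet verified) ahead of nothing and behind the open items, but it stays visible until a re-scan closes it; that is the "falling through the cracks" case the paragraph warns about.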
We don’t know what we don’t know.
Alas, such is the life and times of anyone in the fast-changing cybersecurity profession. Even if you are in command of all the cybersecurity tools you oversee, can you answer with confidence that your vulnerability scanning aligns with applicable regulations, and with changes in those regulations or in your firm’s circumstances (e.g., moving from Level 3 to Level 2 in PCI compliance)? No reason to fall on your sword; leverage the regulatory knowledge of your vulnerability scanning provider.
Scanning provides a view into which vulnerabilities exist, but another layer of visibility, into context and workflow integration, is also necessary. Best to keep that in mind as you assess how well your vulnerability scanning process meets your risk management objectives.