What is Risk-Based Vulnerability Management?

In today’s digital world filled with proliferating devices and escalating cyber risks, organizations across the globe are searching for the best way to manage threats and vulnerabilities. Using vulnerability scanners to identify unpatched software is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and mitigation actions that touch the entire ecosystem.

Regardless of which risk-based vulnerability management steps the enterprise puts in place, the overall objective is to achieve some degree of cyber-resilience by understanding the company’s security posture, identifying vulnerabilities, prioritizing actions, and setting to work mitigating those threats that pose the most serious risks to the organization.

Working toward cyber-resilience

As the newest emerging vulnerability management goal, cyber-resilience refers to an entity’s ability to use vulnerability assessment and vulnerability management to continuously deliver intended outcomes despite an ever-present wave of adverse cyber events.

Risk-based vulnerability management programs are aimed at addressing the security weaknesses that are inherent in software, devices, and IT infrastructure. These are the kinds of vulnerabilities that create opportunities for cyber-criminals and other adversaries to exploit weaknesses, and they may result in unauthorized access to a system or network, access to or theft of confidential data, or damage to valuable digital assets. Exploited vulnerabilities and breaches inevitably lead to regulatory problems, financial losses, and reputational impacts to the business.

Key risk-based vulnerability management strategies

If risk-based vulnerability management is aimed at detecting, removing, and controlling the inherent risk of vulnerabilities to an organization, then vulnerabilities in need of fixing must be prioritized based on which ones pose the most immediate risk. These can stem from unpatched operating systems, programs and apps running old software versions, or siloed applications plugged into a modern network. They can also include users who might bring infected devices into the network or share sensitive data inappropriately.

4 basic risk-based vulnerability management building blocks

  1. Visibility into everything (all assets) on the network or in the environment – managed and unmanaged (BYOD) devices, apps, users, and data.
  2. Scanning and monitoring across a broad range of attack vectors for each asset.
  3. Prioritizing results based on context – for each asset, this means knowing how critical it is to your business (the value of the asset); how vulnerable it is (the severity of the vulnerability); any existing security controls already in place; and any ongoing global threats.
  4. Guidance on the best approach as you work to mitigate identified vulnerabilities.
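To make the third building block concrete, the following is an added example (not from the original article or any vendor's scoring model) that ranks constructed findings by risk as likelihood x impact using the four inputs listed above: asset value, vulnerability severity, existing controls, and active threats. The multipliers, asset names and VULN-* identifiers are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str                # placeholder identifier, not a real CVE
    cvss: float                 # technical severity, 0.0 to 10.0
    asset_criticality: int      # business value of the asset, 1 (low) to 5 (critical)
    mitigated_by_control: bool  # a compensating control already reduces exposure
    actively_exploited: bool    # exploitation seen in the wild (threat intelligence)


def risk_score(f):
    """Risk = likelihood x impact, scaled to 0-100.
    Likelihood starts from technical severity, rises when the weakness is being
    exploited in the wild and falls when a control already mitigates it; impact
    comes from the asset's business criticality. Multipliers 1.5 and 0.3 are
    assumed for this illustration.
    """
    likelihood = f.cvss / 10.0
    if f.actively_exploited:
        likelihood = min(1.0, likelihood * 1.5)
    if f.mitigated_by_control:
        likelihood *= 0.3
    impact = f.asset_criticality / 5.0
    return round(likelihood * impact * 100, 1)


def prioritize(findings):
    """Order findings by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def by_cvss_only(findings):
    """The severity-only ordering the text says is no longer enough."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample findings; assets and identifiers are made up.
SAMPLE = [
    Finding("test-web-01", "VULN-A", 9.8, 1, False, False),   # critical CVSS, throwaway asset
    Finding("payments-db", "VULN-B", 7.5, 5, False, True),    # exploited in the wild, crown jewel
    Finding("payments-db", "VULN-C", 9.0, 5, True, False),    # same asset, but already mitigated
    Finding("hr-laptop-17", "VULN-D", 5.3, 3, False, False),  # moderate on a mid-value asset
]

if __name__ == "__main__":
    print("CVSS only :", [f.vuln_id for f in by_cvss_only(SAMPLE)])
    print("Risk-based:", [f.vuln_id for f in prioritize(SAMPLE)])
```

Run side by side, the two orderings show the point of the third building block: the finding with the highest CVSS score (on a low-value test host) drops to the bottom, while a medium-severity flaw that is actively exploited on a critical asset moves to the top.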

Food for thought …

As IBM CEO Ginni Rometty recently declared, “We believe that data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber-crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”

Risk-based vulnerability management best practices

Scanning the network for vulnerabilities or deploying multiple tools against the “threat of the week” as a one-size-fits-all approach no longer aligns with reality. Mobile and IoT devices often operate under the radar for such security tools, as do public cloud resources, software-as-a-service applications, and industrial control systems.

So what approach makes the most sense, and how do you maintain accurate, real-time visibility across your dynamic attack surface?

  • You can’t secure what you can’t see. Network visibility is critical to removing security blind spots, and this means being able to “see” all endpoints and traffic that traverse the company network, even extending into the public cloud.
  • With everything digital and cybersecurity threats so widespread, it’s crucial for organizations to have full visibility into all of their digital assets and to understand the risks associated with them.
  • Vulnerability management needs to be a proactive (not a reactive) program that covers the entire ecosystem, securing an organization’s network, data, devices, and users.
  • Vulnerability management needs to continually scan, monitor, and evolve across a broad range of attack vectors.
  • Vulnerability management needs to help you understand and prioritize the risks to every network, device, user, and asset, so that you can focus your efforts on the most important things.

In short, the best vulnerability management programs are designed to defend and protect the entire ecosystem, continuously vigilant, proactive, and resilient as the threat landscape evolves over time.

Frequently Asked Questions

What is risk-based vulnerability management?

Risk-based vulnerability management is the process of detecting, removing, and controlling vulnerabilities based on the risk they pose to your organization. Risk-based vulnerability management provides complete visibility of your attack surface by automatically and continuously identifying your security weaknesses so you can prioritize remediations based on risk criticality and business impact. With a risk-based vulnerability management program, security teams can manage risk at scale and avoid wasting time fixing vulnerabilities that pose little or no threat to their organization.

How can you manage vulnerabilities?

To manage vulnerabilities, you need to start with an accurate inventory of your different asset types: managed and unmanaged, IoTs, infrastructure, on-premises and in the cloud, fixed and mobile, containers, and BYOD devices. With visibility of your entire network, you can identify vulnerabilities due to attack vectors for each asset, and prioritize them based on how critical your asset is to your business, the severity of the vulnerability, any existing controls already in place, and any ongoing global threats. Armed with this information, your security team will be better equipped to remediate vulnerable assets in an efficient manner.

What is the difference between risk and vulnerability?

Risk is the potential for loss or damage of an asset caused by a cyber threat. An organization’s risk can fluctuate due to external and internal environmental factors and incorporates both the probability of a negative event and the impact it would have on your infrastructure. A vulnerability is a gap or weakness in your infrastructure or IT security efforts that opens you up to potential threats or increased risk. These vulnerabilities can stem from unpatched operating systems, programs and apps running old software versions, or siloed applications plugged into a modern network, as well as from users who might bring infected devices into your network or share sensitive information.
