CISOs preach the need to get security fundamentals right, yet many still struggle to build a rock-solid vulnerability management program.

They can be stymied by the volume of vulnerabilities that need attention, or the pace required to address them, or the resources required to be effective.

Consider, for instance, the challenges that security teams had in addressing the Log4j vulnerabilities. A recent survey from (ISC)², a nonprofit association of certified cybersecurity professionals, found that 52% of respondents spent weeks or more than a month remediating Log4j.

Granted, the scope of the flaw is significant, but experts still say that the figure, along with other research and their own observations, shows many organizations are still maturing the processes they use to identify, prioritize, and fix security problems within the software they have.

The following best practices can help on that journey toward building an effective and efficient vulnerability management program.

Know your environment

Security experts stress the need for CISOs to have an accurate inventory of the tech environment they need to protect; this helps them know whether known and newly identified vulnerabilities exist within their technology stack.

That, however, remains easier said than done.

“Everyone says they have an inventory, but they usually need to go a little deeper. They don’t know what’s running under the covers. That continues to be the biggest challenge,” says Jorge Orchilles, a certified instructor with cybersecurity training firm SANS Institute, CTO of security tech company Scythe, and co-creator of the C2 Matrix project. “We’re getting compromised on things we simply didn’t know we had.”

He says he has seen mature security operations account for the major components of their environment yet overlook smaller elements and the code itself, an oversight that can—and, in fact, has—left critical vulnerabilities unpatched.

Orchilles advises security leaders to ensure that they have a detailed record of their tech environment, one that includes all components such as programming libraries (something that proved essential for organizations patching the Log4j vulnerability). Moreover, he says CISOs must be diligent about updating that record “whenever you put a new system out there.”

Have a real program (not just ad hoc work)

Scanning for vulnerabilities and remediating any vulnerabilities that come up may seem adequate, but advisors say that ad hoc approach is both inefficient and inadequate.

For example, security teams could spend valuable time patching vulnerabilities that pose a limited threat to their organizations instead of prioritizing a high-risk issue. Or they get bogged down in other projects and postpone vulnerability management work until their schedules free up.

To prevent such scenarios, CISOs should have a programmatic approach to vulnerability management, one that incorporates their organization’s tolerance for risk as well as its processes for prioritizing, remediating, and mitigating identified vulnerabilities, says Bryce Austin, who as CEO of TCE Strategy serves as a cybersecurity expert, risk consultant, and fractional CISO.

The program should also establish how often the organization performs vulnerability scans, and it should include schedules tied to vendors’ patch release dates.

A good vulnerability management program should have defined processes and policies, a chartered team, and governance, adds Farid Abdelkader, managing director of technology risk, IT audit & cybersecurity services at consulting firm Protiviti and president of the New York Metropolitan chapter of ISACA.

Abdelkader also advises CISOs to determine what “good looks like” using key performance indicators that can show how well they’re performing, identify areas for improvement, and then indicate progress over time.

Moreover, organizations with mature vulnerability management programs have a process for reporting their activities to enterprise executives so that they understand the importance of the program as well as its track record, says Austin, author of Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives.

That, he notes, helps ensure there’s effective oversight and that vulnerability management is treated like any other business risk within the organization.

Customize to the organization’s own risks

New vulnerabilities are constantly being identified. Combine those with the number of existing known vulnerabilities, and the volume of issues to be fixed becomes nearly impossible to tackle. So it’s critical to have a way to pinpoint the vulnerabilities that matter most and to prioritize remediation work, Abdelkader says.

“Understand the criticality of an incident. [Ask] what happens if there’s a breach? How does that impact the data? Or if systems go down? What kind of impact would that have to our business, our customers, or our reputation?” Abdelkader says. “Understand the true risk to those assets and the actual risk of those things happening.”

That work can be guided by the classifications—high, medium, low—offered by vulnerability scans, vendors, and other security outlets, but the process should account for the organization’s tolerance for risk, its technical environment, its industry, etc.

“The definition of critical must be interpreted,” Austin explains. “It has to be in the context of your company, of your critical assets and resources, your data, how much exposure a computer or system has to a critical threat.”

As he points out, a vulnerability present in an isolated, internal-only system poses a different level of risk than one in an internet-facing system; thus, each one should get a different level of prioritization for remediation that corresponds with its own risk.

That customization and prioritization based on an organization’s own risk profile doesn’t always happen, though, he adds. “I see a lot of vulnerability management programs start with a list of what the vulnerability scans find vs. what the critical risks to the organization actually are and what the company really cares about.”
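The contextual prioritization described above, as an added example that is not from the article or any of the experts quoted: scanner severity is re-weighted by whether the asset is internet-facing and how critical it is, then mapped onto a remediation deadline that expresses the organization's risk tolerance. The assets, findings, weights and deadline policy are constructed assumptions.

```python
"""Rank scanner findings by organizational risk, not scanner severity alone.

Added example (not from the article): asset context, weights and SLA policy
are constructed assumptions a program would set for itself.
"""

# Constructed asset inventory: the context a raw scan does not carry.
ASSETS = {
    "web-01": {"internet_facing": True,  "criticality": 3},
    "hr-db":  {"internet_facing": False, "criticality": 3},
    "lab-vm": {"internet_facing": False, "criticality": 1},
}

# Constructed scanner output: severity as the scanner or vendor labelled it.
FINDINGS = [
    {"id": "FINDING-1", "asset": "web-01", "scanner_severity": "high"},
    {"id": "FINDING-2", "asset": "lab-vm", "scanner_severity": "critical"},
    {"id": "FINDING-3", "asset": "hr-db",  "scanner_severity": "medium"},
]

SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}
CRITICALITY_WEIGHT = {1: 0.4, 2: 0.7, 3: 1.0}  # assumed business-impact tiers
# Risk tolerance as remediation deadlines (assumed policy): score >= 7 within
# 7 days, >= 4 within 30 days, anything else within 90 days.
SLA_DAYS = [(7.0, 7), (4.0, 30), (0.0, 90)]


def contextual_score(finding: dict, assets: dict = ASSETS) -> float:
    """Scanner severity adjusted by exposure and asset criticality."""
    asset = assets[finding["asset"]]
    base = SEVERITY_BASE[finding["scanner_severity"].lower()]
    # Internet-facing counts as fully exposed; isolated, internal-only at half.
    exposure = 1.0 if asset["internet_facing"] else 0.5
    return round(base * exposure * CRITICALITY_WEIGHT[asset["criticality"]], 2)


def sla_days(score: float) -> int:
    """Map a contextual score onto the organization's remediation deadline."""
    for threshold, days in SLA_DAYS:
        if score >= threshold:
            return days
    return SLA_DAYS[-1][1]


def prioritize(findings: list = FINDINGS, assets: dict = ASSETS) -> list:
    """Findings ordered by contextual risk, each with its score and deadline."""
    ranked = [{**f, "score": contextual_score(f, assets)} for f in findings]
    for r in ranked:
        r["sla_days"] = sla_days(r["score"])
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

With these inputs the scanner's "critical" on the isolated lab VM ranks last, behind a "medium" on the internal HR database and a "high" on the internet-facing web server.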

Revisit risks and priorities

Establishing the organization’s risk tolerance as well as creating a process for prioritizing work are both essential for a strong vulnerability management program. But those tasks can’t be viewed as one and done.

They should be revisited at least annually as well as anytime there’s a major change within the organization or its IT environment, Austin adds.

Use frameworks, systems

There is no need to reinvent the wheel for vulnerability management tasks: various organizations have developed frameworks and other systems to aid CISOs in managing them, says Jon Baker, co-founder and acting director of research and development of MITRE Engenuity’s Center for Threat-Informed Defense.

“These provide ways for defenders to look at vulnerabilities and understand how an adversary might use them, so you can use them to prioritize vulnerabilities and your responses,” Baker says.

MITRE, for one, has its Common Vulnerabilities and Exposures (CVE) system, which since 1999 has provided information on publicly known vulnerabilities and exposures (just as its name states) and has associated specific versions of code bases with those vulnerabilities.

There’s also NIST Special Publication 800-30, which organizations can use for conducting risk assessments.

Then there’s the Common Vulnerability Scoring System (CVSS), an open framework that organizations can use for assessing the severity of security vulnerabilities so they can be prioritized according to the level of threat.

MITRE also has its ATT&CK framework (which leverages CVE) that organizations can use to prioritize the vulnerabilities that need their attention as part of a comprehensive threat-informed defense strategy.

Consider vulnerabilities introduced by direct suppliers, third parties

As CISOs know, the Log4j vulnerability was so problematic in part because the Log4j library is so prevalent, existing in so many applications developed by both enterprise IT teams and by software vendors.

That threat, which surfaced in late 2021, also made clear to CISOs the need to understand, assess, prioritize, and mitigate vulnerabilities that exist within their vendors’ products and/or are introduced by third parties, Baker says.

He acknowledges that enterprise security teams run into challenges here, as enterprise security often may not know what vulnerabilities exist within vendor solutions and may not even be able to run vulnerability scans on those systems.

“We really lack transparency into the code and tools that are leveraged by the systems we rely on,” he says, noting that the software bill of materials (SBOM), the list of components in a piece of software, can provide some visibility in some cases.
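The inventory advice earlier on this page (a record that includes programming libraries) and the SBOM point here, as an added example that is not from the article or any vendor tool: walk a CycloneDX-style SBOM for a vendor product, including nested components, and report every copy of a named library whose version falls inside an advisory's affected range. The SBOM fragment and the advisory's version range are constructed placeholders, not the real Log4j ones.

```python
"""Find SBOM components inside an advisory's affected-version range.

Added example, not from the article or a vendor tool: the SBOM fragment and
the advisory's version range are constructed placeholders.
"""
import json
import re

# Constructed CycloneDX-style SBOM for a vendor product; the logging library
# sits one level down, where a scan of the enterprise's own hosts may miss it.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "vendor-portal", "version": "5.2"}},
  "components": [
    {"name": "vendor-web-core", "version": "5.2",
     "components": [
       {"name": "log4j-core", "version": "2.14.1"},
       {"name": "jackson-databind", "version": "2.13.0"}
     ]},
    {"name": "log4j-core", "version": "2.60.0"}
  ]
}
"""

# Constructed advisory: affected when the name matches and
# affected_from <= version < fixed_in (placeholder range, not the real one).
ADVISORY = {"name": "log4j-core", "affected_from": "2.0.0", "fixed_in": "2.50.0"}


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); a piece such as '0-rc1' keeps its leading digits."""
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in v.split("."))


def walk_components(components: list, path: str = ""):
    """Yield (path, component) for every component, recursing into nesting."""
    for comp in components:
        comp_path = f'{path}/{comp["name"]}@{comp.get("version", "?")}'
        yield comp_path, comp
        yield from walk_components(comp.get("components", []), comp_path)


def affected_components(sbom_text: str = SBOM_JSON, advisory: dict = ADVISORY) -> list:
    """Paths of components whose name and version fall inside the advisory range."""
    lo, hi = parse_version(advisory["affected_from"]), parse_version(advisory["fixed_in"])
    hits = []
    for comp_path, comp in walk_components(json.loads(sbom_text).get("components", [])):
        if comp["name"] == advisory["name"] and lo <= parse_version(comp.get("version", "0")) < hi:
            hits.append(comp_path)
    return hits
```

The path of each hit records where in the product the component sits, which is what the vendor conversation needs; the top-level copy at a version past the placeholder fix is correctly left out.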

Baker says he advises CISOs to review the agreements they have with vendors regarding the vendors’ role in managing vulnerabilities within their products and then, if necessary, seek to insert contractual language that limits the chances of a bug going unnoticed or unfixed.

“That’s part of your vulnerability management program: understanding how providers and third parties are tracking and prioritizing and patching vulnerabilities,” he says.

Establish checks and balances

Another best practice: Don’t assign vulnerability management to the IT team. Rather, security experts say the CISO should have a dedicated individual or team tasked with identifying vulnerabilities and prioritizing fixes as well as overseeing execution of remediation and mitigation.

“They need someone working in healthy tension to the teams doing the actual patching, because it is too easy for the infrastructure people whose job is going to be made harder by doing more patching, not less, to be rigorous with the vulnerability scans [and the follow-up work]. It’s just human nature,” Austin says. “Any self-policing function is much, much more vulnerable to apathy or, worst case, corruption. You need checks and balances.”

Others agree, noting that CISOs can opt for a managed security service provider (MSSP) to run their vulnerability management program and then work with internal infrastructure, engineering, and/or devops teams to execute the patches and handle any needed downtime and required testing.

Invest in tools, teams

Security experts stress that effective vulnerability management, like all else in security, needs the right people, processes, and technology.

They note that many organizations have pieces of all those but don’t always have all three working effectively together. For example, security teams typically have scanning tools but may not have introduced the automation needed to efficiently handle the workload, Baker says.

Moreover, Orchilles says CISOs and their organizations must commit to providing the resources required to make those teams successful “so it’s not a fire drill every month.”

Yes, he says, it might seem intuitive, but such advice isn’t always followed. For example, he has seen CISOs invest in a new tool but not in the staff needed to run the technology, the training needed to maximize its use, or the change management required.

“Tools won’t work without all the rest of that,” he adds.