There is always a race between evolving threats, risks and the ways to mitigate them. Adopting a comprehensive approach to risk management is crucial to safeguarding an organization's crown jewels and maintaining operational resiliency. Central to this approach is integrating a robust vulnerability management lifecycle into the broader Enterprise Risk Management (ERM) framework, so that vulnerability management becomes a key component of the organization's risk management. However, many organizations still struggle to implement comprehensive vulnerability management strategies due to financial constraints.
Effective vulnerability management does not have to be expensive. Organizations can build a strong vulnerability management lifecycle without expensive tools by leveraging existing resources, optimizing internal processes and fostering a security-aware culture.
This blog post explores the importance of integrating the vulnerability management lifecycle into ERM, outlines the key lifecycle components, quantifies risks using metrics and provides actionable insights for effective implementation.
Let’s first understand the Vulnerability Management Lifecycle. It consists of several key phases:
- Identify - Vulnerabilities can be discovered through various methods, including scanning tools, penetration testing, configuration reviews or manual assessments. Some of the key metrics in this phase are:
  - Total vulnerabilities identified within a period (weekly/monthly/yearly)
  - Asset coverage (scanned vs. total assets)
  - Mean time to detect (MTTD)
How can these metrics be linked to risk management?
These metrics can help organizations understand their overall exposure levels and attack surface. This can serve as a starting point for building their risk inventory.
- Assess - Even without automated prioritization tools, there are cost-effective ways to assess priorities. CVSS scores are a useful indicator, but they should not be the only factor in prioritization. Organizations should also consider contextual threat intelligence and risk impact. For example, a vulnerability with a low CVSS score that is actively exploited should be prioritized for remediation. Some of the key metrics from this phase would be:
  - Percentage of exploitable vulnerabilities (linked to known exploits)
  - Vulnerabilities affecting the crown jewels
  - Business Impact Score: a qualitative risk rating based on operational impact
  - Percentage of emerging threats tracked against your critical assets
  - Vulnerability patch response times defined in the vulnerability management policies
  - Threat intelligence correlations
How can these metrics be linked to risk management?
The metrics in the “assess” phase can help organizations get a risk-based view of vulnerabilities, allowing leadership to focus on business-critical exposures.
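As an added example (not code from the original post), the following Python script shows one way to turn the "assess" guidance above into a repeatable ranking: CVSS is the starting point, but known active exploitation, crown-jewel exposure and the qualitative Business Impact Score each raise the priority, so a low-CVSS finding that is actively exploited is not left at the bottom of the queue. The CVSS v3 severity bands are the standard ones; the escalation weights, tier thresholds, the `Finding` fields and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploited_in_wild: bool  # threat-intel correlation: known active exploitation
    crown_jewel: bool        # the affected asset is business-critical
    business_impact: str     # qualitative Business Impact Score: "low" | "medium" | "high"


# Weight of the qualitative Business Impact Score (assumed scale).
IMPACT_WEIGHT = {"low": 0, "medium": 1, "high": 2}


def cvss_band(score: float) -> int:
    """Map a CVSS v3 base score to its qualitative rating as an ordinal 0..4
    (None, Low, Medium, High, Critical) using the standard v3 bands."""
    if score <= 0.0:
        return 0
    if score < 4.0:
        return 1
    if score < 7.0:
        return 2
    if score < 9.0:
        return 3
    return 4


def priority_score(f: Finding) -> int:
    """Contextual priority: CVSS band plus escalations for active exploitation,
    crown-jewel exposure and business impact (weights are assumptions)."""
    score = cvss_band(f.cvss)
    if f.exploited_in_wild:
        score += 2   # active exploitation outweighs a low CVSS score
    if f.crown_jewel:
        score += 2   # exposure on a business-critical asset
    score += IMPACT_WEIGHT[f.business_impact]
    return score


def priority_tier(f: Finding) -> str:
    """Collapse the score into the remediation tiers a policy would define (assumed thresholds)."""
    s = priority_score(f)
    if s >= 6:
        return "P1"
    if s >= 4:
        return "P2"
    if s >= 2:
        return "P3"
    return "P4"


def prioritized(findings):
    """Remediation queue, highest contextual priority first (stable for ties)."""
    return sorted(findings, key=priority_score, reverse=True)


def pct_exploitable(findings) -> float:
    """'Assess' metric: share of findings linked to known exploitation."""
    return sum(f.exploited_in_wild for f in findings) / len(findings)


def crown_jewel_findings(findings):
    """'Assess' metric: findings that affect crown-jewel assets."""
    return [f for f in findings if f.crown_jewel]


# Constructed sample findings (illustrative, not real scan output).
FINDINGS = [
    Finding("F-1", "hr-portal", 9.8, False, False, "low"),    # critical CVSS, no known exploitation
    Finding("F-2", "vpn-gw",    3.5, True,  False, "medium"), # low CVSS but actively exploited
    Finding("F-3", "erp-db",    5.0, True,  True,  "high"),   # medium CVSS on a crown jewel, exploited
    Finding("F-4", "wiki",      6.1, False, False, "low"),    # medium CVSS, no context raising it
]

if __name__ == "__main__":
    for f in prioritized(FINDINGS):
        print(f"{priority_tier(f)} score={priority_score(f):2d} {f.finding_id} ({f.asset}, CVSS {f.cvss})")
    print(f"exploitable: {pct_exploitable(FINDINGS):.0%}, crown-jewel findings: "
          f"{[f.finding_id for f in crown_jewel_findings(FINDINGS)]}")
```

With these weights the actively exploited CVSS 3.5 finding lands in the same tier as the unexploited CVSS 9.8 one, and the crown-jewel finding tops the queue even though its CVSS is only 5.0; the two "assess" metrics (share of exploitable findings, findings on crown jewels) fall out of the same inventory.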
- Remediate - The organization should remediate all prioritized vulnerabilities through patch management or other relevant mitigation strategies during this phase. Some of the key metrics can include:
  - Mean Time to Remediate/Resolve (MTTR): the time elapsed between detecting a vulnerability and remediating it
  - Patching success rate: measures the effectiveness of the patch management process
  - Remediation rate by severity: the percentage of vulnerabilities remediated at each severity level (High, Medium or Low)
  - Exceptions and deferred vulnerabilities: all vulnerabilities postponed due to business or system constraints
How can these metrics be linked to risk management?
This phase reflects how effectively an organization is treating its known risks. For example, MTTR can serve as a Key Risk Indicator (KRI) that shows whether the organization is responding to known risks within acceptable tolerance levels, and it can alert executive leadership to areas needing faster response times. Similarly, the patching success rate aligns with compliance assessments such as ISO 27001 and NIST, and provides assurance that remedial efforts are reducing risk exposure.
- Verify - Once the prioritized vulnerabilities are remediated, verifying and retesting them is imperative. The methods listed in Phase 1 (Identify) can achieve this. Key metrics can include:
  - Retest/rescan pass rate: percentage of remediated vulnerabilities that pass the rescans/retests
  - Reopened vulnerabilities: number of vulnerabilities that reappear after being marked as remediated
  - Security configuration compliance: the number or percentage of systems adhering to security baselines such as ISO 27001, CIS, etc.
  - Percentage decrease in vulnerabilities over a period of time
How can these metrics be linked to risk management?
The metrics in the "verify" phase can help organizations have an audit trail for security improvements and compliance tracking.
- Report & Improve - Maintain records and refine processes. Key metrics can include:
  - Percentage of vulnerabilities meeting compliance standards such as ISO 27001, PCI DSS and NIST: helps organizations understand what must still be achieved to meet those standards
  - Remediation budget vs. reduction in vulnerabilities: organizations can use this to evaluate the return on investment of their vulnerability management efforts
How can these metrics be linked to risk management?
These metrics can help risk leaders and CISOs justify security investments and demonstrate risk reduction and compliance to executives and/or the board.
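The lifecycle metrics named across the Identify, Remediate, Verify and Report phases above can all be derived from one tracked inventory. The following Python script is an added example, not part of the original post: it computes asset coverage, MTTD, MTTR, patching success rate, remediation rate by severity, deferred exceptions, rescan pass rate and reopened count from a constructed set of records, and checks MTTR against a policy tolerance the way a KRI would be evaluated. The `Record` fields, the sample data and the tolerance value are assumptions; MTTD is measured here from advisory disclosure to first detection, and MTTR from detection to remediation, as the post defines it.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Record:
    vuln_id: str
    asset: str
    severity: str                  # "High" | "Medium" | "Low"
    disclosed: date                # advisory / CVE publication date
    detected: date                 # first seen by scan, pentest or review
    remediated: Optional[date]     # None while still open
    patch_attempted: bool          # a patch was deployed for it
    patch_succeeded: bool          # ... and installed cleanly
    rescan_passed: Optional[bool]  # None until verification has run
    deferred: bool                 # accepted exception / postponed
    reopened: bool                 # reappeared after being marked remediated


# Constructed sample inventory (illustrative, not real scan data).
TOTAL_ASSETS = 5   # assumed size of the asset register; only three of them appear below
RECORDS = [
    Record("V-1", "web-01", "High",   date(2024, 3, 1),  date(2024, 3, 3),  date(2024, 3, 8),  True,  True,  True,  False, False),
    Record("V-2", "web-01", "Medium", date(2024, 3, 1),  date(2024, 3, 3),  None,              True,  False, None,  False, False),
    Record("V-3", "db-01",  "High",   date(2024, 2, 20), date(2024, 3, 5),  None,              False, False, None,  True,  False),
    Record("V-4", "db-01",  "Low",    date(2024, 3, 4),  date(2024, 3, 5),  date(2024, 3, 9),  True,  True,  False, False, True),
    Record("V-5", "app-02", "Medium", date(2024, 3, 10), date(2024, 3, 11), date(2024, 3, 15), True,  True,  True,  False, False),
]


# Identify phase
def asset_coverage(records, total_assets: int) -> float:
    """Scanned (i.e. seen in findings) assets as a fraction of the asset register."""
    return len({r.asset for r in records}) / total_assets


def mean_time_to_detect_days(records) -> float:
    """MTTD: days from advisory disclosure to first detection, averaged over all records."""
    return mean((r.detected - r.disclosed).days for r in records)


# Remediate phase
def mean_time_to_remediate_days(records) -> Optional[float]:
    """MTTR: days from detection to remediation, averaged over closed records only."""
    closed = [(r.remediated - r.detected).days for r in records if r.remediated is not None]
    return mean(closed) if closed else None


def patching_success_rate(records) -> Optional[float]:
    attempted = [r for r in records if r.patch_attempted]
    return sum(r.patch_succeeded for r in attempted) / len(attempted) if attempted else None


def remediation_rate_by_severity(records) -> dict:
    rates = {}
    for sev in ("High", "Medium", "Low"):
        group = [r for r in records if r.severity == sev]
        if group:
            rates[sev] = sum(r.remediated is not None for r in group) / len(group)
    return rates


def deferred_count(records) -> int:
    return sum(r.deferred for r in records)


def mttr_within_tolerance(records, tolerance_days: float) -> bool:
    """KRI check: is the organization closing known risks inside the policy response time?"""
    mttr = mean_time_to_remediate_days(records)
    return mttr is not None and mttr <= tolerance_days


# Verify phase
def rescan_pass_rate(records) -> Optional[float]:
    verified = [r for r in records if r.remediated is not None and r.rescan_passed is not None]
    return sum(r.rescan_passed for r in verified) / len(verified) if verified else None


def reopened_count(records) -> int:
    return sum(r.reopened for r in records)


# Report phase: one dictionary that can feed a risk register or board report
def lifecycle_report(records, total_assets: int) -> dict:
    return {
        "asset_coverage": asset_coverage(records, total_assets),
        "mttd_days": mean_time_to_detect_days(records),
        "mttr_days": mean_time_to_remediate_days(records),
        "patching_success_rate": patching_success_rate(records),
        "remediation_rate_by_severity": remediation_rate_by_severity(records),
        "deferred": deferred_count(records),
        "rescan_pass_rate": rescan_pass_rate(records),
        "reopened": reopened_count(records),
    }


if __name__ == "__main__":
    for key, value in lifecycle_report(RECORDS, TOTAL_ASSETS).items():
        print(f"{key}: {value}")
    print("MTTR within 7-day tolerance:", mttr_within_tolerance(RECORDS, 7))
```

On the sample data, coverage is 60% (two assets in the register were never scanned), MTTR averages about 4.3 days, one High finding sits in the deferred-exception list, and one remediated finding failed its rescan and has reopened; each of those is the kind of figure the post suggests feeding into the risk inventory and KRI reporting.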
Linking each vulnerability to its impact on business objectives is a straightforward approach to prioritizing remediation and inferring the risk to the organization. By integrating the metrics from vulnerability management into Enterprise Risk Management, organizations can enhance their risk-based decision-making, reduce security exposure and improve overall cybersecurity resilience.
Author’s note: The views expressed in this article are mine and do not necessarily represent the views of my employer.