
Three Components to Include in Your Threat and Vulnerability Management Program
Written by CISOSHARE
June 11, 2018
25 min read
Cybersecurity breaches are a constant risk for every organization. In addition to being an inconvenience to businesses, their clients, and negatively impacting their reputation, they’re incredibly expensive. Although the cost varies from one organization to the next, the 2017 Ponemon Cost of Data Breach Study estimates that the global average cost of a breach is $3.62 million.
In the U.S., the average cost of a breach is approximately $7.35 million, or an average of $255 per compromised record. Companies that have over 50,000 records compromised could incur costs of over $10.3 million.
It’s important to have processes in place so your organization can address incidents and breaches. Preventing these breaches in the first place, however, should be the foremost priority.
Threat and vulnerability management programs should help an organization work to prevent incidents and breaches. They can also help organizations preserve the confidentiality, integrity, and availability of an organization’s client information and essential data.
Threat and vulnerability management programs not only mitigate the risk of an information security breach; they are also required for compliance with many regulatory requirements.
The Three Major Activities in a Threat and Vulnerability Management
In order for a threat and vulnerability management program to be truly effective, it needs to cover three main activities. These are program governance, threat management, and vulnerability management.
Program Governance
Program governance helps ensure that the entire program is measurable. It lays out a charter, mission, and mandate for the program. It also describes the specific roles and responsibilities that are involved, as well as providing necessary oversight requirements.
The purpose of program governance is to establish metrics that can demonstrate the level of risk removed from the environment, as well as highlighting changes that need to be made.
Before your organization can determine how to mitigate threats and manage vulnerabilities, your organization must decide which assets need the most protection. This can be done by creating an IT asset inventory and mapping out all essential systems and devices attached to your network.
Your organization should also perform some form of discovery to identify things you may have never realized were connected to your network originally.
Threat Management
Threat management involves handling emerging threats and planning preventive measures. A threat is anything that may potentially exploit a vulnerability in the system, whether intentionally or accidentally. Threats can potentially obtain, cause damage to, or even destroy organizational assets.
The process of threat identification and profiling involves gathering information about potential threats or threat scenarios to help establish a proactive approach to preventing them from exploiting vulnerabilities. As with assets, these threats can be categorized and prioritized according to the potential risk they pose.
Vulnerability Management
Vulnerability management defines how an organization will manage identified vulnerabilities. A vulnerability is a weakness or gap in the system that can be exploited by a threat. Vulnerability management involves setting up responsive measures an organization can take to prioritize, remediate, and isolate potential vulnerabilities.
Vulnerability management involves scanning the environment for network vulnerabilities. These results gathered from these scans should be consolidated, normalized, and analyzed as one body so as to prevent confusion and a total data overload.
Vulnerabilities must be prioritized to avoid overwhelming the organization’s remediation efforts. Finally, vulnerabilities are to be remediated, patched, and constantly monitored.
None of these are one-time processes; they must be continually repeated to ensure the protection of all assets against newly-emerging threats and vulnerabilities.
Do you have questions about your organization’s threat and vulnerability management program? Schedule a quick call to learn more.