Back to Blog
15 Feb 2022

5 questions to size up your vulnerability management program

Vulnerability management is a key part of a proactive cyber security defence.. But how do you get the most out of your program? Ask yourself these 5 questions to size up the maturity of your vulnerability management program.


1. How often do you scan most of your assets?

How many assets your business scans and how often, is generally where the journey to maturity starts. Asking your cyber security or IT team this question gives you a clear understanding of what resources you currently have. It also helps you understand what you’ll most likely achieve, as well as the metrics you can attain. Just remember that the more time between the scans, the longer vulnerabilities will sit in your system unnoticed and unpatched. Risks need to be quantified, but identifying these risks rapidly is equally important.


2. What percentage of open vulnerabilities are you capturing?

When deciding order of prioritisation, authentication will always be the first factor to take into account as vulnerabilities that can’t be visibly seen can’t be quantified. Authenticate at any opportunity, especially when risk reduction is the main goal.

Ultimately diving right in and factoring in all these details will give you a comprehensive assessment on an asset. And that’s what’s going to allow you to know where the risks are, what assets or business functions have been affected, and finally what actions you’ll need to take to remediate and reduce the risks.


3. How quickly are you attending to high-risk vulnerabilities?

It’s crucial that high-risk assets are targeted for remediation first. Reducing risks effectively can only be accomplished when you understand how quickly you’re identifying high-risk assets and how critical they are to your business functions.

So how can you understand the nature of a threat? It generally involves insight into the characteristics of the vulnerability that makes it lucrative to attackers. It also involves threat intelligence into malware activity that’s active on your user devices in relation to that specific vulnerability.


4. What percentage of assets are equipped with endpoint protection?

Although there are many advanced security solutions available, endpoint security is a fundamental part to created a layered defence of security. But only 44% security leaders can safely say they have good visibility into the security of their critical assets. It’s important for you to know if your systems are equipped with required security programs and you should also be kept aware of any unauthorised or dangerous software installed on those assets. If you’re not asking yourself this question, then you might not know if the controls needed are in place where you expect them to be.


5. Are you reducing cyber risk across key business functions?

Only 4 in 10 security leaders can confidently answer “How secure or at risk are we”. Worrying isn’t it? It’s critical for executives to understand if risk is actually being reduced across business functions. Why? Because it establishes value and ROI in terms of the budget for the security program.

And at a strategic level, this understanding gives the leadership team informed decisions on the performance of the program in specific areas. Therefore being able to replicate this to other areas which might not be performing as well. And those that are responsible for the remediation and patching also need to understand how all efforts are contributing to the success and how updates are being communicated to management.

If you’re looking to learn more on vulnerability management, contact our cyber experts today.



By OryxAlign