Improving Business Outcomes With VRM
- Apr 18, 2016
- Michael Tucker
Time and again, we hear from information security leaders who have invested in vulnerability risk management (VRM) technology and are now asking themselves whether the time, money, and resources put into VRM implementation are delivering on the promised value. In our opinion, they can and they must, but that requires aligning your business needs with the right technology.
Risk reduction, cost control, resource efficiency, and business strategy should all be served by your VRM technology and processes. But many businesses fail to realize this value. Why is that? Common reasons include:
So, what can be done?
Ensure you select the right VRM solution for your business’s requirements and get maximum value from your VRM program with these steps:
The infosec team knows that VRM is more than scanning and penetration testing, but they require the support of other business leaders who frequently don’t understand the full scope of VRM. The first thing to do is make sure everyone is on the same page. Scanning and pen testing only give you limited information about your risk posture – by themselves, they won’t keep your business secure. In order to do that, you need VRM: an ongoing practice that is as much about people and processes as it is about technology. VRM includes detecting, classifying, prioritizing, and remediating security vulnerabilities, as well as managing workflow and communicating within and across teams. To do all of these things effectively, you need the right people, skills, and technology.
When evaluating different VRM technologies, this is a step that often gets skipped. List the business demands that drive your need for a VRM solution in the first place. What’s most important to your business strategy? When you know what your business priorities are – be they cost control, resource efficiency, or risk reduction – you can make a more realistic assessment of whether a platform will solve your most important problems. If you’re using a checklist to evaluate your technology options, make sure that each criterion on your list maps clearly to the business needs you’ve identified.
For a sample checklist that outlines common business objectives and VRM technology benefits that can serve them, check out our free whitepaper.
As you compare technology options to your checklist, keep in mind that software-as-a-service (SaaS) solutions can often provide better customization and innovation than on-premise solutions. With better technology, you can take much of the burden of manual processes off of your infosec team so they are able to get to remediation faster and balance competing demands more effectively.
Finally, use metrics to define and quantify the success of your VRM strategy. Without question, your technology should improve speed to remediation. You should also see measurable improvements in other areas. Establish baseline measurements for the business objectives you identified as most important, like costs, resource efficiency, and risk posture. As you evaluate VRM solutions, look for proof that they can drive measurable improvements in these areas.
For a sample checklist, recommended VRM metrics, and a more in-depth discussion of improving business outcomes with VRM, download our whitepaper now.