Improving Business Outcomes With VRM

Time and again, we hear from information security leaders who have invested in vulnerability risk management (VRM) technology and are now asking themselves whether the time, money, and resources put into VRM implementation are delivering on the promised value. In our opinion, they can and they must, but that requires aligning your business needs with the right technology.

Risk reduction, cost control, resource efficiency, and business strategy should all be served by your VRM technology and processes. But many businesses fail to realize this value. Why is that? Common reasons include:

  • Leadership and stakeholders outside the infosec team don’t understand the full scope of VRM and its impact on the business.
  • Your technology isn’t a fit for your business.
  • Your technology lacks innovation and/or fails to keep up with security trends.
  • You’re struggling to hire the right people with the right skills.
  • Competing IT demands on your infosec team are getting in the way of VRM.

So, what can be done?

Bridge the Gap with the Right VRM Technology

Ensure you select the right VRM solution for your business’s requirements and get maximum value from your VRM program with these steps:

1. Understand and communicate the full scope of VRM and its impact on the business.

The infosec team knows that VRM is more than scanning and penetration testing, but they require the support of other business leaders who frequently don’t understand the full scope of VRM. The first thing to do is make sure everyone is on the same page. Scanning and pen testing only give you limited information about your risk posture – by themselves, they won’t keep your business secure. In order to do that, you need VRM: an ongoing practice that is as much about people and processes as it is about technology. VRM includes detecting, classifying, prioritizing, and remediating security vulnerabilities, as well as managing workflow and communicating within and across teams. To do all of these things effectively, you need the right people, skills, and technology.

2. Align technology and resources with your business objectives.

When evaluating different VRM technologies, this is a step that often gets skipped. List the business demands that drive your need for a VRM solution in the first place. What’s most important to your business strategy? When you know what your business priorities are – be they cost control, resource efficiency, or risk reduction – you can make a more realistic assessment of whether a platform will solve your most important problems. If you’re using a checklist to evaluate your technology options, make sure that each criterion on your list maps clearly to the business needs you’ve identified.

For a sample checklist that outlines common business objectives and VRM technology benefits that can serve them, check out our free whitepaper.

3. Look to a SaaS solution to augment resources and keep up with the changing threat landscape.

As you compare technology options to your checklist, keep in mind that software-as-a-service (SaaS) solutions can often provide better customization and innovation than on-premises solutions. With better technology, you can take much of the burden of manual processes off of your infosec team so they are able to get to remediation faster and balance competing demands more effectively.

4. Define and measure VRM success.

Finally, use metrics to define and quantify the success of your VRM strategy. Without question, your technology should improve speed to remediation. You should also see measurable improvements in other areas. Establish baseline measurements for the business objectives you identified as most important, like costs, resource efficiency, and risk posture. As you evaluate VRM solutions, look for proof that they can drive measurable improvements in these areas.
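To make "speed to remediation" and "baseline measurements" concrete, here is an added example (not from the original post or from any particular VRM product) that computes the kind of metrics a VRM program can baseline and track: median time to remediate per severity, the share of findings closed within a remediation target, the open findings that are already overdue, and the relative change against a prior baseline. The findings, the report date and the per-severity targets in `SLA_DAYS` are constructed, illustrative values, not figures from the post.

```python
from datetime import date
from statistics import median

# Constructed sample of vulnerability findings (not real data). Each record has
# a severity, the date it was detected and the date it was closed (None while
# the finding is still open as of the reporting date).
FINDINGS = [
    {"id": "F-1", "severity": "critical", "detected": date(2024, 3, 1), "remediated": date(2024, 3, 4)},
    {"id": "F-2", "severity": "critical", "detected": date(2024, 3, 2), "remediated": date(2024, 3, 20)},
    {"id": "F-3", "severity": "high",     "detected": date(2024, 3, 3), "remediated": date(2024, 3, 18)},
    {"id": "F-4", "severity": "high",     "detected": date(2024, 3, 5), "remediated": None},
    {"id": "F-5", "severity": "medium",   "detected": date(2024, 3, 6), "remediated": date(2024, 4, 20)},
    {"id": "F-6", "severity": "low",      "detected": date(2024, 3, 7), "remediated": date(2024, 3, 9)},
]

# Assumed remediation targets in days per severity (illustrative; pick your own).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}

# Assumed reporting date used to age findings that are still open.
REPORT_DATE = date(2024, 4, 30)


def days_open(finding, as_of=REPORT_DATE):
    """Days from detection to closure, or to the report date if still open."""
    end = finding["remediated"] or as_of
    return (end - finding["detected"]).days


def median_time_to_remediate(findings):
    """Median days from detection to closure per severity (closed findings only)."""
    by_severity = {}
    for f in findings:
        if f["remediated"] is not None:
            by_severity.setdefault(f["severity"], []).append(days_open(f))
    return {sev: median(days) for sev, days in by_severity.items()}


def sla_attainment(findings, sla=SLA_DAYS, as_of=REPORT_DATE):
    """Fraction of findings closed within their target.

    Closed findings count as met or missed by their closure time. Open findings
    already past their target count as misses; open findings still within their
    target are undecided and excluded, so the rate is not flattered by new work.
    """
    met = total = 0
    for f in findings:
        limit = sla[f["severity"]]
        age = days_open(f, as_of)
        if f["remediated"] is not None:
            total += 1
            met += age <= limit
        elif age > limit:
            total += 1  # overdue and still open: a miss
    return met / total if total else 0.0


def overdue_open(findings, sla=SLA_DAYS, as_of=REPORT_DATE):
    """IDs of open findings that have exceeded their remediation target."""
    return [
        f["id"] for f in findings
        if f["remediated"] is None and days_open(f, as_of) > sla[f["severity"]]
    ]


def improvement(baseline, current):
    """Relative change of each metric against the baseline (negative = faster)."""
    return {k: (current[k] - baseline[k]) / baseline[k] for k in baseline if k in current}


if __name__ == "__main__":
    current = median_time_to_remediate(FINDINGS)
    # Assumed baseline from a prior quarter, before the new tooling was adopted.
    baseline = {"critical": 21.0, "high": 30.0}
    print("median days to remediate:", current)
    print("SLA attainment:", round(sla_attainment(FINDINGS), 2))
    print("overdue open findings:", overdue_open(FINDINGS))
    print("change vs. baseline:", improvement(baseline, current))
```

The design choice worth noting is how open findings are treated: counting them only once they are overdue keeps the attainment rate honest in both directions, so a platform cannot look better simply because a scan opened many fresh findings, and a backlog of old, unclosed items still shows up as misses and in the overdue list.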

For a sample checklist, recommended VRM metrics, and a more in-depth discussion of improving business outcomes with VRM, download our whitepaper now.