How to Build a Vulnerability Management Program: Piecing Together the Vulnerability Management Puzzle

Do you prefer videos? Watch the live discussion we hosted on this topic, supported by insight and recommendations from an industry expert.

If you drop all the pieces of a large puzzle on a table and look at them individually, it’s almost impossible to see the full picture. You can start by picking up pieces and trying to fit them together, but it’s not until you’re organizing the pieces and prioritizing where to begin that you understand what is being created. Slowly but surely each piece connects to another and the image becomes clear.

Now, imagine a vulnerability management program in the same way.

Before you start building your vulnerability management program, it’s important to map out how the program will look. Vulnerability management is the process in which vulnerabilities in IT (weaknesses in one or more assets that can be exploited) are identified and their risk is evaluated. People often confuse vulnerability management with vulnerability scanning, but they aren’t the same. Vulnerability scanning is only one piece of the larger vulnerability management puzzle; vulnerability management also incorporates activities like risk acceptance and remediation.1

As cyberattacks increase, organizations face increasing pressure to devote more time and attention to information security. An effective vulnerability management process should be part of that effort, helping you understand and control where the information security risks in your organization lie. Identifying and mitigating IT risks can prevent attackers from penetrating your networks and stealing critical or private information.

So, where do I start?

The objective of a vulnerability management program is to detect and remediate vulnerabilities before they are exploited. With such a big objective, it can be challenging to know where to start.

Here are five things to consider when planning your vulnerability management program:

Start at the end

When you start putting together a puzzle, you usually look at the picture on the box and visualize what your end result will be. Do the same with your vulnerability management program. Before you dive into the five W’s of your vulnerability management program, start your plan at the finish line. Set the intention or goal of your program and work backwards.

A great place to start is by mocking-up your dream dashboard. Most organizations look at their data and then determine how to present it in a meaningful way. This can be a good start, but it leaves you analyzing data that you already know, just in a different way. You need to go deeper.

Think about the data you would love to have access to and how you want to present it to executives. This is your dream dashboard. It should be able to show stakeholders what you’re envisioning and working towards. Once you know what you’re working towards, you can find the right tools to help you get that data.

Now that you know what data you need, it’s time to analyze.

Understanding how a vulnerability would impact the critical business functions of your organization is key to prioritizing risk. Vulnerability counts are often a vanity metric when they lack context. As a company scales, the number of vulnerabilities is expected to grow too, but looking solely at counts doesn’t let you track progress against your real objective, which is to reduce overall risk. If counts are all you track, you may not actually be using your resources in the way that delivers the greatest risk reduction over time.

For example, if you add risk scores into the mix, you may find that you are actually reducing risk over time, despite the increasing number of vulnerabilities. Your IT team may have recently tackled a giant vulnerability on a critical system that they’ve been trying to patch for weeks or sometimes, even months! You wouldn’t know this if you only looked at the number. You wouldn’t have seen how critical this remediation was and how it played a role in reducing your organization’s overall risk. Adding context to your vulnerabilities gives you a better sense of where the riskiest vulnerabilities are for your organization, allowing you to make better remediation decisions.
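The count-versus-risk point above, as an added illustration that is not part of the original article: each finding is weighted by a CVSS-style base score and by the binary asset classification discussed later (core-data system or not). The weighting factors, asset names and the two weekly snapshots are constructed for the example, and the weights are an assumption rather than any standard.

```python
from dataclasses import dataclass

# Assumed weighting: a finding on a core-data system counts 3x (constructed
# policy for this example, not a standard scoring scheme).
CRITICAL_WEIGHT = 3.0
NONCRITICAL_WEIGHT = 1.0


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    asset: str
    cvss: float            # base score, 0.0 to 10.0
    critical_asset: bool   # result of the yes/no asset classification


def risk_score(v: Vuln) -> float:
    """Severity with asset context: the same CVE on a core system outranks it on a kiosk."""
    weight = CRITICAL_WEIGHT if v.critical_asset else NONCRITICAL_WEIGHT
    return v.cvss * weight


def prioritized(vulns):
    """Remediation order: highest contextual risk first."""
    return sorted(vulns, key=risk_score, reverse=True)


def snapshot_metrics(vulns):
    """What the dashboard should show: the raw count next to the aggregate risk."""
    return {"count": len(vulns), "risk": round(sum(risk_score(v) for v in vulns), 1)}


def compare(before, after):
    """Trend between two snapshots; a positive count delta can coexist with falling risk."""
    b, a = snapshot_metrics(before), snapshot_metrics(after)
    return {"count_delta": a["count"] - b["count"],
            "risk_delta": round(a["risk"] - b["risk"], 1)}


# Constructed snapshots. In week 2 the critical ERP database finding (V-1) was
# patched while two low-impact findings appeared on non-critical systems.
WEEK1 = [
    Vuln("V-1", "erp-db-01", 9.8, True),
    Vuln("V-2", "web-03", 7.5, False),
    Vuln("V-3", "kiosk-07", 5.3, False),
]
WEEK2 = [
    Vuln("V-2", "web-03", 7.5, False),
    Vuln("V-3", "kiosk-07", 5.3, False),
    Vuln("V-4", "print-02", 4.3, False),
    Vuln("V-5", "dev-11", 6.1, False),
]

if __name__ == "__main__":
    print("week 1:", snapshot_metrics(WEEK1))
    print("week 2:", snapshot_metrics(WEEK2))
    print("trend :", compare(WEEK1, WEEK2))
    print("order :", [v.vuln_id for v in prioritized(WEEK1)])
```

Run as written, the count goes up by one between the snapshots while the weighted risk falls by 19.0, which is exactly the situation the paragraph describes: a count-only dashboard would report the week as a regression.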

For the most part, the intention of your program will be to minimize vulnerability-related risks and effectively communicate the results with the rest of the organization. A program is only as successful as the results that you’re able to share and the reasoning behind the decisions you made to remediate, or not to remediate, vulnerabilities.


Take stock of all your puzzle pieces! We know, classifying assets can seem like a tedious project, but it is critical for vulnerability management. It is one of the most important steps in helping your IT team prioritize vulnerabilities.

The key is to start somewhere. Your team won’t be able to get everything done on Day 1, but that’s OK. A good place to start is with a simple binary classification. Identify what your core business data is, what systems this data is stored on, who has access to these systems and whether you can restrict that access. From that point, you can work in a phased approach to tag these systems through a simple yes/no classification based on criteria such as business criticality or decommissioned statuses.

With a more defined scope, your IT team can make better use of its limited resources and prioritize its efforts to remediate the RIGHT risks.


You have all the puzzle pieces flipped upright, now it’s time to map out how they connect. The success of your vulnerability management program can only go as far as the processes you have defined to guide your teams. Some of the most common processes that should be mapped out include:

  • Policy definition: Map out how vulnerability management processes are defined, updated, and approved. Is there a process around when these policies should be revisited and optimized?
  • Vulnerability prioritization and assignment: Define how you prioritize remediation activities and the assignment of tickets to your IT team. Do you currently have a tool that automates this process and someone who manages this tool?
  • Remediation process: Define what remediation looks like and what SLAs you’re tracking. Also go one step further to determine what happens when they are missed and who the issue should be escalated to.
  • Exception management: Sometimes you need to define vulnerability exceptions to avoid creating larger problems on your systems. You should define the exception request and approval
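The prioritization, remediation SLA and exception processes listed above, as an added example that is not part of the original article. The SLA durations, the escalation target, the asset and team names and the dates are all constructed for the example; the CVSS cut-offs used for the severity bands follow the usual qualitative ranges. The block also handles the edge case the exception process needs to cover: an exception that has expired no longer shields a finding from escalation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation SLAs in days per severity band (constructed policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
BAND_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
STATUS_ORDER = {"overdue": 0, "open": 1, "excepted": 2}


def severity_band(cvss: float) -> str:
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


@dataclass(frozen=True)
class RiskException:
    """Approved exception: the finding stays visible but is not escalated until it expires."""
    vuln_id: str
    approved_by: str
    expires: date
    reason: str


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    asset: str
    cvss: float
    owner: str                        # asset owner who gets the remediation ticket
    detected: date
    remediated: Optional[date] = None


def evaluate(findings, exceptions, today, escalation_owner="security-officer"):
    """Build the worklist: due date from the SLA, status, and who currently holds the ticket."""
    active = {e.vuln_id: e for e in exceptions if e.expires >= today}   # expired ones drop out
    worklist = []
    for f in findings:
        if f.remediated is not None:
            continue                                   # closed, nothing left to track
        band = severity_band(f.cvss)
        due = f.detected + timedelta(days=SLA_DAYS[band])
        if f.vuln_id in active:
            status, assignee = "excepted", f.owner
        elif today > due:
            status, assignee = "overdue", escalation_owner   # missed SLA: escalate
        else:
            status, assignee = "open", f.owner
        worklist.append({
            "vuln_id": f.vuln_id, "asset": f.asset, "band": band,
            "due": due.isoformat(), "days_remaining": (due - today).days,
            "status": status, "assigned_to": assignee,
        })
    # Overdue items first, then by severity, then by soonest due date.
    worklist.sort(key=lambda r: (STATUS_ORDER[r["status"]], BAND_RANK[r["band"]], r["days_remaining"]))
    return worklist


# Constructed data: four open findings, one already remediated, two exceptions
# (one still valid, one that expired before "today").
TODAY = date(2024, 3, 1)
FINDINGS = [
    Finding("F-1", "erp-db-01", 9.8, "dba-team", date(2024, 2, 10)),
    Finding("F-2", "web-03", 7.5, "web-team", date(2024, 2, 20)),
    Finding("F-3", "legacy-app-02", 5.3, "app-team", date(2023, 11, 1)),
    Finding("F-4", "kiosk-07", 4.0, "retail-it", date(2023, 10, 1)),
    Finding("F-5", "web-03", 6.1, "web-team", date(2024, 1, 5), remediated=date(2024, 1, 20)),
]
EXCEPTIONS = [
    RiskException("F-3", "risk-officer", date(2024, 6, 30), "vendor patch breaks integration; compensating control in place"),
    RiskException("F-4", "risk-officer", date(2024, 2, 1), "system scheduled for decommission"),
]


def worklist_summary(findings=FINDINGS, exceptions=EXCEPTIONS, today=TODAY):
    """Compact view keyed by finding id: (status, current assignee)."""
    return {r["vuln_id"]: (r["status"], r["assigned_to"]) for r in evaluate(findings, exceptions, today)}


if __name__ == "__main__":
    for row in evaluate(FINDINGS, EXCEPTIONS, TODAY):
        print(row)
```

With the constructed data, F-1 missed its seven-day critical SLA and F-4's exception lapsed on 1 February, so both are reassigned to the escalation owner; F-3 remains with its asset owner under a valid exception, and F-2 is still within its SLA. Whoever runs this as a scheduled job has the "what happens when the SLA is missed and who it goes to" question answered in code rather than left to memory.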


Puzzles are always easier when you’re working with someone else. If you divide and conquer, you’ll get the job done more efficiently and have a better chance at seeing all the components that you may have missed on your own.

The same is true for your vulnerability management process. When building a vulnerability management process, the following roles should be identified and assigned, even if one person takes on multiple roles:

  • Security Officer: This is your program champion who convinces the organization about the benefits of investing time, resources and budget.
  • Risk Officer: This person might not be driving the project, but usually has a vested interest in it, especially as boards continue to demand more transparency.
  • Vulnerability Manager: This person typically owns most of the vulnerability management program and works closely with other team members to make sure that vulnerabilities are remediated. They may also oversee some of the technology tools.
  • Asset Owners: Generally, it’s IT who is responsible for patching any issues.
  • Architect: This role stitches everything together and assembles all the puzzle pieces. This person keeps tabs on how people are collaborating to execute the processes and how the technology is being leveraged to streamline the repetitive parts.

Tip: Make sure all these roles are involved in developing the process! Keeping stakeholders in the loop ensures that you have buy-in across all groups, giving you the momentum to move the project forward. Aligning everyone on the objectives before the project begins leads to a higher program success rate than working to get buy-in afterwards.

Tie it all together

Now it’s time to see your finished product! The last piece to your vulnerability management puzzle is security orchestration.

There is a growing understanding among industry professionals that manual processes cannot keep up with the increasing demands of information security. A study by ESG research shows that 19 percent of enterprise organizations have already deployed technologies for security automation and orchestration extensively, 39 percent have done so on a limited basis, and 26 percent are currently engaged in a project to automate and orchestrate security operations.1

The automation of these processes can be achieved using a SOAR (Security Orchestration, Analytics and Reporting) platform. A SOAR platform improves automation, ensures regulatory compliance and reduces the probability of a breach against your organization. Typical functions that organizations automate upfront include: reporting, vulnerability scanning, data aggregation and correlation, workflow management, risk scoring and ticket generation.

Automating the identification, classification, remediation and mitigation of vulnerabilities will not only provide greater efficiency, but will also give you consistent results by ensuring that the process is performed the same way every time.

The end goal

Many organizations (yours included) may already have vulnerability management tools in place like scanners, threat feeds, and patch managers, but without the right people and processes to support them, these are just puzzle pieces sitting in a pile on the table.

Without a thoroughly planned vulnerability management program in place, an organization may be blind to risks in the security of its IT infrastructure. Taking time to plan out your program will give your organization a continuous view of the risk associated with the vulnerabilities in its systems. This allows management to make well-informed decisions about remediation actions that could reduce those risks.

You have the pieces laid out, now it’s time to put them together so you can see the bigger picture and reach the end goal of protecting your organization from cyber threats.


1 Implementing a Vulnerability Management Process, SANS Institute. Accessed on April 30, 2018.