N2K Blog: FAQs about Vulnerability Assessment & Management

Frequently Asked Questions about Vulnerability Assessment & Management


What is Vulnerability Assessment and Management?

A common misconception is that it’s only about vulnerability scanning and penetration tests. Vulnerability assessment and management is the continuous process of identifying, analyzing, reporting, and remediating vulnerabilities. This means an organization must prioritize, validate, re-evaluate, and re-prioritize for as long as the threat associated with a vulnerability remains viable. Sometimes there is no way to patch or easily fix a vulnerability, and complex workarounds will need to be applied, tested, deployed, and, as the situation changes, perhaps re-deployed.

What is NOT Vulnerability Assessment and Management?

Vulnerability assessment and management isn’t just about filling in all of the cracks at once. An organization needs to evaluate the impact on its critical operations against its own risk appetite. Many automated vulnerability scanning products provide a default risk score, but this “out-of-the-box” risk doesn’t reflect the likelihood and impact of an exploit to the specific organization. Ultimately, only a human familiar with the organization’s business can do that.

Vulnerability assessment and management is not about mastering vulnerability scanners and following their detailed remediation recommendations. An organization needs to consider its unique situation. Some fixes could open new vulnerabilities or impact operations on other systems, so vulnerability management is about tailoring the solution to the organization. A vulnerability scanner that is not configured properly for its environment can create so much noise that the really important vulnerabilities, the ones the organization should be prioritizing, are buried.
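The two points above, that a scanner's default score is not the organization's risk and that an untuned scanner buries the findings that matter, are easiest to see in a small re-prioritization step. The following is an added example, not part of this article or of any N2K course material: it takes a constructed scanner export with vendor default scores, applies business context that only the organization can supply (asset criticality, exposure, decommissioned hosts, accepted compensating controls), and produces a remediation queue. The asset inventory, findings, weights and the 4.0 noise threshold are all illustrative assumptions.

```python
"""Re-prioritize scanner findings with organization-specific context.

Assumes a scanner export has already been normalized to one dict per finding
carrying the vendor's 'default_score' (e.g. a CVSS base score).  Everything
below (assets, findings, weights, threshold) is a constructed sample.
"""
from dataclasses import dataclass

# Constructed asset inventory: the business context the scanner does not have.
ASSETS = {
    "web-01":  {"criticality": 1.0, "internet_facing": True,  "decommissioned": False},
    "erp-db":  {"criticality": 1.0, "internet_facing": False, "decommissioned": False},
    "kiosk-7": {"criticality": 0.2, "internet_facing": False, "decommissioned": False},
    "old-ftp": {"criticality": 0.5, "internet_facing": True,  "decommissioned": True},
}

# Constructed scanner export, already parsed: one finding per row.
FINDINGS = [
    {"id": "F-1", "host": "web-01",  "plugin": "tls-weak-cipher", "default_score": 5.3, "exploit_known": False},
    {"id": "F-2", "host": "erp-db",  "plugin": "rce-db-service",  "default_score": 9.8, "exploit_known": True},
    {"id": "F-3", "host": "kiosk-7", "plugin": "rce-db-service",  "default_score": 9.8, "exploit_known": True},
    {"id": "F-4", "host": "old-ftp", "plugin": "anon-ftp",        "default_score": 7.5, "exploit_known": True},
    {"id": "F-5", "host": "web-01",  "plugin": "info-banner",     "default_score": 2.0, "exploit_known": False},
]

# Compensating controls the organization has formally accepted (constructed).
# Matching findings stay in the report but are not queued for remediation.
COMPENSATING_CONTROLS = {
    ("web-01", "tls-weak-cipher"): "only negotiable from the internal management network",
}

NOISE_THRESHOLD = 4.0  # assumed cut-off below which a finding is not actioned


@dataclass
class Prioritised:
    finding_id: str
    host: str
    default_score: float
    contextual_score: float
    disposition: str  # "remediate", "accepted" or "noise"


def contextual_score(finding, asset):
    """Scale the vendor score by criticality and exposure (weights are assumptions)."""
    score = finding["default_score"] * asset["criticality"]
    if asset["internet_facing"]:
        score *= 1.5   # reachable by anyone: more likely to be attempted
    if finding["exploit_known"]:
        score *= 1.25  # known exploit: more likely to succeed
    return round(min(score, 10.0), 1)


def prioritise(findings, assets, controls):
    """Return findings ranked by contextual score, each with a disposition."""
    out = []
    for f in findings:
        asset = assets.get(f["host"])
        # Unknown or decommissioned host: scanner noise, not a work item.
        if asset is None or asset["decommissioned"]:
            out.append(Prioritised(f["id"], f["host"], f["default_score"], 0.0, "noise"))
            continue
        score = contextual_score(f, asset)
        if (f["host"], f["plugin"]) in controls:
            disposition = "accepted"
        elif score < NOISE_THRESHOLD:
            disposition = "noise"
        else:
            disposition = "remediate"
        out.append(Prioritised(f["id"], f["host"], f["default_score"], score, disposition))
    return sorted(out, key=lambda p: p.contextual_score, reverse=True)


def dispositions(findings=FINDINGS, assets=ASSETS, controls=COMPENSATING_CONTROLS):
    """Map finding id -> disposition, for reporting and for tests."""
    return {p.finding_id: p.disposition for p in prioritise(findings, assets, controls)}


def remediation_queue(findings=FINDINGS, assets=ASSETS, controls=COMPENSATING_CONTROLS):
    """Only the findings that actually need work, highest contextual score first."""
    return [p.finding_id for p in prioritise(findings, assets, controls)
            if p.disposition == "remediate"]


if __name__ == "__main__":
    for p in prioritise(FINDINGS, ASSETS, COMPENSATING_CONTROLS):
        print(f"{p.finding_id} {p.host:8} default={p.default_score:4} "
              f"contextual={p.contextual_score:4} -> {p.disposition}")
    print("queue:", remediation_queue())
```

Note the inversion in the sample: the two findings the scanner rates 9.8 land very differently, because the same service flaw on an isolated low-value kiosk scores below the noise threshold while the one on the ERP database tops the queue, and a medium-rated weak cipher on the public web server outranks both the kiosk and the decommissioned FTP host. The weights and threshold are the part a human familiar with the business has to own; the script only makes that judgement repeatable across every scan.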

Vulnerability assessment and management is not a distinct process, separated from the rest of the business. Risk management, assessment, and remediation should be embedded into every aspect of business operations. Also, fixing vulnerabilities requires collaboration with many different business roles, across multiple departments and teams.

Where does Vulnerability Assessment and Management play a role?

Vulnerability assessment and management cuts a wide swath through the security and IT workforce. There are jobs in incident response, in security operations centers (SOCs) and individual analyst teams, in IT infrastructure, both on-premises and in the cloud, and in upper management, reporting directly to the CISO or CEO. The job level usually dictates the technical depth, but each position plays a role in the vulnerability assessment and management process.

Vulnerability assessment and management touches almost every other group as well. This ranges from the Marketing team responsible for website content to the Sales team responsible for financial and personal information. Any technical control will impact the business, so all employees are stakeholders in vulnerability management.

How does someone get into Vulnerability Assessment and Management?

First, get a good foundation in information security principles and best practices, with particular emphasis on risk management and threat modeling. Most entry-level security positions represented by certifications like Security+ would satisfy this requirement.

The next step is a choice. You can go deeper into the technical aspects of ethical hacking and security analysis (CEH, CFR, CySA+, or PenTest+) or explore the higher-level management of a security program with certifications like CISSP, CISM, or CRISC. Whichever path you take, you need to combine both approaches for vulnerability assessment and management.

That is where our training course comes in: it provides a common language that connects the day-to-day operations of a successful vulnerability assessment and management program with a wide view of the overall organization and its place within the threat landscape. Using a three-tiered technique, this course starts at a wide angle before focusing the lens on the practical techniques and tools of the vulnerability trade:

  1. Risk analysis and threat modeling
  2. Vulnerability management and reporting
  3. Vulnerability detection and mitigation

What comes next in a career with Vulnerability Assessment and Management?

Vulnerability assessment and management is a critical component of any information security program, so there is some flexibility on where to go next. It could lead you into the manager’s chair or closer to the front lines of a blue or purple team. In either direction, the skills will give you the capabilities to address threats as they emerge and the insight to know how and when to respond to them.