“Can I get a view of where and how long we’ve had these high vulnerabilities in the environment?” is a question from the CISO that gets many security operations (SecOps) team members’ eyes twitching.
The reason for the reaction is that, despite solid vulnerability discovery tools, reporting and management of this capability have been a weakness for this corner of the security space. Between false positives and poor historical data, the SecOps team has to do a substantial amount of work to present a clear picture of the overall performance of the vulnerability management program to key stakeholders.
Despite these issues in reporting, the key to a successful vulnerability management program is often how well SecOps teams manage the other stakeholders in the process. The information security (InfoSec) team isn’t going to be deploying infrastructure changes, and executives want to focus on how long it took to fix the issues. This leaves a decent reporting gap for the SecOps team to fill between