Navigating Your Vulnerability Management Program | Core Security Blog


OK, I admit it. I use GPS to navigate some routes I’ve driven at least a hundred times. It’s a relief to hear that robotic voice helping me with every single turn on my way home. Here at Core, we asked: how can we make the vulnerability management journey easier for organizations to traverse, so they reduce the risk of a potential security breach? Ah, yes, a roadmap of sorts to follow to ensure a successful program! Everyone loves free resources, right? The five-level Threat and Vulnerability Management Maturity Model (TVM) combines an understanding of an organization’s assets, IT infrastructure, and vulnerabilities to help:

  1. Reduce risk exposure and the likelihood of a breach
  2. Gain ongoing visibility into true business risk, improving future decision-making
  3. Align IT, information security, and the rest of the organization in the direction of strategic business goals
  4. Significantly increase operational efficiency


We asked organizations to pinpoint their current location on the TVM Maturity Model, and found that 33% are at Level 2 or below, suffering from peak data overload and very unlikely to be able to effectively counter adversaries.

Take a look below! Can you easily identify where your organization is on the vulnerability management journey, and the next turn you need to take to advance your program?

Level 0. Non-existent

  • No vulnerability scanning
  • Manual assessments
  • Haphazard patching
  • No processes or metrics


Navigate to Level 1:

Get a vulnerability assessment solution and create repeatable processes to patch operating systems and applications

Level 1. Scanning

  • Vulnerability assessment solution
  • Ad-hoc scanning
  • Rudimentary patching
  • Basic processes and metrics


Navigate to Level 2:

Adopt compliance frameworks, create and report metrics, implement basic vulnerability prioritization via CVSS and conduct penetration testing on high-risk assets.

Level 2. Assessment & Compliance

  • Driven by regulations
  • Scheduled scanning
  • Scan to patch life cycle
  • Emerging processes
  • Little measurability


Navigate to Level 3:

Implement risk-based patching. Metrics and policies should focus on security improvement. Start consolidating scan results and employing critical asset-focused prioritization strategies.
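The difference between the Level 2 turn (basic prioritization via CVSS) and the Level 3 turn (consolidated scan results, prioritization focused on critical assets) is easiest to see in code. The following is an added example written for this post, not Core Security's tooling or the TVM model's own method; the host names, VULN-xxxx ids, scanner names and the 1-5 asset criticality scale are all constructed sample data, and weighting CVSS by criticality is one simple risk formula chosen for illustration.

```python
"""Risk-based vulnerability prioritization: CVSS-only ordering (Level 2)
versus asset-weighted ordering over consolidated scan results (Level 3).

Added example, not Core Security's code. All hosts, vulnerability ids,
scores and criticality tiers below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # constructed placeholder ids, not real CVE numbers
    cvss: float       # CVSS base score, 0.0 to 10.0
    source: str       # which scanner reported the finding


# Asset criticality tiers as set by the business (assumed 1 = low, 5 = crown jewel)
ASSET_CRITICALITY = {
    "db-prod-01": 5,
    "web-prod-02": 4,
    "build-server": 3,
    "dev-laptop-07": 1,
}

# Constructed raw output from two scanners; note the duplicate reports
RAW_FINDINGS = [
    Finding("dev-laptop-07", "VULN-0001", 9.8, "scanner-a"),
    Finding("dev-laptop-07", "VULN-0001", 9.8, "scanner-b"),
    Finding("db-prod-01", "VULN-0002", 7.5, "scanner-a"),
    Finding("db-prod-01", "VULN-0002", 7.2, "scanner-b"),   # scanners disagree
    Finding("web-prod-02", "VULN-0003", 8.1, "scanner-a"),
    Finding("build-server", "VULN-0004", 5.3, "scanner-b"),
]


def consolidate(findings):
    """Merge duplicate (host, vuln_id) reports coming from several scanners.
    When scanners disagree on the score, keep the higher one (conservative)."""
    merged = {}
    for f in findings:
        key = (f.host, f.vuln_id)
        if key not in merged or f.cvss > merged[key].cvss:
            merged[key] = f
    return list(merged.values())


def risk_score(finding, criticality_by_host, default_criticality=1):
    """Level 3 style score: CVSS weighted by the asset's criticality tier.
    Scaled back to a 0-10 range so it stays comparable with raw CVSS.
    Unknown hosts get the lowest tier rather than being dropped."""
    crit = criticality_by_host.get(finding.host, default_criticality)
    return finding.cvss * crit / 5.0


def prioritize_by_cvss(findings):
    """Level 2 ordering: highest CVSS first, no asset context."""
    return sorted(consolidate(findings), key=lambda f: f.cvss, reverse=True)


def prioritize_by_risk(findings, criticality_by_host=ASSET_CRITICALITY):
    """Level 3 ordering: highest asset-weighted risk first."""
    return sorted(consolidate(findings),
                  key=lambda f: risk_score(f, criticality_by_host),
                  reverse=True)


def patch_queue(findings, criticality_by_host=ASSET_CRITICALITY):
    """The list handed to IT operations: (host, vuln_id, risk) in patch order."""
    return [(f.host, f.vuln_id, round(risk_score(f, criticality_by_host), 2))
            for f in prioritize_by_risk(findings, criticality_by_host)]


if __name__ == "__main__":
    print("Level 2 (CVSS only):")
    for f in prioritize_by_cvss(RAW_FINDINGS):
        print(f"  {f.cvss:4.1f}  {f.host:14s} {f.vuln_id}")
    print("Level 3 (risk to critical assets):")
    for host, vuln_id, risk in patch_queue(RAW_FINDINGS):
        print(f"  {risk:4.2f}  {host:14s} {vuln_id}")
```

With this sample data the CVSS-only queue puts the 9.8 on a developer laptop at the top, while the asset-weighted queue moves the 7.5 on the production database to the top and pushes the laptop to the bottom. Consolidation also collapses six raw reports into four findings, which is the first step toward the "scan data prioritized" and "measurable processes" bullets of Level 3.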

Level 3. Analysis & Prioritization

  • Risk-focused
  • Scan data prioritized
  • Patching prioritized
  • Measurable processes
  • Emerging metrics


Navigate to Level 4:

Beef up metrics to show trends and focus patching on risk to critical assets. Introduce more threat vectors and establish a formal red team. Processes should include IT Operations to speed up remediation.

Level 4. Attack Management

  • Threat-focused
  • Vectors scanned and prioritized
  • Patching based on risk to critical assets
  • Efficient, metrics-based processes
  • Threat-driven metrics and trends


Navigate to Level 5:

Business strategy drives information security goals and your overall program. Threat metrics and attack trends become key risk indicators aligned closely with critical assets and acceptable business risk.

Level 5. Business-risk management

  • Risk aligned with business goals
  • All vectors scanned and prioritized
  • Continuous patching
  • Unified business and IT processes
  • Measurement integrated into enterprise management