Technology Insights HOME | Perspectives from Our Experts on Technology Trends and Risks


How Offloading Vulnerability Management Enhances Security

Michael Walter

Managing Director - Security and Privacy

Mike Alessi

Associate Director - Security and Privacy


The obstacles cybersecurity organizations face may often seem insurmountable. From dealing with a competitive labor market, to the rapid pace at which threats and regulations are changing, to omnipresent budget constraints, challenges to cybersecurity performance are prompting enterprises to offload some security operations, and leaders find vulnerability management is especially well-suited to outsourcing.

Reducing vulnerabilities enhances an enterprise’s security posture and decreases the likelihood it will be breached. Clarifying vulnerability management roles — and delivering robust, customized reporting — improves vulnerability management and reduces risk.

Vulnerability management is a basic building block of an information security program, and it is carried out in a similar manner across organizations, making it one of the easiest programs to outsource. It requires a lower investment of time in understanding business operations than other security functions. Outsourcing to a vulnerability management service (VMS) provider can meet requirements competently and completely, and can raise the maturity of an organization’s vulnerability management operations more readily than outsourcing other security functions, without requiring intimate knowledge of the enterprise’s intricacies.

Beating the talent shortage

Security leaders are painfully aware of a multimillion-person cybersecurity talent gap. For them, it means operating with a chronic shortage of resources. But security teams must scan for vulnerabilities regularly, even if the required resources must be pulled away from other security tasks to get it done. Outsourcing vulnerability management eases this staffing shortfall, while also freeing up internal resources to focus on cybersecurity tasks that call for institutional knowledge.

Security and IT leaders who’ve been lucky enough to hang on to good people know how overworked those people may be. Overworked or inexperienced personnel may have to assume vulnerability management responsibilities in the absence of more suitable staff. By outsourcing to a VMS provider, the organization gains a team that’s focused only on identifying vulnerabilities in a consistent and repeatable manner. At the same time, it avoids overworking its own security professionals.

Clarifying who does what

Along with providing a dedicated vulnerability management team, a good VMS provider works to clarify roles within the function. Delineating who’s responsible and accountable for — and consulted or informed about — vulnerability management is a core component of a healthy vulnerability management program.

In some organizations, these details may only be informally or partially understood as the service provider comes on board. A good VMS provider will establish who needs to know what and ensure management signs off on a clearly defined vulnerability management process. This conversation becomes a fine-grained exploration of the process and surfaces any gaps. Clarification of responsibilities is often the VMS provider’s first big win.

Reporting to expose opportunities

Any VMS provider can take on vulnerability scanning and reporting; the best of them also deliver analysis to drive down the number of vulnerabilities over time. Analysis surfaces actionable opportunities to improve security, such as:

  • One team gets its vulnerabilities patched in a timely manner while another does not. Leaders ask why and discover the second team is shorthanded.
  • An enterprise’s systems didn’t get patched because an infrastructure upgrade was deferred. That upgrade hadn’t looked like a risk until reporting brought to light a proliferation of vulnerabilities.
  • A business was operating an end-of-life system, unaware of the exposure out-of-date technology was creating.

Security professionals will want insights into how to address specific vulnerabilities; executives will want to know about risk scores and overall trends. Robust reporting includes customizing information to the needs of different audiences. It’s more than most enterprises can manage internally because it involves producing a thorough analysis of scan data, unconstrained by any vulnerability reporting tool. Look for a VMS provider whose technically agnostic reporting can change when the enterprise’s questions change.

A good service provider will have close, collaborative partnerships with the vendors who create vulnerability management tools. These relationships benefit the client when negotiating prices — and when features fall short of requirements. With the right partnerships, the VMS provider can advocate for clients to get feature sets expanded and issues addressed.

Reducing risk for minimal spend

When enterprises undertake vulnerability management themselves, it amounts to countless small tasks that must be completed promptly and repeatedly. In addition to running scans and reviewing results, the team should address the vulnerabilities that surface. Sometimes, however, when vulnerability tasks are distributed among several people or teams, scans get conducted, but the key step of resolving the vulnerabilities that surface may get overlooked.

A good VMS provider will establish best-practice scanning and reporting, use a broad range of modern tools, and analyze results to eliminate false positives and other bad data. They’ll also drive the conversation with their client’s teams to bring vulnerability numbers down. This approach simplifies risk reduction; internal teams need only focus on one thing: acting on the vulnerabilities the VMS provider identifies. Security organizations that work with VMS providers do a better job of reducing vulnerabilities, and they do it within a predictable, fixed-fee framework. VMS providers may also offer patching and remediation; clients can opt in to these services or handle patching and remediation internally.

Gaining a broader perspective

Security leaders rely on their teams to determine whether their own approaches and tools are optimal. A VMS provider adds another perspective, one informed by the expertise that comes from working with multiple organizations and from long-standing relationships throughout the cybersecurity market. The VMS provider becomes a sounding board through which security leaders learn about better tools, about using existing tools more effectively, and about how other enterprises are getting the job done. The best VMS providers explain what’s newest and best in a technology-agnostic way, clarify the benefits of making any change, and act as an extension of the client’s security team.

Security leaders are struggling to get the job done, and one solution is to offload operations to an experienced VMS provider. Vulnerability management services free internal resources from scanning and reporting tasks for a fixed monthly cost, while also clarifying roles, delivering customized analysis and reporting, and providing access to market knowledge and best practices.


Authors: Michael Walter and Mike Alessi, Protiviti
