Why the Future of Vulnerability Management Is Risk-Based - CPO Magazine

2022-08-22 07:03:31 By: Mr. Alvin Qing

There is ample evidence that risk-based prioritization is becoming a necessity. I support the view that vulnerability management must become risk-based by presenting several notable industry trends, each of which points to this conclusion. I then explain why business risk is the driver for cybersecurity activities and give a glimpse of what success will look like in the future.

Risk mitigation is fundamental to an enterprise’s cyber strategy, and vulnerability management is, at its core, a risk management technique. In the future, the ability to prioritize vulnerability remediation will become a standard feature requirement as customers evaluate vulnerability management solutions.

Automation and machine learning will be essential for risk-based prioritization. However, teams should avoid black-box machine-learning solutions that provide no insight into the why and the how of prioritization. Why and how are every bit as important as knowing what to prioritize.

Up-to-date threat intelligence and machine-learning algorithms can predict which vulnerabilities are most likely to be used in malware or targeted attacks. Still, for that information to be helpful for the formulation of future business plans, leadership must know the why and how.

For a risk-based vulnerability management program to be relevant to your organization, it must factor in the criticality of assets. Asset criticality—knowing what, where, and how important the organization’s crown jewels are—is often overlooked but is becoming a must-have requirement. You cannot accurately assess risk without understanding this vital aspect of a threatened asset.

Security leaders are beginning to embrace the idea that contextual risk prioritization is a core vendor differentiator. Every customer's environment is unique, and threat-centric prioritization is only marginally better than CVSS-based prioritization. When a vendor fails to incorporate contextual risk, customers may do more remediation than necessary. It is essential to avoid ineffective patching and to avoid creating throwaway work for your teams.
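As an added illustration (not code from the article or from any vendor), the Python below ranks the same constructed set of findings three ways, CVSS-only, threat-centric, and contextual, to show how adding asset criticality and exposure changes which item comes first, and it returns the factors behind each score so the why and how are visible rather than hidden in a black box. The criticality and exposure scales, the `exploit_likelihood` values, and all sample findings are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    vuln_id: str               # constructed label, not a real CVE number
    cvss: float                # CVSS base score, 0.0-10.0
    exploit_likelihood: float  # 0.0-1.0, assumed to come from threat intel
    asset: str
    criticality: int           # 1 (disposable) .. 5 (crown jewel); assumed scale
    exposure: float            # 1.0 internet-facing, 0.5 internal-only; assumed

def cvss_only(f: Finding) -> float:
    """Severity-only ranking: ignores threat and business context."""
    return f.cvss

def threat_centric(f: Finding) -> float:
    """Severity weighted by how likely the flaw is to be exploited."""
    return f.cvss * f.exploit_likelihood

def contextual_risk(f: Finding) -> float:
    """Adds asset criticality and exposure: the organisation-specific view."""
    return f.cvss * f.exploit_likelihood * (f.criticality / 5) * f.exposure

def explain(f: Finding) -> dict:
    """The factors behind a score, so the ranking is not a black box."""
    return {
        "vuln_id": f.vuln_id, "asset": f.asset, "severity": f.cvss,
        "threat": f.exploit_likelihood,
        "criticality_weight": round(f.criticality / 5, 2),
        "exposure": f.exposure, "risk": round(contextual_risk(f), 3),
    }

def rank(findings, scorer) -> list:
    """Vulnerability IDs ordered from highest to lowest score."""
    return [f.vuln_id for f in sorted(findings, key=scorer, reverse=True)]

# Constructed sample findings; values chosen so the three orderings diverge.
FINDINGS = [
    Finding("V-001", 9.8, 0.05, "build-test-vm", 1, 0.5),
    Finding("V-002", 7.5, 0.90, "payments-db", 5, 0.5),
    Finding("V-003", 8.1, 0.70, "marketing-site", 2, 1.0),
    Finding("V-004", 6.5, 0.95, "vpn-gateway", 5, 1.0),
]

if __name__ == "__main__":
    for name, scorer in [("CVSS only", cvss_only), ("threat-centric", threat_centric),
                         ("contextual", contextual_risk)]:
        print(f"{name:15} {rank(FINDINGS, scorer)}")
    for f in FINDINGS:
        print(explain(f))
```

The highest-CVSS item sits on a disposable test VM and drops to last once threat and context are applied, while the internet-facing VPN gateway with a modest score moves to the top.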

Changing behavior in vulnerability management is akin to a person adopting healthy eating, exercise, and sleeping habits. Gaining more energy, building muscle, reducing body fat, and sleeping better are individualized personal health goals because each body responds differently to food intake, stress, and exercise. Similarly, reducing remediation workload, reducing risk, cutting down data noise, improving automation, and gaining real-time insights are different business objectives for each organization's vulnerability management program, and achieving them results in a healthier security posture.

Because configuration and vulnerability management are so closely related, customers will in the future look for stack-agnostic solutions that are flexible enough to analyze both vulnerabilities and misconfigurations. They will expect prioritization to be based on risk and business impact.

Attack techniques will constantly change as threat actors strive to circumvent defensive systems and, in turn, security teams and innovative partners continually introduce new methods for mitigating risk. There is a constant battle for insights and information between attackers and defenders.

No enterprise has unlimited resources to battle cyberattacks. Therefore, organizations need to make decisions based on the trade-off between costs and benefits. A risk-based approach provides a strategic framework to efficiently identify, prioritize, and remediate risks within the available resources and risk tolerance levels.

The balance between in-house security staff and managed security service providers may change for an organization. The quantity, value, and criticality of assets, whether cloud or on-prem, will also change. While tooling, defects, and threats will all change, an organization’s strategy for managing risk should always remain the same.

Risk and attack vectors evolve, and people’s mindsets and processes should also develop to align with risk management and business objectives. Enterprises should change their perspective from that of blocking all possible threats to one of improving overall risk management programs and hygiene practices.

Success in managing vulnerabilities in the future will be achieved by organizations that have changed the fundamental nature of work in the field. Analysts will no longer perform tedious data triage, normalization, and correlation manually. The nature of their work will shift from data processing to making risk-based decisions supported by machine-driven analytics.

Machine-based data processing, including contextualized prioritization and analytics, will become mainstream in thriving organizations. They will use positive reinforcement to drive a proactive shift that breaks down silos and replaces a whack-a-mole cybersecurity strategy with a risk-based vulnerability management program.

Vulnerability management is a powerful piece of the enterprise cyber risk management puzzle. The intelligence derived from a vulnerability management program can be extremely valuable to incident response, threat hunting, SOC operations, and other segments of the cyber program. To win, use it as a decision support system within the broader cyber analytics effort.

The future of vulnerability management is bright. Challenges aside, innovation is alive and well, and new solutions will continue to emerge. For organizations that grasp a vision of the future and begin to prepare for it now, vulnerability management will grow to be an integral part of their business risk management plan.
