Overcoming Risk-Based Vulnerability Management (RBVM) Challenges

You’ve done your research and looked at the various ways you can map, prioritize and remediate vulnerabilities. You clearly see that a risk-based vulnerability management (RBVM) approach is the only reasonable way to address the tsunami of vulnerabilities your organization encounters and provide the context needed for risk-based remediation decisions.

But now you’re faced with overcoming the typical challenges associated with gaining organizational buy-in so you can construct a successful implementation plan. What are your next steps?

Common Challenges

Based on years of experience and input from scores of security leaders that have gone down this path before you, we’ve gathered some of the common challenges you are likely to face as you prepare your organization for the future of RBVM.

Challenge One: The cost of an RBVM platform

How to overcome it:

The price of protecting data and infrastructure fades when compared to the cost of a data breach. According to the IBM security cost of a data breach report 2021, the cost of a data breach rose nearly 10% from 2020 to 2021, to $4.24 million. The average cost was $1.07 million higher in breaches where remote work was a factor in causing the breach.

While a valid concern from an initial bottom-line standpoint, it can be helpful for boards and C-suites to put the initial cost of an RBVM solution in context, which can be relatively insignificant compared to the cost of a breach. Once you factor in the efficiency gains the security team will reap and the reduced need for additional full-time employees (FTEs), this choice is a no-brainer.

Challenge Two: Not enough staff to properly use another piece of security technology

How to overcome it:

One of the primary benefits of implementing an RBVM platform is the opportunity it affords for you to move away from manual processes that are blind to organizational risk. Such a platform’s prioritization capabilities dramatically reduce the time spent debating what to remediate. This enhanced time-to-action improves all other downstream processes. In some cases, implementing RBVM can actually reduce the number of necessary full-time employees, relieving pressure on already understaffed teams.

Challenge Three: Lack of organizational buy-in

How to overcome it:

Understandably, security leaders often assume that their organization has bought into an RBVM initiative once the budget has been approved for the investment. But procurement does not necessarily mean the teams and departments that will be affected by the program understand how they will need to change their day-to-day workflows and processes.

Implementing RBVM correctly and maximizing its positive impact will affect executives, IT staff and security teams. Before investing, spend the time to map out how adding RBVM will alter day-to-day activities so the various stakeholders can voice their opinions and know what to expect in terms of changes. ITOps and IT executives are influential groups to focus on and invite into the conversation—everyone affected has to have a seat at the table to achieve universal buy-in.

Challenge Four: An incomplete mapping of your attack surface

How to overcome it:

The success of RBVM is directly tied to a clear understanding of your organization’s attack surface, including asset and vulnerability mapping. You can’t prioritize and remediate vulnerabilities for shadow assets, so ensure you’ve got an accurate configuration management database (CMDB) to store relevant information about all hardware and software assets. You should also have verifiable policies and processes to ensure the database is updated and maintained regularly.

Furthermore, include as much information as possible about the various assets in your CMDB; part of the risk equation for your RBVM consists of assessing the criticality or importance of assets.

Challenge Five: RBVM requires an investment of time and resources to get off the ground

How to overcome it:

Securing the budget for an RBVM platform isn’t usually the difficult part of the process. This challenge will vary depending on your organization’s current circumstances, including your security maturity level. What’s often more challenging is the organizational shift in operating procedures that comes with implementing an RBVM.

Making the necessary shift may seem off-putting to some stakeholders, but it’s a critical part of the process. The addition of RBVM technology in combination with the maturing of operations is what yields the greatest success.

Essential to successfully implementing organizational shifts is ensuring that all stakeholders know that RBVM is a continuous cycle of improvement that must be adopted and that they will have to disrupt their everyday workflows to grow. Keep in mind that the alternative is to do nothing and force the organization to react to attacks one by one.

Finding Success Beyond the Challenges

For any significant project, gaining organizational buy-in can be challenging. Regardless of how beneficial the outcome may be, doing things differently must overcome the cultural momentum to maintain the status quo.

The first steps to implementing a successful RBVM program include juxtaposing the solution’s price against the cost of a breach, factoring in the savings realized by moving away from manual processes and ensuring that the affected parties are part of the conversation. Once you achieve universal buy-in and the resources are committed, start with a complete and accurate understanding of your attack surface.

An RBVM approach is the best way to address your vulnerabilities and provide the context needed for risk-based remediation decisions. Once you overcome the challenges of implementation, your organization will become more proactive and better positioned against future threats.

Avatar photo

Lisa Xu

Lisa Xu serves as Chief Executive Officer where she is responsible for overseeing the overall strategic and operational functions for NopSec. Lisa has a passion for connecting business with technology and thrives in transforming disruptive technology into leading solutions. Over the past two decades, Lisa has advised Fortune 500 enterprises on data security, privacy and technology risk management, and led many diverse teams at Ally Financial (GMAC), KPMG, and Blue Cross Blue Shield. Lisa holds a B.A. in Economics and a Master’s in Finance from Boston College.

lisa-xu has 1 posts and counting.See all posts by lisa-xu