A risk-based approach to threat & vulnerability management
Security threats are increasing each year, but taking a risk-based approach to your threat and vulnerability management helps. Here are five steps to get you started.

2018 was a record year for cybersecurity—and not in a good way. Over 16,500 security vulnerabilities were discovered and cataloged in MITRE’s Common Vulnerabilities and Exposures (CVE) database. This is a 12% increase from 2017.

With growth like that, it might seem impossible to keep up with the flow of new vulnerabilities. But automation and a risk-based approach to vulnerability management can help you tackle this growing issue.

To begin, you need to look at your cybersecurity strategy holistically. But this is often easier said than done. So, what first steps should you take to get on the path toward a risk-based approach to vulnerability management?

1. Understand your asset criticality (take inventory)

Asset criticality is the value you assign to the organization’s most vital assets, including hardware, software, and confidential information. Defining it focuses your monitoring and maintenance effort on the assets that matter most: the ones that will cost the most if they fail, are stolen, or become obsolete. Costs are derived by considering asset replacement, loss of service/downtime, and legal liability. To understand your asset criticality, the first step is to create an asset inventory.

2. Assign a risk rating (quantify your focus)

Now that your assets are cataloged, the next step is identifying the risks—or combinations of threats and vulnerabilities—that can affect your assets. This isn’t a quick task, but it’s worth the effort. Think of the scenarios that could affect the organization’s computers, mobile devices, cloud-based storage, and even the employees. What kind of unwanted incidents might take place? What weaknesses could be exploited?

This is how you’ll calculate a risk rating: a score that combines the impact of each risk with the likelihood of it actually occurring. These scores give you a benchmark, so you know exactly when a risk is beyond acceptable levels and you can take action.

3. Normalize security & risk definitions (speak the same language)

As you’re taking inventory of assets and assigning your risk scores, it’s important to create standard internal security and risk definitions. This is because vulnerability scanners and other threat information sources don’t record severities uniformly. Some assign ratings numerically (e.g., 1-10), while others score things qualitatively (e.g., “urgent” or “critical”). You need to pick what works for you, instead of locking yourself into someone else’s definitions of severity and risk.

If you’re using specific vulnerability management software, this is where you’d input your own risk classifications and map how you interpret a Qualys score vs. a Nexpose score. Doing this creates a unified scoring system that normalizes scanner findings and standardizes remediation plans. It also pulls findings from all security tools to create accurate and timely reports and dashboards.

4. Delegate threat & vulnerability management (take action)

A good threat and vulnerability management platform will use the scoring and classifications to automatically delegate and assign remediation tasks to the correct person or team. For example, a Windows vulnerability found on a given subnet goes to the Windows team.

Many organizations have policies on the maximum amount of time it should take to resolve a vulnerability based on the threat level, for example:

  • 1-10 days for critical vulnerabilities
  • 30 days for high-severity vulnerabilities
  • 60 days for medium vulnerabilities

But these deadlines for remediation are often hard to meet. A SANS Institute poll flagged that only 68% of respondents were able to repair, patch, or mitigate critical vulnerabilities in under a month. Obviously, that’s not ideal, because the longer these issues go unresolved, the more the risk increases. But by automating the calculation for these threats and assigning the appropriate risk ratings, you can start tracking deadlines and prioritizing workflows.

This setup and automation will streamline your work and help you deal with the massive amounts of vulnerability data you receive on a daily basis. Many organizations that automate these processes see solid reductions in the time it takes to perform daily cyber-risk management. And by creating this hierarchy, you’ll respond to high-priority items quicker.
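Steps 1 through 4 carried through in code, as an added example that is not from the article or from any product it mentions: a constructed asset inventory with criticality values, a normalizer that maps several sources onto one internal 0-10 severity scale (the sources are called scanner_a, scanner_b and a qualitative feed; they stand in for the Qualys-vs-Nexpose mapping described above, and their 1-5, 1-10 and label scales are assumptions for the example, not the vendors’ actual scales), a risk rating computed as normalized severity times asset criticality with assumed level thresholds, delegation to a team by platform, and due dates taken from the remediation deadlines listed above (the 90-day figure for low-severity items is an added assumption). All hostnames, finding ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Step 1: asset inventory with a criticality value (assumed 1-5 scale, 5 = most vital).
# Constructed sample inventory; hostnames, subnets and values are made up.
ASSETS = {
    "db-prod-01": {"criticality": 5, "os": "Linux", "subnet": "10.0.1.0/24"},
    "win-fs-02": {"criticality": 3, "os": "Windows", "subnet": "10.0.2.0/24"},
    "kiosk-07": {"criticality": 1, "os": "Windows", "subnet": "10.0.9.0/24"},
}

# Step 3: one internal severity scale (0-10) that every source is mapped onto.
# Native scales are assumptions for this example, not any real product's scale:
# scanner_a reports 1-5, scanner_b reports 1-10, a third source reports labels.
LABEL_TO_INTERNAL = {"informational": 1, "low": 3, "medium": 5, "high": 8, "urgent": 10, "critical": 10}

def normalize_severity(source: str, value) -> float:
    """Map a source's native severity onto the internal 0-10 scale."""
    if source == "scanner_a":  # assumed 1-5 numeric scale
        return float(value) * 2
    if source == "scanner_b":  # assumed 1-10 numeric scale
        return float(value)
    if source == "qualitative":  # labels such as "urgent" or "critical"
        return float(LABEL_TO_INTERNAL[value.lower()])
    raise ValueError(f"unknown severity source: {source}")

# Step 2: risk rating = likelihood (normalized severity) x impact (asset criticality),
# giving 0-50. The level thresholds are assumed values; an organization sets its own.
RISK_LEVELS = [("critical", 35), ("high", 20), ("medium", 10), ("low", 0)]

def risk_level(rating: float) -> str:
    """Bucket a 0-50 rating into the internal risk levels."""
    for level, threshold in RISK_LEVELS:
        if rating >= threshold:
            return level
    return "low"

# Step 4: delegate by platform and set a deadline from the remediation policy.
# Critical/high/medium days follow the policy example above; 90 days for low is assumed.
SLA_DAYS = {"critical": 10, "high": 30, "medium": 60, "low": 90}
TEAM_BY_OS = {"Windows": "windows-team", "Linux": "linux-team"}

@dataclass
class Ticket:
    asset: str
    finding_id: str
    level: str
    rating: float
    owner: str
    due: date

def triage(finding: dict, discovered: date) -> Ticket:
    """Turn one raw finding into an assigned ticket with a remediation deadline."""
    asset = ASSETS[finding["asset"]]
    severity = normalize_severity(finding["source"], finding["severity"])
    rating = severity * asset["criticality"]
    level = risk_level(rating)
    return Ticket(
        asset=finding["asset"],
        finding_id=finding["id"],
        level=level,
        rating=rating,
        owner=TEAM_BY_OS.get(asset["os"], "triage-queue"),
        due=discovered + timedelta(days=SLA_DAYS[level]),
    )

def overdue(tickets, today: date):
    """The report a platform would surface: tickets past their deadline."""
    return [t for t in tickets if today > t.due]

# Constructed findings; the ids are placeholders, not real identifiers.
FINDINGS = [
    {"id": "FINDING-001", "asset": "db-prod-01", "source": "scanner_a", "severity": 5},
    {"id": "FINDING-002", "asset": "win-fs-02", "source": "scanner_b", "severity": 7},
    {"id": "FINDING-003", "asset": "kiosk-07", "source": "qualitative", "severity": "urgent"},
]

def run_example(discovered_iso: str, today_iso: str) -> dict:
    """Triage every constructed finding; summarize owners, deadlines and overdue items."""
    discovered = date.fromisoformat(discovered_iso)
    tickets = [triage(f, discovered) for f in FINDINGS]
    return {
        "tickets": {t.asset: (t.level, t.owner, t.due.isoformat()) for t in tickets},
        "overdue": [t.asset for t in overdue(tickets, date.fromisoformat(today_iso))],
    }

if __name__ == "__main__":
    summary = run_example("2019-01-02", "2019-02-15")
    for asset, (level, owner, due) in summary["tickets"].items():
        print(f"{asset:<12} {level:<8} owner={owner:<13} due={due}")
    print("overdue:", summary["overdue"])
```

The reordering this buys is visible in the output: the kiosk finding its source labels “urgent” lands at medium, because the asset’s low criticality weighs in, while a numeric 7 on the file server lands at high with a 30-day deadline. Running the report with a later date shows which tickets have slipped past the policy deadline, which is the tracking step the text describes.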

5. Get the most from your data

One of the most important parts of this entire process is having a clear understanding of how to analyze your data. Many IT security professionals find themselves with plenty of data but no idea how to make it usable. Since you already have the data, it’s now just a matter of getting it into a threat and vulnerability management platform. Then you can complete those first mappings and get a clear picture of criticality.

Sure, there’s a time investment in setting this up, but it’s totally worth it—especially when you start to see the time savings, faster remediation, and reductions in risk and open vulnerabilities.

Find out how one large US healthcare provider implemented our vendor risk management solution, removing manual processes and increasing completed yearly assessments by 373%.

Galvanize is now part of Diligent.