You are responsible for a vulnerability management program, as administrator or implementer, but run into several problems
You are drowning in the amount of vulnerabilities. New ones are added daily. You don't know where to start.
You struggle to prioritize, per vulnerability, one that is relevant to your business. Priorities given by your tools are generic and not tailored to your situation.
Management is hampered because teams (infra, app) point at each other when it comes to solving vulnerabilities. Responsibilities are not defined.
Existing policies and processes are not aligned with vulnerability management with clear SLAs.
There is no reporting to executive management to bring this problem to the attention and also lacks the right data for this.
You want to optimize your vulnerability management program. For this you need:
A method to quantify and prioritize vulnerabilities, according to predefined security criteria that are relevant to your enterprise
A vulnerability management policy and process in which everyone's responsibilities are agreed upon, supported by SLAs per vulnerability type
A (non-technical) trending metric that makes clear to executive leadership to what extent security is improving
A way to regularly report to support teams and executive management on your progress, needs and performance
An optimized vulnerability management program starts with the right policies and processes, which clearly state who is responsible for what and also clarify what the agreed SLAs are, depending on the ranking of the vulnerability
The ranking of vulnerabilities is determined by criteria that are important to your business, combined with industry standards.
The SLAs are used to arrive at a trending metric, which indicates to what extent your organization is successful in achieving these SLAs
This metric will end up in a clean dashboard, which you can then use to report on your vulnerability management program. It clearly indicates success and opportunities for improvement, broken down by responsible team. In the best case scenario, this is defined from a service management perspective.
Every enterprise is different in size, objectives and organization, and therefore it is important to define, with you, the scope of an optimized vulnerability program that best meets your expectations. Next, we get to work mapping out the current state of your program. This could include a policy/process review, how vulnerabilities are currently classified and communicated, and how responsibilities lie between the various teams involved. In addition, we look at whether it is clear what the company wants to protect most and to what extent there is effective communication at the executive level.
We use this information to develop a plan of action that will lead to an optimized vulnerability management program in which streamlined processes, clear SLAs and responsibilities and decisive communication are central, from a clear dashboard! We know that change often leads to friction, so we will also guide you through the process of acceptance of the various teams.
Soapbox Security offers through its Optimised Vulnerability service a unique service that optimizes the management of your vulnerabilities within your enterprise through security quantification.
The holistic approach guides you through the entire process from the basics (policy) to communicating your success metrics to your executive management.
We have successfully led a program for optimized vulnerability management for a large US corporation for over ten years. We developed and delivered automated solutions and regularly reported to executive management.
Our framework won multiple awards from RSA and CSO magazine. It has been published and presented at major security conferences around the world.
Let's work together
Our team will always be happy to work with you.
Feel free to contact us by telephone +31850470062 or via the form and we will be sure to get back to you as soon as possible.
"*" indicates required fields