The essential ingredients of an effective vulnerability management plan.

The second of a multi-part series in controlling the chaos of vulnerability management. Read Part 1 here.

In the first part of this series, we established that vulnerability scanning is not a vulnerability management plan. Scanning is but one part of a comprehensive VM (Vulnerability Management) plan that addresses all five of the following stages.

  • Scan for vulnerabilities using any number of scanner integrations.
  • Correlate and prioritize scan data alongside data from asset inventories, threat intelligence, and other business context.
  • Launch analyst investigations to determine the best fix while tracking progress and outcome.
  • Triage high-impact vulnerabilities and implement long-term fixes to mitigate ongoing and sustained risk to infrastructure.
  • Measure progress, report on risk, track vulnerabilities, and make decisions on budget and program priority. REPEAT!
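As an added example (not part of the original post, and not Nucleus's own code), the following Python sketch walks the five stages end to end on constructed data: it normalizes findings from two differently formatted scanner feeds into one finding per asset and vulnerability, weights each finding by asset criticality, internet exposure and a threat-intelligence "exploited in the wild" list, assigns a priority with an SLA window, records fix outcomes, and produces the open-count, overdue and mean-time-to-remediate figures a program report needs. All hosts, IPs, CVE ids, scores, weights and SLA windows are placeholders chosen for illustration.

```python
"""Illustrative five-stage VM pipeline on constructed sample data.
The CVE ids below are placeholders, not real vulnerabilities."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Stage 1 (constructed): raw findings as two different scanners might emit them.
SCANNER_A = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "db-01", "cve": "CVE-0000-0002", "cvss": 7.5},
]
SCANNER_B = [
    {"ip": "10.0.0.5", "vuln_id": "CVE-0000-0001", "severity": "critical"},  # same issue as web-01 above
    {"ip": "10.0.0.9", "vuln_id": "CVE-0000-0003", "severity": "medium"},
]
SEVERITY_TO_CVSS = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 2.5}

# Business context (constructed): asset inventory plus a threat-intel feed of
# vulnerabilities known to be exploited in the wild. Weights are illustrative.
ASSETS = {
    "web-01": {"ip": "10.0.0.5", "criticality": 3, "internet_facing": True, "owner": "web-team"},
    "db-01": {"ip": "10.0.0.7", "criticality": 3, "internet_facing": False, "owner": "dba-team"},
    "dev-02": {"ip": "10.0.0.9", "criticality": 1, "internet_facing": False, "owner": "dev-team"},
}
EXPLOITED_IN_WILD = {"CVE-0000-0002"}
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}  # assumed remediation windows per priority


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    score: float = 0.0
    priority: str = "P3"
    opened: date = date(2024, 1, 1)  # constructed discovery date
    closed: Optional[date] = None


def normalize() -> dict:
    """Stage 1: merge both scanner feeds into one Finding per (asset, cve)."""
    ip_to_asset = {a["ip"]: name for name, a in ASSETS.items()}
    merged = {}
    for f in SCANNER_A:
        merged[(f["host"], f["cve"])] = Finding(f["host"], f["cve"], f["cvss"])
    for f in SCANNER_B:
        asset = ip_to_asset.get(f["ip"], f["ip"])  # resolve IP via inventory
        key = (asset, f["vuln_id"])
        cvss = SEVERITY_TO_CVSS[f["severity"]]
        if key in merged:
            merged[key].cvss = max(merged[key].cvss, cvss)  # one ticket, not two
        else:
            merged[key] = Finding(asset, f["vuln_id"], cvss)
    return merged


def prioritize(findings: dict) -> list:
    """Stage 2: weight CVSS by asset criticality, exposure and threat intel."""
    for f in findings.values():
        ctx = ASSETS.get(f.asset, {"criticality": 1, "internet_facing": False})
        f.score = f.cvss * ctx["criticality"]
        if ctx["internet_facing"]:
            f.score *= 1.5
        if f.cve in EXPLOITED_IN_WILD:
            f.score *= 2.0
        f.priority = "P1" if f.score >= 40 else "P2" if f.score >= 15 else "P3"
    return sorted(findings.values(), key=lambda f: f.score, reverse=True)


def close(f: Finding, on: date) -> None:
    """Stages 3 and 4: record the outcome once the investigation and fix land."""
    f.closed = on


def report(findings: list, today: date) -> dict:
    """Stage 5: open counts per priority, SLA breaches, mean days to fix."""
    open_by_priority = {p: 0 for p in SLA_DAYS}
    overdue, fixed_days = [], []
    for f in findings:
        if f.closed is None:
            open_by_priority[f.priority] += 1
            if today > f.opened + timedelta(days=SLA_DAYS[f.priority]):
                overdue.append((f.asset, f.cve, f.priority))
        else:
            fixed_days.append((f.closed - f.opened).days)
    mttr = sum(fixed_days) / len(fixed_days) if fixed_days else None
    return {"open": open_by_priority, "overdue": overdue, "mttr_days": mttr}


if __name__ == "__main__":
    queue = prioritize(normalize())
    for f in queue:
        print(f.priority, f.asset, f.cve, round(f.score, 1), ASSETS.get(f.asset, {}).get("owner"))
    close(queue[0], date(2024, 1, 5))
    print(report(queue, date(2024, 1, 20)))
```

The ordering is the point: the database host's CVSS 7.5 finding outranks the web host's 9.8 because threat intelligence says it is being exploited, which is exactly the kind of context a raw scanner report cannot supply. Deduplicating across scanners before ticketing keeps the analyst queue honest, and the report function gives the budget and priority conversation numbers instead of a raw finding count.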

If you are in the process of building, modernizing, or optimizing your Vulnerability Management program, our recommendation is to create a VM plan that addresses all five stages.

Most organizations already have a library of security plans, such as Backup & Recovery, Incident Response (IR), and Contingency Plans. However, very few organizations have a well-documented VM plan that lays out the organizational objectives relating to VM, and the people, processes and technologies needed to accomplish them.

Having a plan in place will help in myriad ways. Specifically, a well-defined VM plan will help:

  • Force the conversations, decisions and agreements that are crucial to the long-term success of the VM program.
  • Identify the gaps in your organization’s existing vulnerability management processes.
  • Ensure that each person and team understands their role in the vulnerability management program, and what is expected of them.
  • Evaluate VM products for their alignment with your specific VM objectives and desired outcomes.
  • Justify the need for budget and resources to management, support the evaluation of VM products and better technology procurement decisions, and help the risk management team determine where gaps exist.

Note that during this planning process, many organizations discover that they do not have the resources to accomplish the objectives internally. There may even be a strong business case for outsourcing your VM program in full or in part. This is a fairly widespread practice, and it’s why Nucleus has an MSSP (Managed Security Service Provider) Partner Program with a portfolio of small to large providers that offer vulnerability management among other services.

Here at Nucleus, we view a VM program as an aggressively proactive approach to crushing vulnerabilities. You want to organize and orchestrate all the processes within your program in a robust and scalable way to ensure your objectives are met, including protecting the value of the enterprise and its assets.

Part 1: Scanning Ain’t Planning. Why you need more than just tools to manage vulnerabilities.