Vulnerability Management Needed for Security, Study Says
- By Jabulani Leffall
- 08/22/08
Organizations can avoid attacks and minimize security cost overruns by practicing IT vulnerability management, according to a July study published by the Aberdeen Group. The study presents solutions for IT pros, helping them prioritize their patch management strategies for operating systems, applications, and network security frameworks.
Ignoring the issues won't work, according to Derek Brink, author of the study and vice president and research fellow for IT security at the Boston-based Aberdeen Group.
"Unfortunately, each week brings a new wave of threats and vulnerabilities to be managed," Brink said. "Ignoring or deferring patches for known vulnerabilities is not a responsible strategy, nor is it reasonable for most companies to disconnect their business from the Internet. So managing vulnerabilities simply has to be done."
Aberdeen's study--titled "Vulnerability Management: Assess, Prioritize, Remediate, Repeat"--describes what some respondents are doing to foster an effective vulnerability management program.
The "best-in-class" firms described in the study shared several common characteristics. For example, 70 percent of respondents in this category have consistent policies for managing patches and vulnerabilities. Moreover, 67 percent say they monitor external sources for vulnerabilities, threats and remediation tactics. Lastly, 93 percent of those polled maintained an inventory of all IT assets, along with conducting regular patch scans.
For every dollar invested in vulnerability management programs, companies can avoid $1.91 in vulnerability fix-related costs, for a marginal return on investment of 91 percent, according to the report.
The report suggests four essential steps to implementing a vulnerability management program that pays off.
The first step is to understand the computer processing environment--how it works, what IT assets are essential and what threats pose the greatest risk to the organization.
Second, prioritization is important. IT pros should maintain a constant inventory of all IT assets, along with a database of known vulnerabilities and fixes. Run an initial risk assessment. As with Patch Tuesday hotfixes, know what requires the greatest attention and what's critical versus important.