Maturity of Vulnerability Management in Securing an Organization's IT Assets

Nichole Bray, Director of Vulnerability Management, Global Tech Information Security, Walmart

Nichole Bray, Director of Vulnerability Management, Global Tech Information Security, Walmart

Technology is used in every part of our lives and new solutions are continuously being developed.These solutions are more complex, integrated andessential. The speed to resolving technology weaknesses has become more crucial and requires building in security at all levels.Organizations must have a defense against known security flaws and processes for keeping up with emerging security challenges.

Vulnerability Management fulfills this critical role as the process of identifying, evaluating, addressing and reporting security issues in systems and the software deployed. The continuous lifecycle affords a persistent level of defense and is an integral part of any security strategy. The outcome is understanding where and how a company’s data lives and is accessed, identifying where potential weaknesses exist, evaluating them against security controls deployed and making informed decisions about necessary corrections and how quickly to ensure company assets and customer data are secure.This is essential for prioritizing possible threats and minimizing attack surface; a discipline constantly evolving and requiring a balance of science and art.

"Vulnerability Management fulfills this critical role as the process of identifying, evaluating, addressing and reporting security issues in systems and the software deployed"

Success rests in understanding the extent of the organization’s environment and its changes. Accuracy in data is vital to addressing any identified finding; pinpointing where weakness exists as well as knowing who is responsible for that technology and how it can be leveraged as a threat. Most importantly is company culture, commitment and leadership dedication to data security.

Vulnerability Management today

Traditionally, this discipline has been regarded as port scanning of a company’s external IP space and ensuring a sound patch management program is in place to address security weaknesses associated with third-party systems. Overtime, the capabilities and advancements have provided clearer knowledge of the environment and deeper insights into understanding where security issues exist. This will continue to evolve as a staple in securing a company’s IT assets.


Vulnerability identification has expanded to include investigating for misconfigurations, poor processes in access control, lack of system maintenance for known threat vectors and insecure coding practices. Innovation in exposure detection continues to deliver new tools and solutions to enable more robust examination and monitoring for security flaws. Identification not only detects irregularities at the specific instance level,but also explores the extent of potential impact and provides steps to resolve exposure. 


Not all things are created equal, including security issues. Determining the threat and risk from exposures requires acute understanding of the environment, controls deployed and knowledge of attack vectors that can be used for potential exploitation of a weakness against these controls at each level in the security stack. This complex analysis determines the level of severity and prioritization for remediation to deter possible impact to the business.


Remediation of vulnerabilities typically requires actions of the solution owner. This unanticipated work for the technologist can come at any time based on potential exposure, typically against planned schedules and often new to the technologist’s thinking. The art of Vulnerability Management lies in working with the solution owner in resolving issues in a timely manner through clearly communicating the details of the security finding and the associated risk. This often requires collaboration across the enterprise, helping technologists overcome obstacles, training in secure methods, analyzing trends, recognizing and resolving systemic issues, while tracking and reporting resolution to identified findings. This stage of Vulnerability Management is where you see key elements of the company culture in action.


Vulnerability Management efforts often commensurate with the size of the company’s technology footprint. For large companies, this may require a dedicated team to aggregate data from multiple sources and correlate finding details with asset management as well as ownership information in a continuous repeatable process. The sensitive nature of the discoveries would need to have strong controls and available on demand, presented in a consumable way to notify, monitor and track remediation efforts. 

The future

Companies must evolve to stay ahead in today’s global environment. Security and technology must be integrated with the business to adapt to the rapid pace.This involves being vigilant in updating solutions critical to organizations’ operations and mission as well as eliminating solutions with dated/immature security controls to reduce organizations’ security footprint from potential exposure.

Availability and accessibility of cloud processing allow for solutions to be deployed faster, which creates additional challenges for Vulnerability Management.The ephemeral nature of cloud technology can offer a level of obfuscation from threat actors, but does not remove a solution’s weaknesses. This transitory nature also challenges traditional tracking methods for Vulnerability Management. Innovation is providing capabilities for detection of insecure code/configuration and preventing security flaws prior to deployment. As technology changes,ensuring adaptive security controls to protect any environment is crucial. Vulnerability Management will continue to search for weaknesses not detected and for innovative ways to automate mitigation along with providing insight into where education, practices and hardening of controls need to improve.

Read Also

Fighting Fraud is a Combination of Effective Preventive Systems, Use of Skillful Staff and Employee Awareness

Fighting Fraud is a Combination of Effective Preventive Systems,...

Kim Siren, Head of Fraud Management at OP Financial Group
Intentionality Is The Key To Increasing Diversity In Information Technology

Intentionality Is The Key To Increasing Diversity In Information...

Rosemarie Lee, Vice President and Chief Information Security Officer at BlueCross BlueShield of Tennessee