This IDC PlanScape provides a step-by-step guide for building, enhancing, and running a vulnerability management capability. Setting up a vulnerability scanner and scanning the most obvious company systems is relatively easy. Extending that to full coverage of the entire IT landscape, and following up to resolve identified vulnerabilities and their root causes, is more difficult and requires extensive cooperation between business and IT. Beyond the complexity of resolving and managing vulnerabilities, a vulnerability management capability needs leadership buy-in so that business and IT give vulnerability resolution the right priority alongside their other competing priorities.

"The vulnerability management process is critical in identifying and resolving potential vulnerabilities," says Nick Kirtley, adjunct research advisor for IDC's IT Executive Programs (IEP). "The security team, business, and IT must work together to reduce vulnerabilities and manage vulnerability-related risk. This shuts the door to attackers trying to do harm to your business."
IDC PlanScape Figure
Executive Summary
Why Is Vulnerability Management Important?
Identification of Vulnerabilities
Remediating and Managing Vulnerabilities
Vulnerability Management Highlights the Overall Health of the IT Landscape
What Is Vulnerability Management?
Vulnerability Scanning
Other Methods and Tooling to Identify Vulnerabilities
Managing, Mitigating, and Remediating Vulnerabilities
Vulnerability Severity and Risk
Who Are the Key Stakeholders?
How Can My Organization Take Advantage of Vulnerability Management?
Begin with a Foundational Vulnerability Management Capability
Improve Your Understanding of the IT Landscape
Periodically Monitor Scanning Results
Speak the Language of IT Teams and Business Departments
Improve Cooperation with Other Security Teams and Capabilities
Improve Cooperation with Third-Party IT Service Providers Where Relevant
Reduce Vulnerabilities at Scale Where Possible
Improve Reporting
Improve Vulnerability Remediation Prioritization with Severity Data and Contextual Review