
The key to having a good information security program within your organization is having a good vulnerability management program. Most, if not all, regulatory policies and information security frameworks advise having a strong vulnerability management program as one of the first things an organization should do when building its information security program.

The Council on Cyber Security specifically lists it as number four in the Top 20 Critical Security Controls.

Over the years, I’ve seen a variety of different vulnerability management programs and worked with many companies with various levels of maturation in their VM programs. This post will outline the five stages of maturity based on the Capability Maturity Model (CMM) and give you an idea as to how to take your organization to the next level of maturity.

What is the Capability Maturity Model?

The CMM is a model that helps develop and refine a process in an incremental and definable way. More information on the model can be found here. The five stages of the CMM are Initial, Managed, Defined, Quantitatively Managed and Optimizing:

[Figure: CMMI Staged Approach]

Stage 1: Initial

In the ‘Initial’ stage of a vulnerability management program there are generally minimal processes and procedures, if any. The vulnerability scans are done by a third-party vendor as part of a penetration test or part of an external scan. These scans are typically done from one to four times per year at the request of an auditor or a regulatory requirement.

The vendor who does the audit will provide a report of the vulnerabilities within the organization. The organization will typically remediate any ‘Critical’ or ‘High’ risks to ensure that they remain compliant. The remaining information gets filed away once a passing grade has been given.

I recently wrote a post on how security is not just a check box anymore. If you are still in this stage, you are a prime target for an attacker. It would be wise to begin maturing your program if you haven’t started already.

Stage 2: Managed

In the ‘Managed’ stage of a vulnerability management program, vulnerability scanning is brought in-house. The organization defines a set of procedures for vulnerability scanning, purchases a vulnerability management solution and begins to scan on a weekly or monthly basis. Unauthenticated vulnerability scans are run, and the security administrators begin to see vulnerabilities from an exterior perspective.

Most organizations I see in this stage do not have support from their upper management, leaving them with a limited budget. This results in purchasing a relatively cheap solution or using a free open source vulnerability scanner. While the lower-end solutions do provide a basic scan, they are limited in the reliability of their data collection, business context and automation.

Using a lower-end solution could prove problematic in a couple of ways. The first is the accuracy and prioritization of your vulnerability reporting. If you begin to send reports to your system administrators with a bunch of false positives, you will immediately lose their trust. They, like everyone else these days, are very busy and want to make sure they are using their time effectively. Having the trust of the system administrators is a crucial component of an effective vulnerability management program.

The second problem is that even if you verify that the reported vulnerabilities are real, how do you prioritize which ones they should fix first? Most solutions offer a High, Medium, Low rating or a 1-10 score. With the limited resources system administrators have, they realistically can only fix a few vulnerabilities at a time. How do they know which 10 is the most urgent 10, or which High is the most urgent High? Without appropriate prioritization, this can be a daunting task.

Stage 3: Defined

In the ‘Defined’ stage of a vulnerability management program the processes and procedures are well-characterized and understood throughout the organization. The information security team has support from their executive management, as well as trust from the system administrators.

At this point, the information security team has proven that the vulnerability management solution they chose is reliable and safe for scanning on the organization’s network. Authenticated vulnerability scans are run on a daily or weekly basis with audience-specific reports being delivered to various levels in the organization. The system administrators receive specific vulnerability reports, while management receives vulnerability risk trending reports.

Vulnerability management state data is shared with the rest of the information security ecosystem to provide actionable intelligence for the information security team.

The majority of organizations I’ve seen are somewhere between the ‘Managed’ and the ‘Defined’ stage. As I noted above, a very common problem is gaining the trust of the system administrators. If the solution that was initially chosen did not meet the requirements of the organization, it can be very difficult to regain their trust.

Stage 4: Quantitatively Managed

In the ‘Quantitatively Managed’ stage of a vulnerability management program, the specific attributes of the program are quantifiable and metrics are provided to the management team. The following is a summary of the automation metrics recommended by the Council on Cyber Security:

  1. What is the percentage of the organization’s business systems that have not recently been scanned by the organization’s vulnerability management system?
  2. What is the average vulnerability score of each of the organization’s business systems?
  3. What is the total vulnerability score of each of the organization’s business systems?
  4. How long does it take, on average, to completely deploy operating system software updates to a business system?
  5. How long does it take, on average, to completely deploy application software updates to a business system?

These metrics can be viewed holistically as an organization or broken down by the various business units to see which business units are reducing their risk and which are lagging behind.
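As an added illustration, not code from the original post, here is how those five automation metrics can be computed over an asset inventory and rolled up both organization-wide and per business unit, with units ranked worst-first on any one metric. The inventory records, the field names and the 30-day definition of "recently scanned" are assumptions constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed sample inventory (not real scan data): one record per business system
# with its unit, days since last scan, open finding scores and patch-deployment times.
@dataclass
class System:
    name: str
    unit: str
    days_since_scan: int
    finding_scores: list[float]
    os_patch_days: int   # days to fully deploy the last OS update
    app_patch_days: int  # days to fully deploy the last application update

INVENTORY = [
    System("web-01", "Retail", 3, [9.8, 7.5, 5.3], 12, 30),
    System("web-02", "Retail", 45, [7.5], 20, 35),
    System("db-01", "Finance", 2, [], 5, 9),
    System("erp-01", "Finance", 6, [6.1, 4.3, 4.3], 7, 14),
    System("hr-01", "HR", 90, [9.8, 9.1], 60, 75),
]
RECENT_SCAN_DAYS = 30  # assumed policy: "recently scanned" means within 30 days

def metrics(systems: list[System]) -> dict[str, float]:
    """The five automation metrics, rolled up over one slice of the inventory."""
    stale = sum(1 for s in systems if s.days_since_scan > RECENT_SCAN_DAYS)
    # A system with no open findings scores 0; it is not excluded from the average.
    avg_scores = [mean(s.finding_scores) if s.finding_scores else 0.0 for s in systems]
    total_scores = [sum(s.finding_scores) for s in systems]
    return {
        "pct_not_recently_scanned": round(100.0 * stale / len(systems), 1),
        "avg_vuln_score": round(mean(avg_scores), 2),
        "total_vuln_score": round(mean(total_scores), 2),
        "os_patch_days": round(mean([s.os_patch_days for s in systems]), 1),
        "app_patch_days": round(mean([s.app_patch_days for s in systems]), 1),
    }

def metrics_by_unit(inventory: list[System]) -> dict[str, dict[str, float]]:
    """Org-wide row under 'ALL' plus one row per business unit."""
    report = {"ALL": metrics(inventory)}
    for unit in sorted({s.unit for s in inventory}):
        report[unit] = metrics([s for s in inventory if s.unit == unit])
    return report

def laggards(report: dict[str, dict[str, float]], metric: str) -> list[str]:
    """Business units ordered worst-first on one metric (higher is worse for all five)."""
    units = [u for u in report if u != "ALL"]
    return sorted(units, key=lambda u: report[u][metric], reverse=True)
```

Tracking the same report over successive scan cycles shows which units are trending down and which are lagging behind.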

Stage 5: Optimizing

Lastly, in the ‘Optimizing’ stage, the metrics defined in the previous stage are targeted for improvement. Optimizing each of the metrics will ensure that the vulnerability management program continuously reduces the attack surface of the organization. The information security team should work together with the management team to set attainable targets for the vulnerability management program. Once those targets are met consistently, new and more aggressive targets can be set with the goal of continuous process improvement.


As one of the top four of the Top 20 Critical Security Controls, vulnerability management is one of the first things that should be implemented in a successful information security program. Ensuring the ongoing maturation of your vulnerability management program is a key to reducing the attack surface of your organization. If we can each reduce the surface the attackers have to work with, we can make this world more secure, one network at a time!
