How Good is Your Vulnerability Management Shopping List?
Buyers always identify multiple factors when they evaluate technical solutions, and they try to choose the features that are most important to their business to navigate the sea of possible solutions.
It’s important to define the most important qualities for your unique business when you’re considering the purchase of a vulnerability management product. And while this is the same process used in most software purchase decisions, in my view, it’s the place where a lot of buyers of VM products make crucial mistakes.
The problem is that they tend to focus too much on technical requirements like coverage breadth, speed and configuration details.
This is not to say that the technical requirements of a VM solution aren’t a critical part of the decision making process. They absolutely are, but there are some business requirements that should be near the top of your VM purchase checklist as well, and these deserve the same level of attention given to technical requirements but they don’t typically get them.
I know that some people will think that if the technical requirements are met, the business requirements will follow but I disagree. In my experience, too often IT and security buying decisions are lead by technical requirements instead of business requirements.
IT is a service organization to the company and the business needs sometimes need to trump technical needs– here’s why.
One Size Doesn’t Fit All
The way a VM solution reporting tools fit into your business process is crucial. If you don’t factor this into your purchase decision, and the system you buy isn’t a good fit, you will never be able to realize the full value vulnerability management.
Or, like many organizations, you may be able to eventually realize that value but it will take a lot of custom integration development and slow down the process tremendously.
So, if reporting is that important, how should you evaluate proposed solutions fit for existing business and/or security processes?
How Solid is Your Foundation?
Before I can answer that question, I need to digress a bit because the root of this issue is resources. The reality is that managing the vulnerability management program is resource intensive. Many organizations start vulnerability management with high expectations and immediately scan all their assets.
After all, the concept of vulnerability management is pretty simple; scan, remediate or mitigate, repeat. The reality is that this ‘simple’ process can consume a lot of resources and time, not just from the security team but from several other departments.
Vulnerability management is a cornerstone of effective security programs, and like any foundation, it touches and supports many other areas.
Integration and Dis-integration
With this reality mind, it’s important to consider how potential VM solutions integrate with existing business tools and processes such as ticketing systems, ERP solutions, governance programs like COBIT or SOX and various reporting tools.
Don’t stop there though. Spend some time considering if / how information the proposed VM solution will integrate with other security and IT tools such as a SIEM, DLP solutions, firewalls, IPS devices, configuration management tools, patch management and asset management tools.
If your company is lucky enough to have internal IT development staff, or if you have the budget to contract with professional services experts to do custom integration work, be sure to factor that into the cost of implementing the solution.
It goes without saying that you’re going to need to ensure the VM solution has an API robust enough to integrate well the various tools that are important in your business.
Reporting for Duty
Let’s face it; the abundance of data a vulnerability management solution collects can be daunting or even overwhelming. As an example, with Tripwire’s IP360 product, a scan of a single Windows domain controller can easily create a report that is 3 pages long.
Extracting the data that’s meaningful and actionable to various stakeholders is crucial to the success of the VM program. Since executives are typically more concerned with governance than the details of security implementation, you need to ensure the system you select can report high level metrics that will demonstrate the effectiveness of the vulnerability management program over time.
Middle management will also be interested in program effectiveness but they also want a VM solution that provides actionable tasks for tactical staff. Tactical staff needs clear direction that’s solution oriented.
These teams need details that show exactly which configuration parameters to change on specific end points or the specific patches that should be installed. As you can see, vulnerability management reporting programs need to address the needs of many different audience types.
That’s why companies evaluating vulnerability management solutions should keep the big picture of business requirements in mind during the buying process.
Integration with existing business processes and the importance of targeted reporting are just two factors to consider in buying a VM product, but they are crucial items that can easily get lost in the shuffle during the purchase process.
Don’t let that happen to you– spend the time up front consulting with the parts of your business VM will touch so you understand their requirements and then update your checklist accordingly.