Crafting a Successful Vulnerability Management Process Framework



This is the third and last blog in a three-part series on the gaps in many vulnerability management programs. Focusing on the core elements or “stool legs” of technology, people and process, this third blog post examines the role of process. Catch up on the series by reading the previous blogs covering the technology and people legs.



Process: Crafting the Framework for Success

To facilitate effective people and technology management, process is imperative. This last leg of the three-legged stool focuses on establishing repeatable processes and transparent priorities.



Challenges in Establishing Robust Processes

While technology and skilled professionals are essential components of vulnerability management, the absence of well-defined processes can undermine these efforts—leading to inefficiencies, confusion and missed opportunities.


To define clear workflows for vulnerability management, I recommend outlining the steps from detection to remediation. A team can leverage automation to streamline and enforce the defined processes, reducing the risk of human error and improving consistency. By fostering a culture of continuous improvement, in which processes are regularly reviewed and refined based on lessons learned and a changing threat landscape, a vulnerability management team can build a more robust framework.


Defining clear workflows for vulnerability management is a foundational step in building a robust cybersecurity framework. Begin with a comprehensive understanding of your organization's IT landscape: identify critical assets, the network architecture and potential vulnerabilities. Conduct a thorough asset inventory and risk assessment to prioritize the areas that require immediate attention. Next, define basic processes for vulnerability detection, assessment and remediation, starting with a simplified workflow that covers the essential steps. Document these baseline processes, making roles, responsibilities and communication channels clear. To round out these initial steps, explore established cybersecurity frameworks such as NIST, ISO 27001 or the CIS Controls, which provide guidelines for vulnerability management processes, and tailor them to the organization's specific needs and requirements.



The Heart of Effective Vulnerability Management

Not all vulnerabilities are equal in severity. Failing to prioritize risks based on their potential impact can lead to a misallocation of resources. Integrating real-time threat intelligence to understand the current threat landscape is paramount.


To successfully incorporate actionable intelligence into vulnerability management, it is crucial to provide feedback on current intelligence and ask how that intelligence is relevant to your operations and organization; this is what drives prioritization. By giving the intelligence team visibility into the critical systems and software, and requesting a risk profile for each of those systems, vulnerability management teams can support the refined collection of real-time and long-standing threats to those systems. In turn, the intelligence team can provide information on relevant threat actor techniques, tooling and attack vectors or scenarios. Finally, to ensure a strategic and targeted approach, I recommend conducting a business impact analysis that assesses vulnerabilities based on their potential impact on critical business functions.
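The workflow and prioritization ideas above (a detection-to-remediation process that automation can enforce, intelligence-driven prioritization, and a business impact analysis that feeds asset risk profiles) can be expressed as a small model. The following is an added example written for this post, not code from the author or from Optiv; the scoring weights, the P1-P4 thresholds, the SLA targets, the asset criticality tiers and the sample findings are all assumptions constructed for illustration, and the vulnerability ids are placeholders rather than real CVEs.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed output of the business impact analysis: asset -> criticality tier
# (1 = supports a critical business function, 3 = low impact). Constructed.
ASSET_CRITICALITY = {
    "erp-db-01": 1,
    "customer-portal": 1,
    "build-agent-07": 2,
    "kiosk-lobby": 3,
}

# Assumed remediation SLA per priority, in days from detection.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

# Allowed workflow transitions; anything else is rejected so the documented
# process (detect -> triage -> assign -> remediate -> verify) is enforced.
TRANSITIONS = {
    "detected": {"triaged"},
    "triaged": {"assigned", "risk_accepted"},
    "assigned": {"remediated"},
    "remediated": {"verified", "assigned"},  # failed verification returns to assigned
}

# Reporting date used for the sample queue below (constructed).
AS_OF = date(2024, 2, 10)


@dataclass
class Finding:
    vuln_id: str              # placeholder id, constructed for the example
    asset: str
    cvss: float               # base severity score, 0-10
    exploited_in_wild: bool   # supplied by the threat intelligence team
    exposed_externally: bool  # supplied by the asset inventory
    detected: date
    status: str = "detected"


def priority(f: Finding) -> str:
    """Turn severity, threat intel and asset criticality into a P1-P4 priority."""
    tier = ASSET_CRITICALITY.get(f.asset, 3)  # unknown asset: treat as low tier
    score = f.cvss
    if f.exploited_in_wild:
        score += 3.0           # active exploitation outweighs raw CVSS
    if f.exposed_externally:
        score += 2.0
    score -= (tier - 1) * 2.0  # less critical assets lose urgency
    if score >= 10:
        return "P1"
    if score >= 7:
        return "P2"
    if score >= 4:
        return "P3"
    return "P4"


def due_date(f: Finding) -> date:
    """Remediation deadline implied by the priority's SLA."""
    return f.detected + timedelta(days=SLA_DAYS[priority(f)])


def advance(f: Finding, new_status: str) -> Finding:
    """Move a finding along the workflow, rejecting undefined transitions."""
    allowed = TRANSITIONS.get(f.status, set())
    if new_status not in allowed:
        raise ValueError(f"{f.vuln_id}: cannot go from {f.status} to {new_status}")
    f.status = new_status
    return f


def build_queue(findings, today: date):
    """Ordered remediation queue: highest priority first, earliest deadline first."""
    open_findings = [f for f in findings if f.status not in ("verified", "risk_accepted")]
    ranked = sorted(open_findings, key=lambda f: (priority(f), due_date(f)))
    return [
        {"vuln_id": f.vuln_id, "priority": priority(f), "due": due_date(f),
         "overdue": due_date(f) < today, "status": f.status}
        for f in ranked
    ]


# Constructed sample findings (ids are placeholders, not real CVEs).
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "erp-db-01", 9.8, True, False, date(2024, 1, 10)),
    Finding("VULN-0002", "kiosk-lobby", 9.8, False, False, date(2024, 1, 10)),
    Finding("VULN-0003", "customer-portal", 6.5, False, True, date(2024, 1, 5)),
    Finding("VULN-0004", "build-agent-07", 7.5, True, False, date(2024, 1, 12)),
    Finding("VULN-0005", "laptop-unknown", 3.1, False, False, date(2024, 1, 15)),
]

if __name__ == "__main__":
    for row in build_queue(SAMPLE_FINDINGS, AS_OF):
        print(row)
```

The point worth noticing in the sample data is that two findings with the same CVSS score of 9.8 land in different priorities: the one on the critical ERP database with active exploitation becomes P1 with a seven-day SLA, while the one on a low-tier lobby kiosk drops to P3. The `advance` function is the enforcement side of the process: a finding cannot jump from "assigned" straight to "verified", which is the kind of shortcut that produces the inconsistent reporting described later in this post.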



Real-World Scenario

When working with clients, we often find that organizations have capable individuals and technologies to handle vulnerability management. However, sometimes the third critical piece is missing – the establishment of robust processes.


In a recent engagement, we found ourselves dealing with a company that had neglected to establish a solid foundation of processes. The organization had initiated a vulnerability management program (at least they thought they had) without the backbone of process in place. The client was struggling with inconsistent reporting, communication failures and, ultimately, a lack of effective remediation. The teams involved found themselves in a state of confusion, lacking guidance on how to operate an efficient vulnerability management program. This led to valuable people leaving the company, ultimately causing the second leg of the VM stool to fail as well.


This scenario underscores the critical importance of not just having capable individuals and advanced technology, but also of implementing well-defined processes. To enhance a vulnerability management program suffering from similar concerns, I recommend the following steps:


  • Develop well-defined policies that govern the program. Such policies should clearly articulate the roles and responsibilities of each team and its members, establish reporting protocols and outline the steps for remediation. These policies form the base of the entire VM process.
  • Create detailed standard operating procedures (SOPs) that serve as a guide for executing tasks spelled out in the policies.
  • Conduct regular audits and establish a continuous improvement framework to review policies and procedures.



Conclusion: Forging a Resilient Foundation

In the intricate dance of vulnerability management, the three-legged stool metaphor epitomizes the delicate balance required to navigate the complexities of the digital landscape. By acknowledging and addressing the challenges within each leg (technology, people and processes), organizations can forge a resilient foundation that is more capable of defending against evolving cyber threats. An imbalanced or missing leg of the three-legged VM stool increases the risk of inadequate responses to cyber threats, human error and overall inefficiency, which ultimately lead to a security incident.


Organizations that invest in cohesive, integrated and forward-looking vulnerability management strategies will not only safeguard their digital assets, but also position themselves as leaders in the ongoing battle against cyber adversaries. The path to cybersecurity resilience is an ongoing journey—one that requires continuous adaptation, collaboration and commitment to the principles that underpin the three-legged stool of technology, people and processes.

Shaun Kummer
Vulnerability Management and Remediation Practice Leader | Optiv
Shaun leads Optiv’s Vulnerability Management and Remediation practice, a part of the Threat business unit. He helps organizations design, deploy and solve problems within their vulnerability management programs. Shaun’s approach is pragmatic, ensuring practical solutions that address real-world issues and help organizations navigate the complexities of security challenges.

Shaun’s diverse career spans federal and local governments, as well as corporate environments. Before joining Optiv, his focus was primarily on corporate threat and vulnerability management. Notably, Shaun is a U.S. Army and law enforcement veteran, having served in Military Intelligence, HUMINT and law enforcement roles.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit