Vulnerability Management: Is In-Sourcing or Outsourcing right for you?
September 1, 2020
As the cyber threat landscape continues to grow ever larger and more complex, so does the ability to identify and evaluate weaknesses in your own defenses. That’s why vulnerability management (VM) should be considered a specialized area of expertise.
In this three-part series, we first discussed what a vulnerability assessment is and why it’s important. If you want to learn the difference between a vulnerability scan and an assessment as well as why you need to include this valuable tool in your cybersecurity program, you can access that post here.
Then, we explored the attributes of a robust vulnerability management program. To learn what makes up a vulnerability management program capable of providing a deeper understanding and control over organizational information security risks, access that post here.
In this article, the last of three, we’ll examine the different components of vulnerability management and when and where outsourcing makes sense for your program.
What is Vulnerability Management?
Vulnerability management is defined by Techopedia as “a security practice specifically designed to proactively mitigate or prevent the exploitation of IT vulnerabilities which exist in a system or organization.”
VM is further broken down into separate phases to help get the job done. These are; identifying threats, classifying them in terms of risk, prioritizing them according to their potential impact, remediating those that can be fixed, and mitigating as much as possible those that cannot through the implementation of compensating controls.
Most scanners rely upon the National Vulnerability Database for the reference data of vulnerabilities published by software manufacturers. Since new threats and vulnerabilities are constantly being discovered and published in the NVD, the process is cyclical and never-ending – one with which many organizations struggle to keep up.
Problems with In-House Vulnerability Management
Typically, especially with smaller companies, VM has either been ignored or been inconsistently handled with a tactical focus by the existing IT team without much thought being given to governance. For those with fewer dollar resources and smaller networks, this used to make sense. However, the problems many companies have with this model often boil down to a) a lack of expertise in emerging threats; b): an inability to effectively prioritize which ones have the potential to harm their business the most; and c): an inadequate or non-existent governance model which is aligned with the organization’s risk management process.
This means that many businesses may do a periodic scan of their systems but likely don’t understand what needs to be done first, second or third; how quickly it needs to be done, or how to measure success.
For the organization choosing to manage this themselves, finding and retaining skilled professionals can be challenging in today’s job market.
Is Outsourcing Right for You?
Since VM cannot be ignored, you may want to consider outsourcing for the reasons mentioned above. You should ask yourself questions such as:
Do I have the budget to expand my IT department?
Do I have access to the right pool of talent to hire, train and retain internal staff?
How big is my organization's attack surface?
Am I in a high-risk industry (such as retail or medicine) where a breach would be devastating to my enterprise and our clientele?
While size is a factor, both small and large companies can benefit from leveraging the expertise of a partner. Small companies can get enterprise-level services for a fraction of the cost of supporting full-time employees; large companies can relieve their IT departments of time-consuming tasks and still save money.
This allows for both to focus on their core competencies – the outsource provider brings platform and process expertise to the table to help guide program maturity while handling the grind of scanning, analysis, and reporting. This frees up the customer organization to focus on operating their business and handling strategic technology initiatives.
A qualified third-party company that specializes in VM already has certified security professionals on board who are not only up to speed with the latest threats, but always use the most effective detection tools and are in the loop of important new information.
Choosing the Right VM Company
If you answered in the affirmative to outsourcing VM, you’ll want to know how to select a company that is truly going to help you shore up the weaknesses in your defenses. First, you want one that has years of experience protecting businesses and offers dedicated support 24/7.
Crucially, they need to have a team of certified consultants skilled in the application of industry-standard frameworks like NIST CSF and MITRE ATT&CK to assess all vulnerabilities.
Lastly, you will want a company that will give you expert advice about mitigating threats that you need to keep your business running smoothly. For a more detailed comparison of in-house vs. outsourcing managed security services, download this free report.
