CIOReview
DECEMBER 2022

IN MY OPINION

MATURITY OF VULNERABILITY MANAGEMENT IN SECURING AN ORGANIZATION'S IT ASSETS

By Nichole Bray, Director of Vulnerability Management, Global Tech Information Security, Walmart

Technology is used in every part of our lives, and new solutions are continuously being developed.

These solutions are more complex, integrated and essential. The speed of resolving technology weaknesses has become more crucial and requires building in security at all levels.

Organizations must have a defense against known security flaws and processes for keeping up with emerging security challenges.

Vulnerability Management fulfills this critical role as the process of identifying, evaluating, addressing and reporting security issues in systems and the software deployed. The continuous lifecycle affords a persistent level of defense and is an integral part of any security strategy. The outcome is understanding where and how a company's data lives and is accessed, identifying where potential weaknesses exist, evaluating them against the security controls deployed, and making informed decisions about which corrections are necessary and how quickly they must be made to ensure company assets and customer data are secure.

This is essential for prioritizing possible threats and minimizing the attack surface. It is a discipline that is constantly evolving and requires a balance of science and art.

Success rests in understanding the extent of the organization's environment and its changes. Accuracy in data is vital to addressing any identified finding: pinpointing where a weakness exists, knowing who is responsible for that technology, and knowing how it can be leveraged as a threat. Most important is company culture, commitment and leadership dedication to data security.

Vulnerability Management today

Traditionally, this discipline has been regarded as port scanning of a company's external IP space and ensuring a sound patch management program is in place to address security weaknesses associated with third-party systems. Over time, capabilities and advancements have provided clearer knowledge of the environment and deeper insights into where security issues exist. This will continue to evolve as a staple in securing a company's IT assets.

Identification: Vulnerability identification has expanded to include investigating for misconfigurations, poor processes in access control, lack of system maintenance for known threat vectors and insecure coding practices. Innovation in exposure detection continues to deliver new tools and solutions to enable more robust examination and monitoring for security flaws. Identification not only detects irregularities at the specific instance level, but also explores the extent of potential impact and provides steps to resolve exposure.

Prioritization: Not all things are created equal, including security issues. Determining the threat and risk from exposures requires