Is Your Vulnerability Management Program Context-Driven?


What if you could minimize your organization’s information security risks, meet your management’s expectations, save time and money, plus boost morale? A context-driven vulnerability management program addresses these goals. By accurately evaluating the true risk associated with identified vulnerabilities, risk-rating your organization’s assets, and combining your evaluated vulnerabilities and risk-rated assets, you will be able to create a context-driven vulnerability management program that benefits your organization, your management, and your team. 


What is a vulnerability management program?

A vulnerability management program is a systematic approach to identifying, prioritizing, and addressing vulnerabilities in an organization’s IT systems and infrastructure. The program is designed to reduce the risk of security breaches and data loss by proactively identifying and mitigating vulnerabilities before they can be exploited by attackers.

The key components of a vulnerability management program typically include:

  1. Asset inventory: A comprehensive inventory of all hardware, software, and data assets that need to be protected.

  2. Vulnerability scanning: Regular scanning of the organization’s systems and applications to identify vulnerabilities and weaknesses.

  3. Risk assessment: A process for analyzing the severity and likelihood of exploitation for each vulnerability, in order to prioritize remediation efforts.

  4. Remediation planning: A plan for addressing identified vulnerabilities, including patching, updating, or replacing systems or applications as needed.

  5. Incident response planning: A plan for responding to security incidents, including protocols for identifying and containing attacks, and restoring systems and data in the aftermath of a breach.

  6. Reporting and communication: Regular reporting on the status of the vulnerability management program to stakeholders, including senior management, IT staff, and external auditors.

Is a critical vulnerability really critical?

Not always. Most organizations use Security Content Automation Protocol (SCAP) scanners to detect vulnerabilities. However, SCAP scanners address only part of the vulnerability management equation. The risk ratings of the vulnerabilities they report are assigned in isolation, based on ratings supplied by third parties. Further, many organizations neglect the exploitability rating of identified vulnerabilities. A vulnerability rated as “Critical” risk with “Very Low” exploitability is very different from a vulnerability rated as “Critical” risk with “Very High” exploitability, and the priority for remediating them should differ accordingly. Evaluating vulnerabilities on these separate attributes permits more realistic action plans in terms of time and resources, and lets organizational risk be identified and addressed more effectively.


Are all assets created equal?

Usually not. Most organizations track their assets and are aware of their varying levels of importance. However, the criticality rating of an organization’s assets is often a neglected part of the equation: most organizations do not systematically review their assets and assign criticality. To do this, the business and IT should collaborate to rate the value of their data, their systems, and the systems that support those systems. Leadership will often be needed to ensure this collaboration occurs, as it is easily pushed aside by more pressing activities. The criticality of a server that is a Domain Controller is very different from that of a server that hosts the cafeteria menu and has limited logical access. Let your asset rating process reflect these differences.

Does your current vulnerability management program function optimally?

Probably not. In many organizations, vulnerability management expectations and SLAs are based on the volume of vulnerabilities rather than on the real risk they represent. In essence, expectations rest on incorrect assumptions that affect the organization and the team in a variety of ways. They typically lead to a higher workload: if the team spends too much time on unimportant tasks, it may miss unidentified risk. The team may be unable to meet its target deadlines and goals, and may be criticized by management for reasons that have not been validated.

Features of a context-driven vulnerability management program

A context-driven vulnerability management program integrates appropriately evaluated vulnerabilities with risk-rated assets to accurately define true risk. Both parts of the equation, vulnerabilities viewed under the lens of exploitability and assets rated by value and criticality, are included to create a context-driven vulnerability management program. A context-driven program is aligned with the business’s risk management process, its Business Impact Analyses (BIA), and/or its Business Continuity / Disaster Recovery efforts. It establishes realistic expectations for the team’s vulnerability management activities: plans are prioritized according to risk, and timing and the team’s efforts become more realistic and effective. We encourage you to revisit how you evaluate your vulnerabilities and rate the risk of your assets.
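To make the combination concrete, here is an added example (not from the article or from Foresite) that ranks scanner findings by scanner severity, exploitability, and asset criticality together. The ordinal scales, the multiplicative scoring, and the sample findings (asset names, finding ids, ratings) are assumptions chosen to mirror the article's contrasts: a "Critical" on a Domain Controller versus the same "Critical" on a cafeteria-menu server, and a "Critical" with "Very Low" versus "Very High" exploitability.

```python
"""Context-driven prioritization of vulnerability findings.
Added example; scoring scheme and sample data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

# Ordinal scales (assumed). Severity is what the SCAP scanner reports;
# exploitability is the second vulnerability attribute the article wants
# considered; criticality is the rating the business and IT assign to the asset.
SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
EXPLOITABILITY = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
CRITICALITY = {"Low": 1, "Medium": 2, "High": 3, "Mission Critical": 4}


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str          # constructed placeholder ids, not real CVEs
    severity: str            # key of SEVERITY
    exploitability: str      # key of EXPLOITABILITY
    asset_criticality: str   # key of CRITICALITY


def context_score(f: Finding) -> int:
    """Multiply the three ratings so a low value in any one dimension pulls the
    whole priority down. With these scales the result lies in 1..80."""
    return (SEVERITY[f.severity]
            * EXPLOITABILITY[f.exploitability]
            * CRITICALITY[f.asset_criticality])


def prioritize(findings: list[Finding]) -> list[tuple[Finding, int]]:
    """Pair each finding with its score and return them highest-priority first."""
    scored = [(f, context_score(f)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample findings mirroring the article's examples.
SAMPLE = [
    Finding("dc01", "sample-1", "Critical", "Very High", "Mission Critical"),
    Finding("menu-web", "sample-2", "Critical", "Very High", "Low"),
    Finding("dc01", "sample-3", "Critical", "Very Low", "Mission Critical"),
    Finding("hr-db", "sample-4", "High", "High", "High"),
]

if __name__ == "__main__":
    for f, score in prioritize(SAMPLE):
        print(f"{score:3d}  {f.asset:9s} {f.finding_id}  "
              f"{f.severity}/{f.exploitability}/{f.asset_criticality}")
```

Run as written, the "High" finding on the HR database outranks both the "Critical" on the cafeteria-menu server and the barely exploitable "Critical" on the Domain Controller, which is the reordering the article argues for.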

7 steps to creating a successful program

Creating a context-driven vulnerability management program involves several key steps. Here are some tips to help you get started:

1. Define your context

The first step in creating a context-driven vulnerability management program is to define your context. This includes understanding your organization’s business objectives, IT infrastructure, and the types of data you handle. This will help you identify the types of threats and vulnerabilities that are most relevant to your organization.

2. Prioritize your assets

Not all assets are created equal, and some are more important than others. Prioritizing your assets based on their value to the organization will help you focus your efforts on protecting the most critical systems and data.

3. Conduct regular vulnerability assessments

Regular vulnerability assessments are essential to identify potential vulnerabilities and threats to your organization. These assessments can be conducted internally or by a third-party vendor, and should be based on your organization’s context and priorities.

4. Develop a risk management plan

Once you have identified potential vulnerabilities, you need to develop a risk management plan. This plan should include strategies for reducing the likelihood and impact of each vulnerability, and should be based on your organization’s priorities and risk tolerance.

5. Implement a patch management process

Implementing a patch management process is critical to keeping your systems and software up-to-date with the latest security patches. This can help prevent known vulnerabilities from being exploited by attackers.

6. Monitor and respond to threats

Monitoring for potential threats and responding to incidents is an essential part of any vulnerability management program. This includes monitoring for new vulnerabilities, suspicious activity, and responding quickly to incidents when they occur.

7. Continuously evaluate and improve

Your vulnerability management program should be an ongoing process of evaluation and improvement. This means regularly reviewing your program, assessing its effectiveness, and making changes as needed to better protect your organization.

Conclusion

Creating a vulnerability management program can be a challenge. From prioritizing tasks to balancing work against a budget, there is a lot to consider. The Foresite Cybersecurity team has the knowledge and experience to help organizations of all sizes create a context-driven vulnerability management program that benefits your IT team, security professionals, and organization as a whole. Contact us today to learn more!

Thomas Allen
Principal Consultant / Information Security Officer – C|CISO, CRISC, CCSP, ISO 27001 LA, CISA, CISSP, HCISPP, GCCC, GCFA at Foresite Cybersecurity
