Why Your Business Needs Vulnerability Management

Without vulnerabilities, there wouldn't be any breaches. Learn what vulnerability management is and why small and medium size businesses need it as much as larger enterprises.

What The Nerds Say Vulnerability Management Is

People today, especially us techie nerds, love to overcomplicate the technologies we use and also the programs and processes we use to secure those technologies. When we talk about vulnerability management, we may bring up how certain protocols could get you hacked, how missing a patch leads to compromise, or how using C or Java as your programming language in app development will most definitely lead to ransomware.

What Vulnerability Management REALLY Is

Simply put, vulnerability management (key word being MANAGEMENT) is essentially just risk management. A vulnerability, in a non-technical sense, could be leaving your garage door open while you're away. Simple, right? Taking it a step further, the only reason we may care about a vulnerability is if there is a threat. In this instance, a threat could be rain flooding your nice clean garage, or a thief seeing his chance to steal some power tools sitting on your workbench.

How This Applies To Business

Figuratively speaking, every piece of technology is full of doors, windows, etc. through which bad guys can crawl their way into your system and either steal information, lock down your system to the point it is unusable (ransomware), or perhaps just access things like your webcam or microphone to spy on you.

In this post we’re addressing the vulnerabilities that exist in your business from the perspective of information security: weaknesses that expose the confidentiality, integrity and availability of all the information critical to your business to threats. This is true for small and medium size businesses, as well as for government and non-profit organizations, not only for large enterprises. Everyone can be a target, so don’t think you’re too small and that breaches only affect larger organizations. Statistics have revealed that vulnerabilities are among the top reasons for breaches affecting many smaller organizations, not only larger enterprises.

Prioritize Vulnerability Remediation

First and foremost, we need to identify these vulnerabilities to determine what we need to address and how quickly we need to address it. Using our house and garage example, if we have a window that is unlocked and left wide open, it is considered a vulnerability. In fact, some people may even see an open window as a critical vulnerability. But what if I told you that the open window is on the third story of the house? This changes things a bit, right? The same concept applies to cybersecurity. There may be some critical vulnerabilities in our environment, but if they are out of the reach of the bad guys, then do we really care?

Companies can have large numbers of vulnerabilities depending on their size. This we know for a fact. Undoubtedly, your business has them, too.

Don't get discouraged by this; instead, prioritize and start with the most critical first. Once those are done, you can move on to the highs, then the mediums and finally the lows. Find ways to automate vulnerability remediation; this can be done by having a patch management program, or by allowing your devices and applications to update automatically. This also takes stress off your IT/cybersecurity teams and allows them to prioritize other, potentially more important efforts.

What You Can Do To Address Vulnerabilities In Your Business

This all comes back to risk management. You first need to know all the technologies you have, whether in your home or your business. Think computers, servers, IoT devices, and really anything with a ‘heartbeat’, or an IP address found on your network. Next comes scanning. Scanning those technologies for vulnerabilities (there are many programs out there for doing this) will reveal important details about the systems on your network: things such as operating system versions, application versions, and available services and ports, all of which can be used by an attacker if they target your organization (or home network). Once you have scanned everything for vulnerabilities, the findings have to be assessed and a determination made about which ones require immediate attention. You prioritize the vulnerabilities based on the level of impact to your business if someone tried to use those vulnerabilities to maliciously gain access to your systems and data.
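The prioritization described in this section and in "Prioritize Vulnerability Remediation" above (severity first, but tempered by how reachable the asset is, the "third-story window") can be written down as a small scoring routine. This is an added illustration, not code from the original post; the weights, the asset names and the findings are constructed, and a real program would take its severity from the scanner output and its exposure and asset value from the inventory.

```python
"""Exposure-aware vulnerability prioritization (constructed example)."""
from dataclasses import dataclass

# Scanner-style severity labels, ordered as the post suggests working them.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# How reachable the asset is: an internet-facing host is the open window on
# the ground floor, an isolated lab box is the one on the third story.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.1}
# Business impact if the asset is compromised (inventory decides this).
ASSET_VALUE = {"crown-jewel": 3, "standard": 2, "lab": 1}


@dataclass
class Finding:
    asset: str
    title: str
    severity: str
    exposure: str
    asset_value: str = "standard"


def risk_score(f: Finding) -> float:
    """Severity x exposure x business impact; higher means fix sooner."""
    return (SEVERITY_WEIGHT[f.severity] * EXPOSURE_WEIGHT[f.exposure]
            * ASSET_VALUE[f.asset_value])


def prioritize(findings, acceptable_risk=1.0):
    """Split findings into (fix_now, accepted), fix_now highest risk first.

    acceptable_risk is the level the business has agreed to live with;
    anything at or below it is tracked but not scheduled for remediation.
    """
    ranked = sorted(findings, key=risk_score, reverse=True)
    fix_now = [f for f in ranked if risk_score(f) > acceptable_risk]
    accepted = [f for f in ranked if risk_score(f) <= acceptable_risk]
    return fix_now, accepted


# Constructed sample findings; hostnames and titles are placeholders.
SAMPLE_FINDINGS = [
    Finding("web-01", "Unsupported web server version", "high", "internet", "crown-jewel"),
    Finding("file-srv", "Missing operating system patch", "critical", "internal"),
    Finding("lab-vm", "Default credentials on test application", "critical", "isolated", "lab"),
    Finding("printer-3", "Outdated management firmware", "medium", "internal"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS)[0]:
        print(f"{risk_score(f):4.1f}  {f.asset:10} {f.severity:8} {f.title}")
```

Note that the "critical" finding on the isolated lab machine scores below the "medium" one on the internal printer, which is exactly the point the garage example makes.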

Vulnerability management is an ongoing process. A well-designed vulnerability program will use the resources available to your organization wisely: focusing only on assets that are in scope, prioritizing the vulnerabilities and their remediation well, and reducing them to a risk level acceptable to your business.

If your business doesn’t have such a program in place, you might want to do something about it as soon as possible. Information security organizations like Executive Solutions USA offer vulnerability management services as a stand-alone offering, or as part of managing your entire security stack. This isn’t a one-off project, but rather a service that is part of the overall strategy to protect your organization from criminals targeting your information assets.

Guest author Dan Ovick is a vulnerability management expert working for a large Minnesota enterprise. He has worked in the IT/cybersecurity industry for over 5 years, doing everything from endpoint security services to briefing executives on information security. His area of passion revolves around Vulnerability Management and Risk Management (especially Third-Party risk). You can connect with Dan at www.linkedin.com/in/dovick/
