Vulnerability Management Maturity Model

I’ve been working on this for a couple of months now. Basically, we all know the truth of the matter is that intrusions happen because we security guys are not able to patch the things that matter, fix the areas that intruders will use to break in and steal credit cards or SSNs or … passwords, now. I realize that there is a lot of hype about advanced bad guys, zero-day exploits, and so on. And there are things there to be worried about.

However, the vast majority of all cyber-crime is happening because we are not doing the basics well. That was a major factor in my deciding to move to Core Security last year. I wanted to make a difference for a lot of people, across the whole of security. We focus on something that I think is key in all of this, which is dealing with the data overload that exists around vulnerability management. As part of this effort, I realized that most companies really have no idea if their vulnerability management is good or bad, how to measure it, what constitutes a good patch lifecycle, and so forth. Most companies’ vulnerability management is more like whack-a-mole than a mature security program.

I decided to take a stab at helping to fix that. Over the last few months I’ve been working on a maturity model and roadmap for maturity for Vulnerability Management. I’ve drawn on my experience at EDS, at Providence Health & Services as CISO for 7 years, and now my time at Core working with our customers. The model is aimed at a security management level and focuses on building the right processes, coordinating activity across departments, and putting technology in place where it makes sense.

We are going to release the model publicly at BlackHat – come see us at Booth 735 for the first look and a discussion around where you fit within the model and what activities make sense to move to a new level of maturity.

There are prettier versions coming, but here is the maturity model itself. The roadmap will follow soon.

Rob Lemos (@roblemos on Twitter) wrote a nice piece yesterday for eWeek specifically on the work we are doing around improving maturity for vulnerability management programs.