
Establishing a vulnerability management programme

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 19 Jan 2018
Lydie Nogol, senior manager Information Security, MTN Cameroon.

Today's businesses focus on scanning for and fixing individual vulnerabilities, rather than taking a holistic approach to managing vulnerability risk.

In fact, organisations spend billions on vulnerability scanners to identify vulnerabilities that are then handled purely as technical tasks, mostly for compliance purposes.

This is according to Lydie Nogol, senior manager Information Security, MTN Cameroon, who will be doing a presentation on 'Establishing a quality vulnerability management programme', at the ITWeb Security Summit 2018, to be held from 21 to 25 May at Vodacom World in Midrand.

She says there is currently very limited, or non-existent, matching performed between a discovered vulnerability and how it affects the business and its mission. Vulnerability management is viewed as being technology driven, and not requiring the involvement of business units or senior management.

A risk-driven approach

ITWeb Security Summit 2018

Registration is already open for the ITWeb Security Summit 2018. There are at least three international plenary speakers, the #SS18HACK, two half-day workshops or one full-day workshop plus training courses to choose from, and much more. For the first time, the ITWeb Security Summit will also take place in Cape Town.

So what could businesses be doing better? "They should implement a risk-driven approach to vulnerability management, which should be aligned with the overall security and business strategy."

What is needed is a good understanding of the company's mission-critical processes, in order to prioritise and focus on what matters to the business, as opposed to wasting effort on closing every vulnerability for compliance purposes.
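The prioritisation Nogol describes, matching each scanner finding to the business process it could disrupt rather than sorting by severity alone, can be sketched in a few lines. The example below is added here as an illustration and is not code from the article, from MTN Cameroon or from any scanner vendor. The asset names, process names, criticality weights, exposure multipliers and CVSS scores are constructed sample data, and the scoring formula (CVSS base score multiplied by process criticality and exposure) is an assumption chosen to show the idea; a real programme would calibrate those weights with the business owners of each process.

```python
"""Risk-driven prioritisation of scanner findings (added illustration).

Assumptions: the asset-to-process map, criticality weights, exposure
multipliers and the sample findings are all constructed for this example,
and the scoring formula is a simple stand-in for a business-agreed model.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed: which mission-critical business process each asset supports.
ASSET_TO_PROCESS = {
    "billing-db-01": "customer billing",
    "hlr-gw-02": "subscriber authentication",
    "intranet-wiki": "internal knowledge base",
    "lab-build-07": "test lab",
}

# Assumed criticality per business process (1 = negligible, 5 = mission-critical).
PROCESS_CRITICALITY = {
    "customer billing": 5,
    "subscriber authentication": 5,
    "internal knowledge base": 2,
    "test lab": 1,
}

# Assumed exposure multiplier: internet-facing assets carry more risk.
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0, "isolated": 0.5}


@dataclass(frozen=True)
class Finding:
    asset: str
    check_id: str   # the scanner's own identifier for the check that fired
    cvss: float     # CVSS base score, 0.0 to 10.0
    exposure: str   # "internet", "internal" or "isolated"


def business_risk(f: Finding) -> float:
    """Score a finding by business impact, not by CVSS alone.

    An asset that maps to no known process gets criticality 1 so it still
    appears in the queue; unmapped_assets() surfaces it for inventory clean-up.
    """
    process = ASSET_TO_PROCESS.get(f.asset)
    criticality = PROCESS_CRITICALITY.get(process, 1)
    exposure = EXPOSURE_WEIGHT.get(f.exposure, 1.0)
    return round(f.cvss * criticality * exposure, 2)


def prioritise(findings: Iterable[Finding]) -> List[Finding]:
    """Return findings ordered from highest to lowest business risk."""
    return sorted(findings, key=business_risk, reverse=True)


def by_cvss_only(findings: Iterable[Finding]) -> List[Finding]:
    """The severity-only ordering a compliance-driven programme would use."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def unmapped_assets(findings: Iterable[Finding]) -> List[str]:
    """Assets with findings but no owner process: an inventory gap to close."""
    return sorted({f.asset for f in findings if f.asset not in ASSET_TO_PROCESS})


# Constructed sample findings; the check ids are placeholders, not real plugin ids.
SAMPLE_FINDINGS = [
    Finding("lab-build-07", "CHK-0001", 9.8, "internal"),
    Finding("billing-db-01", "CHK-0002", 6.5, "internal"),
    Finding("hlr-gw-02", "CHK-0003", 7.5, "internet"),
    Finding("intranet-wiki", "CHK-0004", 8.1, "internal"),
    Finding("unknown-host", "CHK-0005", 9.0, "internal"),
]


if __name__ == "__main__":
    print("Severity-only order:", [f.asset for f in by_cvss_only(SAMPLE_FINDINGS)])
    print("Business-risk order:", [f.asset for f in prioritise(SAMPLE_FINDINGS)])
    print("Assets with no owning process:", unmapped_assets(SAMPLE_FINDINGS))
```

Run as a script, the severity-only view puts the 9.8 on the test lab box first, while the business-risk view puts the 7.5 on the internet-facing subscriber authentication gateway and the 6.5 on the billing database ahead of it. The point is not the particular weights but that the ranking changes once the process mapping exists, which is exactly the matching step the article says is missing in most programmes.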

"Security professionals need to gain the approval and support of senior management. Remediation should not focus on software patching, but should include other security processes such as secure configuration, security awareness and training, security by design, security in the development lifecycle, and similar."

Delegates attending Nogol's talk will learn about the importance of setting up a vulnerability management programme in today's context, and will receive tips on how to get support from top management for managing threats and vulnerabilities, and demonstrate value through metrics and measurement.

They will also be shown the key elements and correct approach for the successful implementation of vulnerability management programmes, including key roles and responsibilities.
