Programme Sponsorship

It is essential for the success of your Vulnerability Management programme to obtain the right internal sponsorship as early as possible. Some things to consider …

Senior Management

VM programmes that are driven by the Security Team because they know it’s the right thing to do are very unlikely to succeed. This is because they are competing for meagre resources, most of which are already claimed by officially sanctioned programmes. Instead, communicate the benefits of a functioning VM programme to senior management. With management onside you’ll have a far better chance of success.

Engage Stakeholders

Early and often. Your VM programme will affect and be affected by many other teams. Connect with them, explain what you’re doing and why, and explain the benefits that they can obtain from the whole process.

Demonstrate how their lives will be easier when you start making the information you’re going to gather available to them.

For example, speak with the Licence Management team and offer them automatic updates and reports on what software is deployed where in the organisation. It’s a by-product of your VM programme, so why not make it available?

Empower Teams

Where possible empower internal teams to self-manage their part of the programme. This has several benefits.

You no longer need to run every scan for every department every time they need it. They know their own work and patch schedules so they can run verification scans to prove their patching was effective.

Give them the ability to prioritise what they will improve this month. Let them take ownership of the BAU process.

Move the Security Team’s function to one of overall management and assistance where needed.

Quantify ROI to Management

With the move to overall management the Security Team can focus on reporting progress in meaningful terms. See this post for more info.

Security in Every Role

Extend Security to be part of everyone’s role by empowering teams to have some say over their ultimate destiny. If you don’t allow them to prioritise and report on improvements they are unlikely to buy in to the process, which will in turn limit its effectiveness.