By: Apurv Tiwari
August 4, 2020
Executive Vulnerability Management - Course Review
The vulnerability management domain focuses on how organizations identify, analyze, and manage vulnerabilities in a critical service's operating environment.[1]
Understanding how to identify, evaluate, and treat vulnerabilities is instrumental in the success of any organization. A successful vulnerability management program consists of 4 key elements:
- Vulnerability Assessment - Identifying weaknesses, risks, and exposures.
- Vulnerability Management Tools - Vulnerability scanners, deep learning, AI.
- Integration and Alignment - Systems, processes, key stakeholders.
- Agility - Cyber resilience and scale.
I was primarily looking for a course that would succinctly describe a big overarching picture of what vulnerability management looks like at an executive leadership level.
The Executive Vulnerability Management course is a perfect fit. It also teaches ways of improving and streamlining vulnerability management practices, the challenges faced during the patch management lifecycle, and how to overcome those challenges.
Prerequisites and Key Audience
As the course title suggests, this is an executive course, and so an advanced-level one.
It assumes the following:
- A general understanding of how computer systems function, what information technology is, and its security principles.
- That you are an IT Security Manager or above (part of the executive management team).
- A general idea of vulnerability management and its practices.
- Some exposure to frameworks such as NIST 800-53, RMF (Risk Management Framework), and the patch management lifecycle.
Supplemental Resources Included
The course includes a set of notes that walks you through the material and doubles as a quick reference guide. I found the study guide exceptionally useful throughout the course, adding my own notes to the document.
Here is a quick dive into its various modules and what they cover.
Module 1: Vulnerability Management
This module covers a short revision of the terms generally associated with vulnerability management, how to build a successful vulnerability management program, who the security teams should comprise and what their responsibilities are, what is expected of the executive leadership, and how to create a risk committee.
Module 2: Tools/Technology
This module emphasized the importance of patch management, security scanning, and ticketing/tracking software, and introduced me to various tools that make life easier. It also covered creating effective workflows for vulnerability management, and dived deeper into the technical skills needed to build a well-rounded vulnerability management team, especially its roles and responsibilities.
Module 3: Common Problems in Vulnerability Management
This module dug deep into many problems that commonly plague vulnerability management, and their mitigations; a few of them are dissimilar patching cycles, redundant software (end-of-life software), determining software/hardware needs, requirements and regulations (based on industry type, private or public), vulnerability scoring methodologies, and remediation and prioritization (especially automation).
Module 4: Solving Vulnerability Management Issues
This module provides closure to all of the foundations built so far. It covers how the members of the security team can work efficiently (by aligning teams); consolidating products (both software and hardware) to improve vulnerability management; a touch upon risk identification, risk analysis, and understanding your risk profile; and automating vulnerability scanning, reporting, threat identification, documentation, and scripts.
It ends with a set of takeaways, especially for executive leadership and management teams.
These are some highlights of what I took away from the course:
- Vulnerability management isn't a one-time exercise; there must be continuous monitoring, and the more frequent, the better.
- All teams must undergo security training; for example, getting developers to understand security will enable removing a lot of the simpler vulnerabilities.
- Ensure that communication regarding vulnerabilities is regular (look for weekly reports); it shows people where we could have messed up and the steps to improve the situation.
Instructor: Dr. Nikki Robinson
Difficulty: Advanced
Duration: 2 hours 35 minutes
CEU/CPE: 3
- [1] CRR Resource Guide, US-CERT https