What is vulnerability management and how do you enforce it in your organization? Ask security experts and most would answer along these lines: it is a list of vulnerabilities in an operating system or application that need to be patched with the latest security updates. For the most part they would be correct, but true vulnerability management (VM) is significantly more than that.
Wikipedia defines vulnerability management as “the cyclical practice of identifying, classifying, prioritizing, remediating and mitigating software vulnerabilities.” It goes on, stating, “it is integral to computer security and network security, and must not be confused with vulnerability assessment.” Although true, I argue that the scope should be larger and that true VM also requires a focus on the weaknesses that involve people, processes and business relationships, as well as technology.