Understanding Vulnerability Management Today
Organisations today face an overwhelming volume of vulnerabilities. With over 40,000 new vulnerabilities disclosed annually, security and IT teams struggle to determine which ones genuinely threaten their business. Recent incidents at M&S and Jaguar Land Rover illustrate how basic maintenance failures – unpatched systems and outdated software – can create serious security gaps.
The answer lies in automation. By automating patching of operating systems and 3rd party patches across your environment, you can address the vast majority of vulnerabilities systematically and efficiently. The role of vulnerability management isn’t simply to prioritise what to patch – it’s to identify gaps in your automation strategy, highlight what you’re missing, and reveal opportunities for further automation. When you encounter vulnerabilities that can’t be automatically patched, that’s your signal to either extend your automation capabilities or understand why manual intervention is necessary.
Beyond CVSS Scores
Most organisations rely primarily on CVSS scores for vulnerability prioritisation. However, CVSS has significant limitations. A CVSS 9.0 vulnerability on an air-gapped development server poses considerably less risk than a CVSS 6.0 vulnerability on an internet-facing production system.
Effective prioritisation requires multiple frameworks working together. CVSS provides the baseline severity assessment, but it doesn’t indicate whether attackers are actively exploiting a vulnerability. The Exploit Prediction Scoring System (EPSS) predicts the likelihood of exploitation within 30 days based on real-world data. The CISA Known Exploited Vulnerabilities catalogue identifies vulnerabilities being actively exploited in the wild – these should be addressed within 24-48 hours.
Context is equally important. Consider the business impact if a particular device is compromised. Evaluate whether it’s internet-facing or internal-only. Distinguish between theoretical vulnerabilities that exist in code but lack known exploits, and practical vulnerabilities with active exploitation or proof-of-concept code. Focus your immediate efforts on practical vulnerabilities affecting critical, exposed systems.
Bridging the Security-IT Divide
One of the most significant obstacles in vulnerability management is the communication gap between security and IT teams. Security teams often view every vulnerability as urgent, whilst IT teams are already managing substantial operational demands.
IT teams typically receive hundreds of patch requests without clear prioritisation, struggle to understand the business impact of specific vulnerabilities, and lack the context to make informed decisions about patching schedules. They’re also understandably concerned about potentially disrupting production systems with untested patches.
Effective prioritisation addresses these challenges by providing clear, actionable priorities – identifying the top 10 critical vulnerabilities rather than presenting an undifferentiated list of hundreds. It provides business context explaining why each vulnerability matters, quantifies risk in business terms, and sets realistic remediation timelines based on actual risk levels.
Successful vulnerability management requires strong collaboration through regular priority reviews, shared metrics that both teams work towards, joint planning on remediation strategies, and clear escalation procedures for handling critical vulnerabilities. Effective cyber security cannot just be the responsibility of the cyber team.
Metrics That Matter
Traditional vulnerability management metrics often focus on quantity – vulnerabilities found or patches applied – rather than actual risk reduction.
More meaningful metrics include Mean Time to Detect (how quickly new vulnerabilities are identified, ideally within hours), Mean Time to Remediate (how quickly vulnerabilities are fixed once identified – critical ones within 24-48 hours, lower-risk ones during regular maintenance windows), and Vulnerability Churn (tracking whether your vulnerability backlog is increasing or decreasing over time).
Business impact metrics are equally valuable: quantifying risk reduction from remediation efforts, estimating cost avoidance from prevented breaches, tracking compliance progress, and measuring stakeholder satisfaction with your vulnerability management programme.
Why Automation is Essential
Manual vulnerability remediation doesn’t scale. With thousands of new vulnerabilities discovered annually, automation isn’t merely helpful – it’s essential. The key is automating the actual remediation of vulnerabilities, not just their detection, and making sure IT and cyber teams are both accountable and responsible for their resolution.
Start with low-risk, high-confidence fixes: operating system patches, browser updates, and library updates. These can be automated immediately. For higher-risk patches affecting critical systems, implement staged rollouts with automated testing. Build automated dependency management for your applications, and create exception-handling processes for complex cases requiring human intervention.
When automation fails, treat it as a learning opportunity. Conduct root cause analysis, improve your processes, and document lessons learned. The goal is making manual work the exception rather than the rule.
Humans: An Unpatchable Vulnerability Source
Whilst software vulnerabilities can be patched, human vulnerabilities cannot. Social engineering, insider threats, and human error remain substantial security risks.
Technical controls can mitigate these risks: multi-factor authentication reduces the impact of credential theft, privileged access management limits administrative access, browser security protects against password misuse, email security catches sophisticated phishing attempts, endpoint detection and response identifies suspicious activities, and network segmentation limits lateral movement if attackers gain access.
Education and training remain crucial. Regular, engaging security awareness training – beyond annual compliance requirements – helps build a security-conscious culture. Phishing simulations test employees’ ability to identify threats. Role-based training tailored to specific job functions makes security relevant to daily work. Make security awareness an ongoing process rather than a one-time event, and ideally quantify your human risk.
Managing an Expanded Attack Surface
Modern organisations manage vulnerabilities across a much broader attack surface than traditional servers and workstations. Cloud services, IoT and OT devices, network infrastructure, and mobile devices each present unique vulnerability management challenges.
Browsers warrant particular attention. As tools used daily by every employee, they represent prime targets for attackers. Browser vulnerabilities extend beyond software flaws to include weak password management, phishing attacks, malicious extensions, and credential reuse. Addressing these requires real-time multifactor authentication mechanisms, secure password management systems, and education on how best to manage users’ authorisation footprints
Supply chain vulnerabilities also demand attention: third-party vendors with system access, open-source libraries in your codebase, firmware-level issues, and service providers managing critical systems all represent potential security gaps.
Getting Started
Transforming your vulnerability management programme requires a structured approach. Begin with the foundations:
First – make sure everyone is on side and aware of the transformation. Trying to implement proper vulnerability management as just a cyber team, or just an IT team, will not work.
Next, complete an asset inventory (you cannot protect what you don’t know exists), conduct a baseline assessment of your current vulnerability state, and evaluate appropriate tools and training.
Then, implement proper prioritisation using CVSS, EPSS, and KEV together. Map your asset criticality and connectivity. Create clear workflows and communication protocols between security and IT teams.
Then focus on automation for low-risk vulnerabilities, build metrics dashboards for real-time visibility, and continuously refine your processes based on what you learn.
As your programme matures, explore AI and machine learning for enhanced prioritisation, develop predictive capabilities, and remain adaptable as the threat landscape evolves.
Common Pitfalls
Several common mistakes can undermine vulnerability management efforts. Treating vulnerability management as a manual resolution exercise rather than an automation improvement opportunity wastes time and resources – the goal should be automating as much patching as possible, not manually deciding what to fix.
Purchasing tools without a clear strategy puts the cart before the horse; define your issues, your goals and your processes first. Measuring everything without understanding what drives value creates noise rather than insight. Automating bad processes simply makes them fail faster – optimise processes before automating them. This will mean having some awkward conversations – the move tot hink of servers as cattle with a standard patching process, rather than pets that are manually looked after one by one can be a big change!
Looking Ahead
The vulnerability management landscape continues evolving. Zero-trust architecture, DevSecOps integration, cloud-native security, AI-driven threat hunting, and emerging quantum computing threats are and will all shape how organisations approach vulnerability management. Your approach must evolve alongside these changes.
Conclusion
Effective vulnerability management focuses on automating as much patching as possible and using vulnerability data to identify gaps in your automation strategy. By building comprehensive automation, leveraging intelligent prioritisation to spot what’s missing, fostering strong partnerships between security and IT teams, and measuring meaningful metrics, organisations can transform vulnerability management from a reactive burden into a strategic capability.
This is an ongoing journey rather than a destination. The threat landscape constantly evolves, and your vulnerability management approach must evolve with it. The tools and frameworks exist – the question is whether your organisation will use them to automate effectively. Those that do will find vulnerability management provides not just better security, but a genuine competitive advantage.