Vulnerability management is the practice of identifying and mitigating the weaknesses in an organization’s people, processes, and technology. It’s a practical, down-to-earth approach that focuses on small things, but it has the power to bring big gains to an organization’s resilience.
Every now and then MHA gets hired to conduct a vulnerability assessment, where we’ll survey the landscape of an organization’s people, processes, technology, and facilities looking for its greatest and potentially most impactful weaknesses. Then we work with the client on devising a plan to mitigate those weaknesses—and do all we can to get them to follow through on the plan (otherwise, what’s the point?).
I like doing vulnerability assessments. They are very straightforward and can lead to big gains in resilience at relatively modest effort and expense.
One thing that’s tricky about doing them is that most department heads are reluctant to “open the kimono” for fear of being singled out and blamed. I’ll say more about that in a moment.
Defining Vulnerability Management
Some people only apply the term vulnerability management to the process of identifying and mitigating weaknesses in computer systems, software, and networks. I think vulnerability management is bigger than that. For us, it’s about managing weak spots across the entirety of the organization’s operations, staff, technology, and facilities.
In fact, the place where we’ve recently been seeing the most serious gaps with our clients is in their people—namely people who constitute single points of failure (SPOFs) at the organization. These folks are the only ones there who know how to conduct certain mission-critical functions. If they were to get sick, take another job, or whatever, their organization would be up the creek without a paddle.
Identifying and mitigating such situations is what vulnerability management is all about.
Vulnerability Management and Risk Management
How does vulnerability management relate to risk management? Vulnerability management is a component of risk management. Risk management is the overall program; vulnerability management addresses the specific pieces and parts within it.
The cool thing about vulnerability management is, if you do it properly, you might never need to use your business continuity plans. By making such small corrections as making sure everyone is using the right security controls and installing backup power sources in key buildings, you minimize the potential of ever having to activate your plans.
How to Implement Vulnerability Management
How does an organization “do” vulnerability management? Let’s start by saying how not to do it. We recommend that you not announce, “Hey, everybody, we’re going to do an enterprise vulnerability assessment.” It’s too big of a job, one almost guaranteed to result in failure. Do the work in pieces, especially if it’s your first time. Start small. Start with your buildings. Do a vulnerability assessment of them. Look at your building control systems, your physical access. When you’ve got that sorted out, then move on to your data center, your technology, or your people. Segment the work in a way that’s reasonable and practical.
The other key thing is follow-through. So many times we see organizations do a good job of identifying their vulnerabilities then drop the ball when it comes to mitigating them. Don’t be that guy. Don’t be that organization. Mitigation is where it’s at. After you’ve identified your weak areas, strengthen them.
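To make the two practical points above concrete (flagging people who are single points of failure, and tracking follow-through on mitigation segment by segment), here is a small register written for this post. It is an added example, not MHA Consulting's tooling, and every name, function and finding in it is constructed.

```python
"""Added example (not MHA Consulting's code): a minimal vulnerability
register covering two points from the post -- detecting single points
of failure (SPOFs) among staff, and reporting follow-through on
mitigation by segment. All staff, functions and findings are constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed coverage map: which staff can perform each mission-critical
# function. A function with exactly one capable person is a SPOF.
COVERAGE = {
    "payroll run": {"alice"},
    "restore backups": {"bob", "carol"},
    "generator failover": {"dave"},
    "vendor payments": {"alice", "erin"},
}


def find_spofs(coverage):
    """Return {function: sole person} for every function only one person can do."""
    return {func: next(iter(people))
            for func, people in coverage.items() if len(people) == 1}


@dataclass
class Finding:
    segment: str        # one assessment segment: buildings, data center, technology, people
    description: str
    due: date           # agreed mitigation date
    mitigated: bool = False


def spof_findings(coverage, due):
    """Turn each detected SPOF into an open finding in the 'people' segment."""
    return [Finding("people", f"Only {who} can perform '{func}'", due)
            for func, who in find_spofs(coverage).items()]


def followthrough_report(findings, today):
    """Per segment: how many findings are open, mitigated, and open past due.

    The 'overdue' count is the follow-through signal the post warns about:
    weaknesses that were identified but never actually strengthened."""
    report = {}
    for f in findings:
        row = report.setdefault(f.segment, {"open": 0, "mitigated": 0, "overdue": 0})
        if f.mitigated:
            row["mitigated"] += 1
        else:
            row["open"] += 1
            if f.due < today:
                row["overdue"] += 1
    return report


# Constructed findings from a segmented assessment (buildings first, as advised).
FINDINGS = [
    Finding("buildings", "No backup power for HQ server room", date(2024, 3, 1)),
    Finding("buildings", "Badge access not revoked for departed contractors",
            date(2024, 2, 15), mitigated=True),
    Finding("technology", "MFA not enforced on remote access", date(2024, 1, 31)),
] + spof_findings(COVERAGE, date(2024, 4, 30))


if __name__ == "__main__":
    for segment, row in followthrough_report(FINDINGS, date(2024, 3, 15)).items():
        print(f"{segment:12} open={row['open']} mitigated={row['mitigated']} overdue={row['overdue']}")
```

Run as a script it prints one line per segment; the overdue column is what to review with department heads, since an identified-but-unmitigated finding is exactly the ball-drop the post describes.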
Two more points: If you’re new at this, it’s not a bad idea to get help. As I say, MHA has a lot of experience doing vulnerability assessments. So do other consultancies. Experience makes a big difference both in terms of expertise and diplomacy.
And finally, getting back to the issue of reluctant subjects. People do get testy when you do vulnerability assessments. They see it as pointing fingers. People are terrified that if you find a lot of vulnerabilities in their area they might be held accountable. This is perhaps another good reason to consider bringing in an outside expert. Sometimes an objective person from outside the organization is better able to focus on what needs to be called out and fixed in order to increase resiliency long term. And that way everybody can put the blame on them for any feathers that get ruffled. We won’t mind, we’re used to it.
Protecting Operations, Boosting Resilience
Vulnerability management is a vital practice for enhancing organizational resilience by identifying and mitigating weaknesses in people, processes, and technology. To effectively implement vulnerability management, organizations should start small, focusing on specific areas such as buildings or key functions, and ensure follow-through in strengthening identified weaknesses.
Seeking external expertise and fostering a blame-free environment can further enhance the effectiveness of vulnerability assessments and mitigation efforts. Ultimately, vulnerability management empowers organizations to proactively protect their operations, adapt to challenges, and build a culture of continuous improvement.
For more information on vulnerability management and other hot topics in BCM and IT/disaster recovery, check out these recent posts from MHA Consulting:
- Driving Blind: The Problem with Skipping the Threat and Risk Assessment
- Weighing the Danger: The Continuing Value of the Threat and Risk Assessment
- Single Points of Failure: Protecting Yourself from Hanging by a Thread
- Don’t Just Hope: Choosing Strategies to Mitigate Risk
- Risk Mitigation: The Four Types
- The Risk Management Process: Manage Uncertainty, Then Repeat