Defense in Depth: Vulnerability Management

So many breaches happen through ports of known vulnerabilities. What is the organizational vulnerability in vulnerability management?


Check out this post and discussion and this one for the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX), CISO at Mitel. Our guest is Justin Berman (@justinmberman), CISO for Zenefits.

Got feedback? Join the conversation on LinkedIn.

Thanks to this week’s podcast sponsor, Vulcan Cyber

Vulcan’s vulnerability response automation platform allows enterprises to automate their TVM programs. Vulcan integrates to existing IT DevOps and security tools to fuse enterprise data with propriety intelligence which allows to accurately and subjectively priorities and remediate vulnerabilities – either using a patch workaround or compensating control.

On this episode of Defense in Depth, you’ll learn:

  • As the CIS 20 concurs, vulnerability management is the first security measure you should take right after asset inventory.
  • Vulnerability management needs to be everyone’s issue and managed by all departments.
  • Lots of discussion around vulnerability management being driven by culture which is a very hard concept to define. To get a “vulnerability management culture” look to a combination of awareness and risk management.
  • Vulnerabilities don’t get patched and managed without someone taking on ownership. Without that, people are just talking and not doing.
  • Increased visibility across the life cycle of a vulnerability will allow all departments to see the associated risk.
  • Who are the risk owners? Once you can answer that question you’ll be able to assign accountability and responsibility.

Defense in Depth

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.