Vulnerability Management Roles and Responsibilities
June 11, 2018
Now that we’ve covered the basic process of vulnerability management, it’s time to consider the human element.
After all, no matter how good your processes are, they’ll still fail if you don’t have the right people involved.
Even more than most business processes, vulnerability management lives and dies on the quality of working relationships between certain key players…
So let’s find out who they are.
Meet The Cast
In order to pull off your world-class vulnerability management process, you’re going to need:
A Security Officer – As far as your organization is concerned, this person is the king (or queen) of vulnerability management.
The security officer will design, own, oversee, and regulate your vulnerability management process. They’ll ensure the process is performing as intended, that it’s being adhered to, and that each member of the team is doing their part well.
They’ll also usually be responsible for reporting. They may not (and probably won’t) run the reports themselves, but they should be the ‘face’ of vulnerability management throughout the organization. Most importantly, the security officer should periodically brief the executive team.
Finally, the security officer will routinely meet with representatives from each area of the organization to ensure everybody is receiving the support they need.
Clearly this is not a throwaway position and shouldn’t be handed out purely based on ‘who has the capacity’. A poorly designed and regulated vulnerability management process is barely worth having at all.
Ideally, your security officer post will be a full-time position, but this will, of course, depend on the size of your organization. Small companies are often unable to make this level of investment.
Either way, the post-holder should be reasonably literate in the technical side of vulnerability management, an excellent communicator, and be able to present and explain reports to a wide range of audiences.
If you really can’t have a full-time post dedicated to this position, a technical IT project manager would be a reasonable substitute.
A Vulnerability Engineer – Realistically, unless you’re working for a very large organization, this role is going to be assigned to an existing ‘techie’.
I would, however, caution that it should be given to a single person and not shared between a group.
Why? Because this is a task that requires significant attention to detail, and things are inevitably missed when tasks are handed off to people who aren’t intimately familiar with them.
And when it comes to vulnerability management, you really don’t want to miss something.
Essentially, the role of the vulnerability engineer is to configure your vulnerability scanner and schedule the scans. Detailed knowledge of your IT environment, your vulnerability scanning tool, and common attack routes is essential.
Unsurprisingly, the engineer will also need to be able to work with other members of the vulnerability management team to ensure each vulnerability is assessed and suitably accepted or remediated.
Asset Owner(s) – Although not technically a part of the vulnerability management team, these people are going to be intimately involved in the process.
An asset owner is anybody within your organization who takes ultimate responsibility for an asset, whether that’s a server, a software suite, or even just a database. If it’s connected to your network, and it could potentially be exploited, you need to know who owns it.
Once a vulnerability is identified, the owner of the asset affected must be involved in the process of prioritizing and remediating (or accepting) that risk. It is worth noting, however, that not everybody will fully understand the significance of a vulnerability and may feel it isn’t worth their time.
When you first implement a vulnerability management process, you’ll probably need to embark on a regime of educating asset owners on what you’re trying to do. You need to have engagement from every asset owner if you expect to develop an effective vulnerability management process.
Of course, gaining this buy-in from asset owners falls to the security officer, which further demonstrates how important the role really is.
IT Systems Engineers – The role of IT systems engineers is simple: they implement (and test) the agreed-upon remediating actions.
It’s highly unlikely that this will be a single person, purely because it would be such a mammoth task for an individual.
There is a huge element of testing inherent to the role. All remediating actions should first be applied to a test environment, which is then rescanned to confirm they have worked as intended. Assuming that goes to plan, the remediating actions must be tested again once applied to your live environment.
Your IT systems engineers should also have a rollback plan, just in case the remediation process has any unforeseen negative consequences.
This role usually falls to the team responsible for scheduled maintenance and your testing environment. They’re already maintaining the systems inherent to quality vulnerability management, so it only makes sense.
You may, of course, need to enlarge the team in order to account for the additional workload.
Communication, Communication, Communication
If there’s one thing that’s important when building your vulnerability management team, it’s communication.
Without it, you’ll have poor risk prioritization, no buy-in from asset owners, frustrated techies, and an executive team who aren’t really sure what you’re doing or why.
Remember what I said right back in the first article of this series?
The biggest challenge with vulnerability management is not one of difficulty, but of culture. Your organization must be educated, informed, and coordinated in a bid to reduce the level of business risk.
And that’s why, when it comes to it, there is one member of the team who is undoubtedly the most important: the security officer.
If you can appoint a superstar security officer, he or she will infect the rest of the team with their enthusiasm. They’ll find and inspire the best techies, engage even the most hardheaded asset owners, and be the darling of your executive team.
Most importantly, they’ll keep communication channels open throughout your organization, and that really is the secret to effective, consistent vulnerability management.
So if you only get one thing right, make sure it’s appointing the right security officer.
Lacking In-House Security Expertise? Fear Not
In some organizations, particularly small ones, it is possible that an individual will take on more than one of the roles we’ve discussed. This can be effective under the right circumstances, but it requires that roles and processes be clearly defined and adhered to.
If your organization doesn’t have a dedicated team, information security and compliance tools (such as TraceCSO) offer a solution. Through a variety of scanning and related functions, these tools help simplify vulnerability management substantially for organizations lacking in-house security expertise.
Check out other posts in this series:
Post 1: The Minimalist Guide to Vulnerability Management
Post 2: Vulnerability Management Research: How to Invest Your Resources for Maximum Results
Post 3: How to Approach Vulnerability Management: The View from 10,000 Feet
Post 5: The 10 Step Checklist for Pain-Free Vulnerability Management
Post 6: 5 Common Vulnerability Management Mistakes... and How to Avoid Them