Wouldn’t it be great if you could hit the gym one time and find yourself back at your college weight? Unfortunately, permanent weight loss and fitness doesn’t work this way; and neither does IT security.
A vulnerability assessment is an important first step to improving IT security, but no one ever got far with just one step. The vulnerability assessment (VA) is a great snapshot, but it needs to become part of an ongoing process in order to successfully eliminate security gaps.
Related post: The Difference Between Vulnerability Assessments and Vulnerability Management
A vulnerability assessment has a start date and an end date, but it should be part of an ongoing approach to securing your IT assets. Once you identify, quantify and prioritize your strengths and weaknesses through your VA, your work is only beginning. From there, you need to create a plan to prioritize and mitigate the risks you found. This is where vulnerability assessment dictates the recommendations and goals of a vulnerability management program.
You’ll want to perform VAs on a regular basis, either annually or semi-annually, or during milestone moments like adding systems through acquisition or other significant changes in the IT infrastructure. For example, if you’re designing or developing a new IT system, upgrading your infrastructure or applications, or reporting compliance, these are moments when a VA makes sense. Each time you run a VA, you’ll get the latest vulnerability information on your assets, the vulnerabilities that can potentially threaten them and indicators to strengthen your defenses.
So, if you need to have regular VAs in order to close security gaps, can you opt for an automated tool and perform assessments yourself? Maybe…but you’ll pay a bigger price in the end. VAs deliver reams of data. Some of it might indicate the need for a simple patch, and some of it might indicate a serious problem that requires server hardening, network reconfiguration or other in-depth responses. Having an expert on hand to help you identify the difference is essential.
Before you engage with a vendor, make sure you know what you’ll get. You’ll want someone who will sit down across from you after the assessment, explain the resulting report and recommend a roadmap to remedy security gaps – then do it all again when it’s time for your next VA.
Find out more about making VAs part of your ongoing IT security regimen. Download our free e-book, “Vulnerability Assessments: Gauging the Health of your Security Program.”
