Growing Up: A Maturity Model and Roadmap for Vulnerability Management presented at SourceBoston 2015

by Eric W. Cowperthwaite

Summary: There are differences between each of the high-profile hacks you’ve seen in recent headlines, but there are also a few consistent characteristics of the modern breach. Inevitably, we discover that known software vulnerabilities were left unpatched, networks were exposed and critical assets were open to attack. This pattern is repeating itself because – across industries and sectors – threat and vulnerability management (TVM) programs are operating far below their potential, and most leaders don’t know how to take their programs to “the next level.”
That’s why Eric and the team at Core Security created the five-level Threat and Vulnerability Management Maturity Model. It uses a traditional Carnegie Mellon maturity model to illustrate the continuum of capability that an organization can implement. This is a significant departure from the current approach to vulnerability management, which essentially calls for implementing a vulnerability assessment product, establishing a few basic measurements to prioritize patch management, and putting in place few, if any, means of measuring the efficacy of the program. In fact, today’s typical TVM program will be somewhere around level one or two in this Maturity Model.
During this session Eric will outline the five levels, and attendees will be able to easily identify where their respective organizations stand on the Maturity Model. He will also review the specific steps necessary to advance through each level, ensuring attendees leave with clear action items for maturing their TVM programs.