Don't [You] Forget About [Me]... (or Forgotten Components of a Vulnerability Management Program)

Often when standing up a vulnerability management program, people think that it is fairly simple and purely technological in nature. “You just buy and deploy a solution from one of the big three VM vendors, add some IP address ranges or asset lists, run some scans, looking over the results, and cut remediation tickets. Maybe some follow-ups. Piece of cake.” Sounds simple, right? Well, that’s certainly part of it, it’s not all of it. Many times, equally important components, such as Governance, Reporting, and Prioritization get overlooked or forgotten entirely. In this talk, we will discuss some often overlooked, but still critical, components of an effective vulnerability management program.