Vulnerability Management: The CIO’s Other Job

by drjim on July 6, 2009

CIOs Will Get The Blame If They Don't Do A Good Job Of Vulnerability Management

The role of a CIO is to find ways to apply IT to enable the rest of the company to grow quicker, move faster, and do more. As part of this task a CIO needs to take steps to ensure that nothing happens to prevent it. This side of the job is not nearly as glamorous; however, it is at least as critical. What can a CIO do to ensure that nothing bad happens to a firm’s IT systems?

The Job Of Vulnerability Management

The first step in ensuring that a firm’s IT systems continue to allow the company to move forward is to come to terms with the real world. This means that CIOs need to acknowledge that the world can be an ugly place and there will always be outsiders who want to do harm to your firm. The person in the firm who will be most interested in what is being done to defend against attacks on IT systems will be the CFO. When discussing vulnerability management with the CFO, the CIO needs to explain that at its heart it’s really just the principles involved in risk management combined with practical logic and an understanding of business value for the firm.

How To Do Vulnerability Management

Although a CIO won’t actually perform the process of Vulnerability Management, he/she is responsible for ensuring that the program is set up correctly. This means that the three key components of a Vulnerability Management program need to be put in place:

  • Data Collection Needs To Be Integrated: Attacks on your IT systems rarely show up all at once. Instead, there is a sequence of minor events that occur as your defenses are probed looking for weaknesses. Having all of your data on system configurations, patch status, and access management policies in one place is a critical part of providing you with the ability to identify issues and respond proactively.
  • Prioritize Based On Business Value: Look, we are all busy and have too little time and budget to begin with. If you understand the value of each IT system, then you can allocate resources appropriately. Not all events require a full-blown response – low-value systems can be monitored further. Defenses for such systems can be augmented on your schedule as opposed to on an emergency schedule.
  • Improve, Improve, Improve: Vulnerability management is not something that can be done once and then forgotten about. The world is constantly changing and your program will need to be constantly refined to adapt to new threats.
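As an added illustration of the first two components (this is example code, not from the original post), the Python sketch below folds constructed configuration, patch and access records into one exposure count per system and then sets the response tier from exposure weighted by business value; the sample data, the scoring and the thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed sample feeds (hypothetical data), one record per system, of
# the kind an integrated vulnerability-management data store would hold.
CONFIG = {"erp-db": True, "hr-portal": False, "kiosk-01": True}  # deviates from baseline?
PATCHES = {"erp-db": 2, "hr-portal": 2, "kiosk-01": 3}           # missing critical patches
ACCESS = {                                                        # standing admin accounts
    "erp-db": ["svc_backup", "dba1"],
    "hr-portal": [],
    "kiosk-01": ["localadmin"],
}
BUSINESS_VALUE = {"erp-db": 5, "hr-portal": 3, "kiosk-01": 1}    # 1 low .. 5 critical

@dataclass
class Finding:
    system: str
    exposure: int   # raw weakness count across the three feeds
    value: int      # business value assigned to the system
    priority: int   # exposure weighted by business value
    response: str   # emergency / scheduled / monitor

def integrate(config, patches, access):
    """Fold the three feeds into a single exposure count per system."""
    systems = set(config) | set(patches) | set(access)
    return {s: int(config.get(s, False)) + patches.get(s, 0) + len(access.get(s, []))
            for s in systems}

def triage(exposure, value, emergency_at=10, schedule_at=6):
    """Rank systems by exposure * business value and pick a response tier.
    Thresholds are illustrative; a real program sets them from its risk appetite."""
    findings = []
    for system, exp in exposure.items():
        v = value.get(system, 5)  # an unvalued system is treated as critical until valued
        score = exp * v
        if score >= emergency_at:
            response = "emergency"
        elif score >= schedule_at:
            response = "scheduled"
        else:
            response = "monitor"
        findings.append(Finding(system, exp, v, score, response))
    return sorted(findings, key=lambda f: f.priority, reverse=True)

if __name__ == "__main__":
    for f in triage(integrate(CONFIG, PATCHES, ACCESS), BUSINESS_VALUE):
        print(f"{f.system:10} exposure={f.exposure} value={f.value} "
              f"priority={f.priority:2} -> {f.response}")
```

In the sample data erp-db and kiosk-01 carry the same raw exposure, yet only the high-value ERP database lands in the emergency tier while the kiosk is left to be monitored, which is the point of valuing each asset.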

Final Thoughts

A CIO can do a great job of empowering the rest of the company to accomplish wonderful things; however, if the firm’s IT systems are compromised then all of the good that he/she has done will be forgotten in a flash. A well-executed vulnerability management program provides a way to defend the firm against a cruel world. CIOs who follow the three steps that we’ve discussed will have found a way to apply IT to enable the rest of the company to grow quicker, move faster, and do more.

Questions For You

Does your firm currently have a vulnerability management program? Have you taken the time to assign a business value to each of your IT assets, or does everything have the same value? Do you constantly refine your vulnerability management program based on changes in your IT systems and the direction of your business? Leave me a comment and let me know what you are thinking.

What We’ll Be Talking About Next Time

What does it take to do a really good job of securing your company’s systems and data? Is it just a matter of picking and implementing the right software or hardware solution? Is there a consulting firm that you can pay millions to who will come in and take care of this problem once and for all? Bad news – the answer is no
