As is the case for any high-performing team, the talent and experience of your personnel are paramount to delivering successful outcomes. Although there’s no one-size-fits-all solution, we have shared the certifications, experiences, and traits that we believe are important to consider when building an effective vulnerability management team.
What does your team need to know to run a successful vulnerability management program?
First and foremost, your team needs to have a clear understanding of your organization’s IT estate. This includes the traditional elements of an estate, such as servers and endpoints, as well as new and emerging technologies, such as cloud platforms, microservices, and APIs. An awareness of how these systems depend on each other to perform their function is also needed.
Vulnerability management teams also need to understand the role and importance of individual assets with respect to your organization’s business objectives. For an ecommerce business, priority assets could be web servers, IP ranges, and payment integrations, as downtime could result in lost revenue and reputational damage. Ensuring your team can accurately carry out asset-based prioritization is key to running a successful, effective program.
An asset’s business and technical owners also need to be clearly documented. This will streamline collaboration and ensure your team can take action as quickly as possible when a particular asset is vulnerable.
What training and experience set you up to run a good program?
- Tool-specific certifications and training: Platforms like Tenable, Qualys, and Rapid7 offer their own training programs. These certifications help ensure your personnel can get the most out of the tools, as well as understand how they interact with other platforms, and the role they play within the vulnerability management ecosystem.
- Associated technology certifications and training: Both business IT assets and the vulnerability management tools themselves often rely on other infrastructure. Ensuring your team has a thorough understanding of these technologies is of huge benefit. This could include gaining certifications for Azure, AWS, Google, and VMware.
- Industry certifications and training: There are a number of other non-vendor-specific certifications that teach important concepts about IT infrastructure and cyber security, including:
  - CompTIA (The Computing Technology Industry Association) – professional certifications for the IT industry
  - CREST – UK-based certifications that demonstrate a high calibre across a range of cyber security disciplines
  - SANS – US-based certifications and training for IT and cyber security professionals
When hiring new talent for our Managed Vulnerability Scanning team, there are several traits that Rootshell’s Director of Managed Services pays particular attention to.
The first is curiosity. The nature of vulnerability scanning, in terms of analysing data and making recommendations, requires looking beyond the surface of results and digging into the problems.
The second is strong communication skills. IT security professionals need to be able to translate technical, complex concepts into simple terms, and clearly articulate risk and its associated impact to senior stakeholders.
Finally, attention to detail is essential to cyber security. Particularly in vulnerability management, the consequences of failing to identify a critical vulnerability could be disastrous.
Other Useful Experience
Although not essential, there are a number of other skills and abilities that are highly beneficial to vulnerability management teams, including:
- Penetration testing: Pen testers have first-hand experience of how vulnerabilities can be exploited by threat actors, helping your team gain a deeper understanding of the potential risk and impact of issues.
- Infrastructure design: Experience in infrastructure design provides deep insight into how an IT estate fits together. From a security perspective, this is important for evaluating vulnerability exposure.
- Network analysis and troubleshooting: An understanding of network operations, as well as how network-related issues can be resolved, provides an additional layer of analysis when evaluating the severity of a vulnerability.
- Log analysis: The ability to make sense of computer-generated records, also known as log files, provides a greater understanding of how an organization’s IT infrastructure operates.
Good people are key to the success of vulnerability management programs. Identifying the varied range of skills required for success, as well as providing training opportunities to continuously evolve your team, will ensure your vulnerability management program can be executed as effectively as possible. You can also read more about the processes behind a highly successful program.