Core Security’s Vulnerability Management Maturity Model

Core Security’s model is more robust and detailed than the previous one. They drafted it based on issues their clients had run into in the past, and modeled it on the evolution of a security program. They’ve built in milestones and more steps to help organizations define where they are on the roadmap, although they are quick to say that this does not imply that every organization should ideally be at level five of the model.

The model is broken into six levels in total, starting from level zero. The levels are further grouped into three pairings that describe the overall status of those levels, and significant indicators are given at the boundary between these groups as to what crossing into the next group means. Let’s deal with the three groups first. They are:

  • Blissful Ignorance
  • Awareness and Early Maturity
  • Business Risk and Context

Blissful Ignorance covers the first two levels, where an organization does not have visibility into the full scope of threats to the enterprise, or possibly even into the scope of the enterprise itself. The boundary that crosses from this group to the next is titled Peak Data Overload, and it describes the problem organizations have when they implement tools that produce information without having the tools to put that data in context and glean insight from it. Once into the Awareness and Early Maturity group, that context, gained through new tools and processes, builds and allows the organization to make increasingly effective use of its data. The boundary that crosses into the next group from here is named Effective Prioritization, which really just describes the implementation of risk management within the enterprise using the available data. The last group is Business Risk and Context, and it is at this point that we’re truly talking about a mature program that is not just addressing risks, but incorporating the true business impact of those risks.


This layout makes it easy to grasp, in quite broad strokes, what the specific levels mean without delving deeply into any of them. You know immediately, based on the group, where an organization is with data analysis, and can probably make some educated guesses about the status of its tool implementations. The groups are further divided into levels, which are:

  • Level 0: Non-Existent
  • Level 1: Scanning
  • Level 2: Assessment and Compliance
  • Level 3: Analysis and Prioritization
  • Level 4: Attack Management
  • Level 5: Business-Risk Management

Level 0 is exactly what it sounds like: no program, minimal controls, no mitigation strategies. Level 1 introduces scanning on some level and some amount of mitigation based on those scans, but no consistent plan for either. Level 2 is where the program actually starts to coalesce, with scheduled scanning driven specifically by some sort of compliance framework and a plan for mitigation. Level 3 begins to get into real risk management, starting the process of prioritization and trending. Level 4 shifts the focus: it assumes that the processes for scanning and patching have become mature enough to support that shift, and starts looking at actual threats and attackers. The last step, Level 5, integrates with business processes and looks very much like the continuous monitoring cycle that is so often talked about.

This model has a lot of great information in it, and overall I like how it is organized. It is easy to read, and most people can look at it and, without much analysis, guess where they are going to fall in the model, and probably be correct. I like that Core Security is very blunt about the state of most programs, stating that they will mostly fall somewhere between levels 1 and 2, and that they offer several specific measures to help organizations grow within the context of the model. Core Security focuses on operational context in their proposed solutions, extending vulnerability management into other tools and security realms so that it is truly integrated into the business.

On the negative side, the model is not a fit for every organization. It is more specific, which is good for implementation, but that specificity can limit the ability of an organization to grow within the model. Smaller organizations especially will have trouble adopting some of the prescribed measures, which can be quite costly or resource intensive. Core Security does point out that the objective for every organization will not necessarily be to progress continuously to the end as a “goal”, but that undercuts some aspects of the usefulness of the model as well.

Overall, Core Security’s model is a very strong and very detailed one. The fact that I can immediately look at it and tell where my organization is and where our higher headquarters is, is pretty amazing for any model. Core Security focuses on the problem that most people have, which is too much data and not knowing what to do with it. Next week, assuming I’m not late again, I will be looking at the VM3 model from Digital Defense Incorporated.


Related links:

The Threat and Vulnerability Management Maturity Model