Vulnerability Management Maturity Models: Analyzed

I looked around for the model that was originally shown on Security Weekly, but I was never able to find it. That’s unfortunate, because it looked useful. They never specifically mention it, but I think their model was based off the Gartner maturity model for endpoint security, which looks like this:


That was blatantly stolen from Tripwire (click the picture for the article), who lifted it from a SANS presentation, and it pretty clearly shows that it isn’t all improvements. Things level off, or can even begin to degrade, as you gain more information about your environment. More information means that you have to begin to really manage the information rather than just react to scan data, or whatever the data may be. It’s a key point that these models address in different ways. And there is no “best” model. Each organization must choose a model suited for them, and then change that model up, customize it. These are just a platform to start from in building a way ahead for your own organization.

My favorite model that I reviewed was the Core Security model. That graphic alone is a winner; I can take that graphic and give it to my boss and he will immediately understand what it means. I can tell him where we are on the curve, and it will make sense. More importantly, our challenges will make sense and there is a clear way ahead. It addresses the problem of information overload directly and gives clear indications of how to move past that to effectively manage your environment. When I first read about this idea of a model to gauge your vulnerability management program, this is pretty much what I was hoping to find.

That doesn’t mean it is a complete solution, but as I said, nothing is. The key is adapting this model to your organization in such a way that it keeps the key features without losing what makes it effective. That is a project I’m working on now. I won’t (can’t, they would never let me) share the results, but I don’t think it would matter to anyone else. My results will be specific to my own experience and to making the gains that I need to make within the constraints that I know I have. Each organization can, and should, look at themselves through the lens of one of these models and see what they can change.

I’m giving a talk about this next week at NovaHackers. It will be my first ever talk there (or meeting attended) and I will try not to bore everyone to death with this, but I actually enjoy writing and thinking about it. It’s easy to nerd out over charts and graphs, so I will keep it simple. I’m taking the CEH on Wednesday. I’m not worried about passing it; it’s only that if I fail I’ll be a laughing stock and it’s 700 bucks down the drain. No pressure. Next week… I am not sure what I’m going to write about.