Many organizations use vulnerability assessment software to scan their network for potential weakness. At first blush, the idea is attractive: Just click the Start button in the software's UI and wait for the report that tells you where you aren't secure. But the reality of vulnerability assessment is less pretty. Although you might want concise information that requires little human intervention and analysis, what you actually get is a mountain of marginally comprehensible data. To make matters worse, the typical complexity of corporate networks combined with the relative immaturity of vulnerability assessment software means that the completeness and accuracy of assessment reports leave something to be desired. But these caveats aside, when vulnerability assessments are implemented properly, few IT security investments provide better ROI. The real return lies not in assessing a network for vulnerabilities but rather in assessing an IT organization's ability to protect the network.

In a scenario that's all too common, an administrator chooses a vulnerability assessment tool, runs it on the network, and then, after seeing the report listing thousands of vulnerabilities, shows the results to management, inciting fear, uncertainty, and doubt (FUD). From management's standpoint, a vulnerability assessment report raises several questions, such as "If we fix all of these problems, what's to prevent them from happening again in the future?" and "Is this an acceptable level of vulnerability? If not, what is an acceptable level?" Because a vulnerability assessment represents only a picture taken at a specific point in time, the tendency is to make business decisions in reaction to the results. The key to making vulnerability assessment work for your organization is to focus on the programmatic aspects of vulnerability assessment from the start.

To that end, creating a successful vulnerability assessment project requires organization. To simplify the assessment process, break the project into four phases:

  • Plan the project.
  • Assess the network.
  • Prepare the results.
  • Report the findings.

Phase 1: Plan the Project
During the planning phase, you identify and set goals for the assessment project, identify the systems you want to assess, create the project timeline, and assign project roles and responsibilities. Remember that completing a vulnerability assessment only once confers little benefit: When creating your timeline, be sure to schedule at least three passes. The first two assessments establish a baseline against which you can compare the third.

As I mentioned, the ROI in a vulnerability assessment lies in its ability to measure how well your IT staff protects your network. Because vulnerability assessment is software-driven, its data is objective and easily quantified. These qualities make a vulnerability assessment an excellent tool with which to measure improvement.

For example, you can scan a set of target systems the first week of each of three consecutive months, each time providing a list of the vulnerabilities you're scanning for and proposing remediation to the IT staff responsible for managing those systems. Between-scan metrics such as the percentage of hosts that remain vulnerable, number of hosts with new vulnerabilities, and percentage of hosts in compliance with baseline security and patch updates are excellent measures of your IT staff's effectiveness. If you run the same set of scans on various business units, you'll have a basis for comparing the policies, processes, and people in those business units. Over the long term, data from vulnerability assessments can be valuable information to consider when you need to justify compensation adjustments and promotions for IT administrators and managers.

To ensure that the results of your assessment project are open to objective analysis, you need to create a project scope that is as precise as possible. Include the target systems, the vulnerabilities being assessed, and when the assessment scanning will take place. Figure 1 shows what a typical project scope might look like.

Phase 2: Assess the Network
This phase begins with your selection of the vulnerability assessment tool you'll use to detect the vulnerabilities that you identified in the planning phase. After you have your toolset in hand and have verified that it can meet your needs, you can begin scanning your target systems.

Phase 3: Prepare the Results
Before you present the assessment results, you'll need to translate the raw data into a more useful and readable form. At a minimum, add suggested remediation strategies to the assessment data for each of the vulnerabilities that your scope identifies. Doing so accelerates your IT organization's ability to resolve the vulnerabilities in a timely manner. Remember that, from management's viewpoint, empowering your IT staff to improve security has much more value than simply identifying problems

Figure 2 gives an example of how you might prepare your findings. For a more in-depth report, you could rate the risk that each vulnerability presents. Adding such information will help your IT staff prioritize its efforts should you find a significant number of vulnerabilities. A thorough report also gives management a more informed basis for comparing results between business units.

Phase 4: Report the Findings
When you present your findings, be sure to highlight both how the IT staff remediated the vulnerabilities that the assessment discovered and how the staff's performance improved between assessment passes. This information will help drive discussion about which processes and strategies worked well and which processes and strategies can be improved, in addition to the more basic discussion about vulnerabilities.

The Net Impact
From a management perspective, a properly constructed and executed vulnerability assessment project can yield enormous insight into an IT organization's ability to manage and secure the network. In the long run, the strategic nature of this ROI will greatly outweigh the return that a tactical discovery of vulnerabilities will.