Orbitz CISO's advice on managing vulnerabilities


It's beginning to look like the rate of vulnerabilities is outpacing the ability to fix them. The work required to keep up with security and compliance tasks--patching, deploying controls, etc.--is growing faster than the IT department's resources.

Ed Bellis, CISO for Orbitz, shares his thoughts on today's typical vulnerability management approach, which he says often consists of more vulnerability than management. In a post at CSO Online, he offers up his own experience in how to get a better handle on dealing with your company's risks.

Before vulnerabilities can be effectively managed, organizations first need to identify the categories of risks that are taking up resources. This, Bellis says, is not difficult because there should be more than enough data available. At Orbitz, Bellis was able to categorize vulnerabilities under groups such as custom applications, off-the-shelf applications, database and network, among others.

"Many security practitioners complain about not having enough data to make these decisions. I argue we will never have a complete set but we already have enough to make smarter choices. By mining this data, we should be able to create a much better profile of our security risks," Bellis writes.

The vulnerability data that you collect can be combined with other sources--such as breach statistics reports and other threat data that pertain to your business--to figure out which are the most critical risks. Then you can determine different ways to mitigate the risks, including using custom code, changing configurations or disabling services.
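As an added illustration of the two steps above (not code from Bellis's post or from Orbitz), the following Python sketch first counts findings per category to show where remediation effort is going, then folds per-category threat weights and asset exposure into a simple score to rank them. The findings, the threat weights and the multipliers are all constructed assumptions for the example.

```python
from collections import Counter

# Constructed sample findings (assumption: not real data). Category labels
# follow the groups named in the post: custom applications, off-the-shelf
# applications, database and network.
FINDINGS = [
    {"id": "V-1", "category": "custom application", "cvss": 7.5, "internet_facing": True},
    {"id": "V-2", "category": "custom application", "cvss": 5.0, "internet_facing": False},
    {"id": "V-3", "category": "off-the-shelf application", "cvss": 9.8, "internet_facing": False},
    {"id": "V-4", "category": "database", "cvss": 6.5, "internet_facing": False},
    {"id": "V-5", "category": "network", "cvss": 4.3, "internet_facing": True},
    {"id": "V-6", "category": "network", "cvss": 4.3, "internet_facing": True},
]

# Constructed per-category multipliers standing in for the breach statistics
# and threat data the post says to combine with scanner output (assumption:
# illustrative values, not taken from any published report).
THREAT_WEIGHT = {
    "custom application": 1.5,
    "off-the-shelf application": 1.2,
    "database": 1.4,
    "network": 1.0,
}

def category_load(findings):
    """Step 1: count findings per category to see which groups consume resources."""
    return Counter(f["category"] for f in findings)

def risk_score(finding, threat_weight=THREAT_WEIGHT):
    """Step 2: combine base severity with threat context.
    Categories absent from the weight table get a neutral 1.0; internet-facing
    assets get a further 1.25x boost (assumed multiplier)."""
    weight = threat_weight.get(finding["category"], 1.0)
    exposure = 1.25 if finding["internet_facing"] else 1.0
    return round(finding["cvss"] * weight * exposure, 2)

def prioritize(findings, threat_weight=THREAT_WEIGHT):
    """Return finding ids ordered by descending risk score; ties broken by id."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f, threat_weight), f["id"]))
    return [f["id"] for f in ranked]

if __name__ == "__main__":
    print(category_load(FINDINGS))
    for fid in prioritize(FINDINGS):
        print(fid)
```

Note that the highest raw CVSS finding (V-3) does not come out on top: the exposed custom-application flaw outranks it once threat weight and exposure are applied, which is the point of the holistic view the post argues for.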

"Taking a holistic view of the data including a threat-based approach will result in a much more efficient remediation process while fixing the issues that matter most," Bellis writes.

For more:
- see Ed Bellis' post at CSO Online
