How to talk vulnerability management with the C-suite – and make them care

Promo When you’re running security, it can be hard not to feel you’re slogging away in the trenches, saving your organisation on a daily basis, but getting precious little in the way of recognition and even less in terms of budget.

Yes, you know vulnerability management is not just important, but crucial to the health of your organisation. But do you ever get the feeling when you’re explaining this to non-techie folks that they might as well be looking at that waterfall of 1 and 0s that Hollywood defaults to when something computery is going on?

It’s all too easy to think that no one gets what you do, why you do it, or what it means.

But you’d be mistaken. Rapid7 wants you to know that with its InsightVM solution, you not only understand how to track and manage vulnerabilities and assess risks right across your infrastructure, you also understand how to get the rest of the organisation to grasp the importance of your team’s efforts to the success of the organisation as a whole.

In fact, the good folks at Rapid7 have produced a small but perfectly formed ebook to explain the “4 Steps to Prove the Value of Your Vulnerability Management Program” and you can download it right now.

As Rapid7 says, “operational metrics alone can’t prove value or efficiency, but they can be building blocks for more meaningful analysis.” And that’s what will make the rest of the organisation sit up and take notice.

So working with InsightVM means that not only can you, for example, cut detection and remediation times, but using its Goals and SLA tooling, you can demonstrate progress and business impact to the rest of the organisation, including the C suite in terms they understand.

Essential to this, as the ebook explains, is aligning your key risk indicators with the company’s key performance indicators.

Does security have anything to do with marketing and PR? Think about how remediating “celebrity vulns” helps head off the wrong sort of news. Is sales productivity important? Imagine how much more productive the sales force could be once you’ve identified and removed obsolete platforms. (Yes Windows 7, we’re looking at you).

The aim is to prove the value and ROI of your vulnerability management program and be “recognized and celebrated for your team’s contribution to the business.” Who wouldn’t want that?

As one user cited in the book explains, “When you aren’t part of the business play, you are just another cost center.”

So while Rapid7 can’t unequivocally promise you’ll get the respect of your peers, more budget for your team, and a nice raise for yourself, it’ll certainly help you make a much better case for all the above. Want to read more? Head here.