Seven Steps to Building a Mature Vulnerability Management Program


For the past two years, cybersecurity teams have been facing an explosion of publicly reported vulnerabilities in software and hardware products, making it increasingly challenging to prioritize patch management.

Speaking at Infosecurity Europe 2025, Jon Ridyard, Senior Sales Engineer at Axonius, proposed seven best practices for building mature vulnerability management processes and avoiding burnout.

1. Process: Incorporate CTEM Concepts

According to Ridyard, vulnerability management should not be seen as a program, as it would imply closure with an end date when the program’s goals have been met.

Instead, he emphasized the importance of integrating aspects of continuous threat exposure monitoring (CTEM) into vulnerability management processes.

This means that vulnerability management teams must ensure a continuous process, regularly evaluated with breach simulation, attack path analysis and automated testing.

“They shouldn’t only react to ‘celebrity’ common vulnerabilities and exposures (CVEs) or one-off siloed events, after scanning, for instance,” Ridyard explained.

2. Prioritization: Go Beyond the Technical Score

While useful for vulnerability managers, Ridyard said that technical scores, such as the Common Vulnerability Scoring System (CVSS), are flawed because they lack context.

“A CVSS score does not understand your state of security, it does not account for risk vectors specific to your business and it does not know what your crown jewels are,” said the sales engineer. “Also, technical scores are difficult to communicate with your stakeholders,” he added.

He recommended developing a company-specific vulnerability and patch management matrix with different levels of risk prioritization (e.g. urgent, high, medium, low, exempted) depending on three categories of data:

  • Security context: the CVE entry and CVSS score
  • Asset context: the deployment environment (on-premise, on endpoint, in cloud environment…), the status of endpoint protection and the status of public exploitation
  • Business context: the broader business impact of a potential exploitation

3. Offload Triage: Automate Steps Before Mobilization

Once practitioners have established a matrix to rely on for remediation, they still need to triage the detected vulnerabilities and prioritize them.

To make this process easier, Ridyard recommended using a combination of manual triaging methods and automation, which can be used to gather what he called “obvious information about the vulnerabilities.” This can include the CVE identifier, if applicable, as well as the CVSS and Exploit Prediction Scoring System (EPSS) scores.
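As an added illustration (not code from Axonius or from the talk), the following Python sketches a company-specific matrix of the kind described above: a likelihood band is derived from the security and asset context, an impact band from the business context, and a lookup table maps the pair to one of the five levels, while the triage helper shows the CVE/CVSS/EPSS enrichment step being automated. All thresholds, field names, tier names and sample CVE ids are assumptions or constructed placeholders.

```python
from dataclasses import dataclass

# Five levels from the talk, in mobilisation order (most urgent first).
PRIORITIES = ("urgent", "high", "medium", "low", "exempted")

@dataclass(frozen=True)
class Finding:
    cve_id: str            # constructed placeholder, not a real advisory
    cvss: float            # security context: CVSS base score, 0-10
    epss: float            # triage enrichment: EPSS exploit probability, 0-1
    known_exploited: bool  # asset context: exploitation observed in the wild
    internet_facing: bool  # asset context: exposure of the deployment
    edr_protected: bool    # asset context: endpoint protection status
    business_tier: str     # business context: "crown_jewel" | "standard" | "sandbox"
    risk_accepted: bool = False  # formally accepted by the business -> exempted

def likelihood(f: Finding) -> str:
    """Security + asset context -> 'high' | 'medium' | 'low' (thresholds assumed)."""
    if f.known_exploited or f.epss >= 0.3:
        return "high"
    if f.cvss >= 7.0 and f.internet_facing:
        return "high"
    if f.cvss >= 7.0 or (f.cvss >= 4.0 and not f.edr_protected):
        return "medium"
    return "low"

def impact(f: Finding) -> str:
    """Business context (crown jewels) -> 'high' | 'medium' | 'low'."""
    return {"crown_jewel": "high", "standard": "medium", "sandbox": "low"}[f.business_tier]

# The company-specific matrix: (likelihood, impact) -> priority level.
MATRIX = {
    ("high", "high"): "urgent", ("high", "medium"): "high",   ("high", "low"): "medium",
    ("medium", "high"): "high", ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium",  ("low", "medium"): "low",     ("low", "low"): "low",
}

def prioritize(f: Finding) -> str:
    return "exempted" if f.risk_accepted else MATRIX[(likelihood(f), impact(f))]

def triage(findings):
    """Automated triage: rank enriched findings by matrix level, most urgent first."""
    ranked = sorted(findings, key=lambda f: PRIORITIES.index(prioritize(f)))
    return [(f.cve_id, prioritize(f)) for f in ranked]

# Constructed sample findings; note the 9.8 CVSS is NOT the top of the queue.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, True, True, "standard"),
    Finding("CVE-0000-0002", 5.3, 0.45, False, False, True, "crown_jewel"),
    Finding("CVE-0000-0003", 7.5, 0.01, False, False, False, "sandbox"),
    Finding("CVE-0000-0004", 9.1, 0.90, True, True, False, "standard", risk_accepted=True),
]

if __name__ == "__main__":
    for cve, level in triage(SAMPLE):
        print(f"{cve}: {level}")
```

Sorting by CVSS alone would put the 9.8 first; the matrix puts the 5.3 on a crown-jewel asset with a high EPSS ahead of it, which is the contextual ordering Ridyard argues for.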

4. Remediation: Add Logic to Automate Resolution

Similarly, Ridyard suggested automating some aspects of the remediation process, including fixing vulnerabilities and applying compensatory or mitigating controls.

“Remediation is not an analog switch: create logic to decide for and pull the trigger when automation is possible,” he added.

5. Mobilization: Formalize and Gamify Collaboration

As vulnerability management can involve people across different teams within an organization, Ridyard advocated for formalizing collaboration and establishing clear rules about who is responsible for what.

He suggested gamifying patch management, for instance in the form of a friendly competition, as a good way to incentivize collaboration. “By doing this, you will turn a chore – vulnerability remediation – into a fun activity,” he explained.

6. Metrics: Set and Communicate Expectations

Another key element to establish for a healthy vulnerability management process is setting up expectations – in the form of protection level agreements (PLAs) – with the board and the overall business, based on the budget allocated to the security team.

“For instance, if I were given a $10,000 budget to agree to patch vulnerabilities in a certain category within seven days, taking any longer will mean I failed to meet the PLA, and I can be liable if something bad happens because of this,” Ridyard said.

7. Wellbeing: Empower and Entertain Your Security Practitioners

Finally, Ridyard emphasized the need to empower security team members so that they feel they are doing meaningful work.

“Be proactive and encourage creativity,” he concluded.
