Compliance is critical, necessary and not evil. Every organization wants to meet its compliance requirements, and risk assessments and vulnerability management are key to achieving them.
Most of the time, organizations see Vulnerability Management as just another checkbox in the pursuit of compliance. They forget or ignore many of its aspects, or they lack the concrete foundations needed to run a well-drilled, well-oiled Vulnerability Management process, and the process grows complicated or fails mid-way. Our job is to make the process as smooth as possible, and sometimes it is better to start at step 0.
The earth has been trembling for a while now; the great Himalayan quake has left the Nepalese dazed and razed. In India we have been rumbling for weeks now, and we are all scared of the unknown. No one can predict the timing of an earthquake.
My professional service line is equally unpredictable. I work in the area of software security, yet I cannot predict a breach. I can map an organization's vulnerable seismic zones and quantify the severity of a breach (à la Richter scale), yet I cannot predict the exact timing of a breach.
Just as the great tectonic plates move and collide in an earthquake, vulnerabilities also connive to move in groups and expose an oceanic trench for the prying hacker waiting with his fishing rod for a prized catch. Vulnerability management that is mistaken for, or reduced to, a one-off vulnerability assessment is not adequate to secure organizations.