Over 6 years ago, when working for a Professional Services organization and responsible for developing key Security propositions for customers, I first developed an approach for "Vulnerability Lifecycle Management".
At the time the solution involved manual integration of a range of technologies from a range of different vendors:
- network vulnerability assessment tool
- patch management tool
- compliance management tool
- risk reduction tool (Host based IPS)
- security intelligence feed
At that time this involved identifying a range of tools from a number of different vendors, and the associated technical and procedural integration of inputs and outputs from each. There were challenges with the different cost models for licensing this complex solution, let alone the technical integration of the various input and output formats.
Jumping forward from 2006 to 2012, this type of solution is entirely deliverable from a single set of integrated tools delivered by Symantec.
The Control Compliance Suite, through integration with Altiris, Deepsight and Critical System Protection enables an organization to implement a complete Vulnerability Lifecycle Management solution.
Not only that, but it also addresses the challenge of delivering policy and procedural controls with supporting evidence.
It has never been so easy for an organization to address this ever more important facet of Information Security with automated and efficient tools.
So, why are organizations still challenged with addressing this? I'd value any and all comments to this post while I seek feedback from the customers I talk with on a daily basis.