How VMware IT Delivers Effective Vulnerability Management. Hint! It Takes More Than Technology (Part 2)

Photo of Person Sitting at Laptop

By Colin Minihan, Director, Cloud Application Security

In part one of our blog series, we discussed how VMware IT used technology to advance its approach to vulnerability management for addressing changes to the development and operation of software solutions, continued digital transformation, and a cloud focus. In this blog, we focus on the value of communication and collaboration with other VMware IT teams.

At VMware, our approach with vulnerability management is collaborating with teams operating corporate and cloud services. The vulnerability management team focuses on discovering security vulnerabilities, informing relevant stakeholders, and supporting the remediation or mitigation of discovered vulnerabilities.

Beyond Discovery and Notification

Following notification, the vulnerability management team does not take a passive role in remediation. Discovered vulnerabilities are communicated to operations teams that can patch or harden against the vulnerability. We communicate with the leadership on how well VMware service level agreements (SLAs) are met and whether there are operational or organizational improvements that require their involvement.

While the vulnerability management team must identify when stakeholders do not address security issues with risk-based urgency, we take a collaborative approach. We convey urgency, set agreed-upon resolution timelines, and ensure VMware engineers are knowledgeable about the steps required to remediate the security vulnerabilities.

As part of security and resiliency at VMware, the vulnerability management team is an essential source of information to the engineering and operations teams by helping to detect issues early and facilitate remediation. Beyond the automated notifications that are necessary to communicate individual security vulnerabilities to teams, we have an outreach program that includes conducting training, holding regular business unit interlock meetings, and presenting check-ins at leadership staff meetings.

To support ad hoc questions, we make ourselves available to assist teams during office hours, on messaging channels, and with distribution mailing lists. Since our team has visibility across the enterprise, we often connect operations teams with others who have faced similar vulnerabilities and advise on successful remediation steps.

Communication and Collaboration: Essential for Effective Vulnerability Management

The vulnerability management team leverages an array of discovery techniques for identifying vulnerabilities, and communicates these at scale using automation and contextualized, risk-based recommendations. We extend this value by supporting teams and leaders throughout the remediation process with advice on both tactical security fixes and strategic organizational improvement opportunities.

In security, there is no such thing as zero risk and therefore we continue using the successful practices that work today while looking for new approaches. Our ability to respond quickly to technology evolution and adapt to change is our strategy for the continued success of vulnerability management at VMware. Effective communication and collaboration with our VMware IT colleagues will be essential for executing on that strategy.

If you missed part one of this two-part blog series, read it here.

VMware on VMware blogs are written by IT subject matter experts sharing stories about IT’s transformation journey using VMware products and services in a global production environment. Visit our portal to learn more or contact VMware on VMware to speak with one of our IT subject matter experts. Follow VMware on VMware on Twitter.

Posted by Editor