Building a Continuous Vulnerability Management Strategy

Author
William Bell
Vice President, Solutions and Products

In IT, the one constant that we must learn to accept is change. Sometimes change is incremental and sometimes change can fundamentally transform how we do business on a global scale. Change often brings with it a mix of opportunity and risk to our businesses.

Risk is usually a function of moving too quickly without a clear plan or not moving quickly enough to seize an advantage. In this article, I want to specifically focus on the need to establish and maintain a discipline of vulnerability management in the face of constantly changing circumstances.

One of my early interests was chess and I was inspired to rediscover this game after watching the Netflix mini-series “The Queen’s Gambit.” In this process of rediscovery, I kept finding that the strategy and tactics used to have a winning advantage in a chess game are very applicable to those we need to employ in vulnerability management.

Understanding the Stakes

In chess, the entire game hinges on one simple rule: if your king is checkmated, then you lose the game. In our digital lives, our data is king. That data may be customer financial data, patient health information, access control information for critical energy infrastructure, or anything else whose compromise would disrupt or harm our business.

There are a growing number of challenges facing organizations today that can create real threats to our valued assets. They include:

  • Employee churn
  • Lack of documentation and standardization
  • Increase of internal threats
  • Increase in cyber-offense capabilities
  • Costly compliance requirements
  • Gaps in visibility of security risks to the business

Understanding the Pieces

In chess, our pieces are tools, each with different strengths and weaknesses. They are most effective when used in a coordinated fashion to execute a specific strategy. The strength of a given piece and how it can be used to establish or maintain an advantage will evolve as the game progresses. This is more of an adaptive process than a prescriptive one.

Similarly, we must achieve and maintain an understanding of all the tools, processes, and resources we have available to coordinate and execute a successful vulnerability management strategy. Having tunnel vision on a single component means we could lose sight of the entire board, which decreases our ability to detect vulnerabilities and manage threats.

A good rule of thumb is to ensure you have a solid implementation of the basic controls and frameworks, such as the CIS Controls (https://www.cisecurity.org/controls/cis-controls-list/), and build from there.

Getting to a Winning Endgame

A chess game is divided into three phases: the opening, the middlegame, and the endgame. In the opening, there are several key principles that should be adopted if you want to equalize your position or gain an advantage. These same principles can be applied to how we approach vulnerability management:

  1. Develop your pieces quickly – You have to be agile, and move quickly and with purpose. In vulnerability management, this means being proactive in identifying and acting on threats to our assets, as well as consistently seizing opportunities to improve our overall cybersecurity posture.
  2. Control the center – The center of the board marks the boundary to your territory, and you should utilize your opening moves to establish and maintain control of any avenues your opponent could use to compromise your position. The requirement here is to establish and continuously re-evaluate “best practices” when executing our cybersecurity playbook. The execution needs to be effective, and every move should have a clearly understood purpose.
  3. Protect your assets – You not only need to protect your most valuable assets, but you also need to insulate the pieces that protect those assets. For example, protecting a customer’s financial data requires that we are also protecting the network systems that transport that data. Bottom line: make sure you have a comprehensive inventory of your IT assets: where they are, how they are being used, and the conditions that can put them at risk.
  4. Have a clear understanding of your strategy – As in chess, you need to have an actionable strategy when approaching vulnerability management. A game plan, if you will, of how you are going to advance your pieces while maintaining a solidly defensive posture.

In the middlegame, we continue to employ and adjust the strategy we established in the opening. I say adjust because the one constant we have is that the position on the board is always changing. The objective in the middlegame is to detect, disallow, and disrupt.

This is the same objective we need to apply to lifecycle and vulnerability management. We need to continuously acquire, assess, and act on new information to identify vulnerabilities, execute remediation strategies, and minimize the window of opportunity for attackers.

We should be continuously monitoring our position for weaknesses and our opponent’s position for threats. Moreover, we must minimize the gap of time between detection of weakness and employing an effective defense of our position.
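The asset inventory described under "Protect your assets" and the acquire-assess-act loop described above can be made concrete in a few dozen lines. The following Python is an added example written for this article, not code from the author or from NetCraftsmen. It joins a constructed inventory (where each asset is, how it is used, how critical it is) with constructed scan findings, ranks open findings by severity weighted by asset criticality, and measures the gap between detection and remediation against assumed per-severity targets. The asset names, the `VULN-000x` identifiers, the dates and the `SLA_DAYS` policy are all placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed remediation targets in days per severity (a policy choice, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Weight from what the asset holds or does; "high" for the systems where data is king.
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    location: str      # where it is
    purpose: str       # how it is being used
    criticality: str   # high / medium / low


@dataclass
class Finding:
    finding_id: str    # constructed placeholder id, not a real CVE
    asset_id: str
    severity: str
    detected: datetime
    remediated: Optional[datetime] = None


# Constructed inventory: the data store and the switch that carries its traffic
# are both "high", following the article's point about insulating the protectors.
ASSETS = {
    "db-01": Asset("db-01", "dc-east", "customer financial records", "high"),
    "core-sw-01": Asset("core-sw-01", "dc-east", "core switch carrying db-01 traffic", "high"),
    "kiosk-07": Asset("kiosk-07", "branch-12", "visitor check-in kiosk", "low"),
}

# Constructed scan results; all dates are placeholders.
FINDINGS = [
    Finding("VULN-0001", "db-01", "high", datetime(2021, 1, 15), datetime(2021, 2, 1)),
    Finding("VULN-0002", "core-sw-01", "critical", datetime(2021, 2, 10)),
    Finding("VULN-0003", "kiosk-07", "critical", datetime(2021, 2, 26)),
    Finding("VULN-0004", "kiosk-07", "low", datetime(2020, 6, 1)),
]
NOW = datetime(2021, 3, 1)  # constructed "today" so the example is reproducible


def exposure_days(finding: Finding, now: datetime) -> int:
    """Days between detection and remediation (or 'now' if still open)."""
    end = finding.remediated or now
    return (end - finding.detected).days


def missed_sla(finding: Finding, now: datetime) -> bool:
    """True when the exposure window exceeds the target for its severity."""
    return exposure_days(finding, now) > SLA_DAYS[finding.severity]


def priority(finding: Finding, asset: Asset) -> int:
    """Severity weighted by what the affected asset protects."""
    return SEVERITY_SCORE[finding.severity] * CRITICALITY_WEIGHT[asset.criticality]


def triage(findings, assets, now):
    """Open findings ranked for action: highest priority first, longest-open breaking ties."""
    rows = []
    for f in findings:
        if f.remediated is not None:
            continue
        asset = assets[f.asset_id]
        exposed = exposure_days(f, now)
        rows.append({
            "finding_id": f.finding_id,
            "asset": f"{asset.asset_id}@{asset.location}",
            "priority": priority(f, asset),
            "exposure_days": exposed,
            "days_to_sla": SLA_DAYS[f.severity] - exposed,  # negative once overdue
            "overdue": missed_sla(f, now),
        })
    rows.sort(key=lambda r: (r["priority"], r["exposure_days"]), reverse=True)
    return rows


def mean_time_to_remediate(findings) -> Optional[float]:
    """Average detection-to-fix window over closed findings: the gap to minimize."""
    closed = [f for f in findings if f.remediated is not None]
    if not closed:
        return None
    return sum(exposure_days(f, f.remediated) for f in closed) / len(closed)


if __name__ == "__main__":
    for row in triage(FINDINGS, ASSETS, NOW):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_to_sla']}d left"
        print(f"{row['finding_id']} {row['asset']:<20} prio={row['priority']:>2} "
              f"open={row['exposure_days']:>3}d {flag}")
    print("mean time to remediate (closed findings):", mean_time_to_remediate(FINDINGS), "days")
```

Two points the ranking illustrates: the critical finding on the core switch outranks the same-severity finding on the kiosk because the switch transports the financial data, and a long-open low-severity item still surfaces as overdue against its own target rather than disappearing below the critical ones. Tracking the mean detection-to-remediation time over closed findings gives a single number for the gap the middlegame is meant to shrink.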

Probably the most important lesson I have been able to extract from Jesús de la Villa’s book “100 Endgames You Must Know” is that when you arrive at the endgame, it is always objectively winning, losing, or drawn. All positions are “known.” The difference between a win and a loss comes down to whether we know how to play our position correctly. We should strive to ensure that our vulnerability management strategy accounts for all possible endgames. Our predefined playbooks, workflows, and prescribed actions should facilitate speed and precision in our response to a breach.

Conclusion

In chess, as in vulnerability management, the strategies we establish in the opening, our ability to be agile and adapt our tactics in the middlegame, and the degree of success we have at detecting and disrupting our opponent’s threats throughout will determine if we have a winning endgame or if we will be checkmated.

NetCraftsmen has decades of experience with architectural governance, security by design, and continuous lifecycle management. We have helped customers establish and maintain sustainable vulnerability and compliance solutions in their enterprise and cloud environments. Learn more about how NetCraftsmen can support your vulnerability management strategy with Craftsmen Assurance®.