Vulnerability Management Maturity Model - VM3

Organizations are under attack, and data breaches have risen drastically over the last 5 years. According to a recent Ponemon Institute study [1], “Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data”, 91 percent of healthcare organizations have suffered at least one data breach since 2013. Further, a study [2] released by QuinStreet in April of 2015 reveals that 76 percent of organizations experienced a data breach in 2014. Recent intelligence released as part of the Verizon 2015 DBIR [3] reveals that, with regard to data breaches involving known vulnerabilities, “99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.”

This intelligence reveals organizations are not doing enough with respect to vulnerability management and highlights a strong need for organizations to learn and evolve their vulnerability management programs. This guide provides the means to achieve higher levels of vulnerability management maturity.

This whitepaper documents a Vulnerability Management Maturity Model (VM3) which organizations can use to gauge where they stand as well as to help guide them in their VM evolution. Its intended audience includes C-Level executive decision makers, as well as security practitioners at all organizational levels who are interested in understanding and controlling their security risk and evolving their VM process.