
What is a more effective approach to cyber defense: risk-based vulnerability management or vulnerability assessment?

In the past vulnerability assessment has been the primary approach used to detect cyber threats. 

Risk-based vulnerability management has become increasingly popular. 

How do each of these approaches work, and which do you think is more effective?

ITCS user
55 Answers


Vulnerability Assessment is a useful process, but it's still a snapshot of your security posture.

Risk-based Vulnerability Management is a dynamic, ongoing process as part of your cyber protection strategy, integrating with your installed systems, monitoring progress and taking your assets' criticality into consideration.


As soon as a vulnerability assessment is complete, it is obsolete. Your environment changes daily/weekly/monthly. Assessments are "a point in time". Vulnerability Management is continuous, and seems to me to be the better strategy.

Top 20 User

A risk-based approach is more effective, but we need to go beyond just risk-based vulnerability assessment. We need to take into account the impact on our business and brand reputation of data being compromised; we need to take into account whether we are getting better or worse at securing our data; and we need to be clear that we need continuous monitoring to maintain our security posture. We also want to see our risk score in an easily understandable way.

Real User

I think risk-based vulnerability management is the way to go, since you only try to solve those vulnerabilities that represent a real risk instead of just using the CVSS score. For example, when you use a risk-based approach you take into account the level of importance (based on business) of the system you are trying to protect.
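The point made in several answers above (weighting findings by business criticality and exposure instead of sorting on the raw CVSS score, and tracking whether the posture is getting better or worse) can be shown with a small scoring model. This is an added example, not code from the thread or from any of the products mentioned; the findings, the criticality tiers and the weights are constructed assumptions for illustration, not a published standard.

```python
"""Risk-based prioritisation of vulnerability findings (added example).

Assumptions (not from the original thread): each finding carries a CVSS base
score, a business-criticality tier for the asset, an internet-exposure flag and
a flag for whether exploitation is known. The multipliers are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    criticality: int       # assumed business tier: 1 (low) .. 4 (crown jewels)
    internet_facing: bool  # reachable from the internet
    exploit_known: bool    # exploitation observed or public exploit available


# Assumed weights: how much a given asset tier scales the raw CVSS score.
CRITICALITY_WEIGHT = {1: 0.4, 2: 0.7, 3: 1.0, 4: 1.3}
EXPOSURE_MULTIPLIER = 1.25
EXPLOIT_MULTIPLIER = 1.5


def risk_score(f: Finding) -> float:
    """Combine CVSS with business context into a single risk number."""
    score = f.cvss * CRITICALITY_WEIGHT[f.criticality]
    if f.internet_facing:
        score *= EXPOSURE_MULTIPLIER
    if f.exploit_known:
        score *= EXPLOIT_MULTIPLIER
    return round(score, 2)


def prioritise_by_cvss(findings):
    """Plain vulnerability-assessment ordering: highest CVSS first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def prioritise_by_risk(findings):
    """Risk-based ordering: highest contextual risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def aggregate_risk(findings) -> float:
    """Sum of risk scores; comparing two scans shows whether posture improved."""
    return round(sum(risk_score(f) for f in findings), 2)


def posture_delta(previous, current) -> float:
    """Negative means the environment got better between two scans."""
    return round(aggregate_risk(current) - aggregate_risk(previous), 2)


# Constructed sample findings (not real assets or CVEs).
FINDINGS = [
    Finding("F-1", "dev-test-vm", 9.8, 1, False, False),
    Finding("F-2", "payments-api", 7.5, 4, True, True),
    Finding("F-3", "hr-portal", 8.8, 3, True, False),
    Finding("F-4", "internal-wiki", 6.0, 2, False, True),
]


def main() -> None:
    print("CVSS-only order: ", [f.finding_id for f in prioritise_by_cvss(FINDINGS)])
    print("Risk-based order:", [(f.finding_id, risk_score(f)) for f in prioritise_by_risk(FINDINGS)])
    # Simulate the next scan: F-2 remediated, everything else unchanged.
    next_scan = [f for f in FINDINGS if f.finding_id != "F-2"]
    print("Posture delta:   ", posture_delta(FINDINGS, next_scan))


if __name__ == "__main__":
    main()
```

The CVSS-only ordering puts the 9.8 on a throwaway test VM first; the risk-based ordering puts the internet-facing payments system with a known exploit first even though its base score is lower, which is the difference the answers above describe.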

Top 5 Leaderboard Reseller

You are right that earlier vulnerability assessment was very basic and done in a reactive manner; after that a proactive manner was introduced, where it was used to compare against best practice and industry threats. But now, in this world of zero-day attacks, we really need a very advanced and risk-based vulnerability assessment solution. And in my opinion this tool needs to be based on AI and ML. It means the tool should contain the power of analytics & AI, real-time risk monitoring, report, verify & action.
