ABSTRACT

The structure and composition of an information technology or compliance organization can have a significant impact on the effectiveness of vulnerability management (VM). A capable program manager will be able to control the quality of each component and mediate the flow of feedback to keep the overall program on track. When the development of technology takes place in parallel with the organizational and procedural phases of the program, feedback must also flow upward, laterally, and downward. The feedback from the technology development program will inform the parallel organizational program. Since security is the ultimate goal of a VM system, it is natural that Security is a key participant and possibly the full owner and operator of the VM program. Human Resources is an instrumental part of the reporting process as well as the “stick” part of security policy. Another important type of policy pertains to the usage of the VM system itself. This policy would highlight key operational constraints.