I know, boring topic. Just part of IT and Security operations. Nothing sexy here. It’s way more fun to think about how to beat those nasty, mean APTs, how to actively detect malware on your network, how to do fancy risk management presentations.
But there are two things that are part of your reality, information security people, that make Threat & Vulnerability Management an imperative for you if you wish to succeed.
First, all the “basics” of security are part of the CISO’s “below the line” activity. Below the line activity is the activity that is just your job. The rest of your organization realizes it exists, realizes it is important and expects you to do it. The CEO does not care about your patching metrics, he or she just wants it done. If you fail at this and it leads to a major problem, your job is in serious jeopardy.
Second, because most organizations are not doing a particularly good job with vulnerability management (and therefore patching), the bad guys are exploiting you wi…

