More about a career in Vulnerability Management
If you're passionate about IT security, then working in vulnerability management is an interesting and essential role in any organisation. You might work as a solo practitioner or as part of a larger vulnerability management or cyber security team.
At a junior level, you probably work under supervision, assisting the team in looking for potential vulnerabilities in the organisation's systems. You use your investigative and analytical skills to the full, growing your expertise and expanding your knowledge at the same time. There may be opportunities to be involved with many projects, programmes and initiatives across your organisation, as well as within the cyber team itself.
As a more experienced practitioner, you conduct and interpret vulnerability scans. You're probably involved with the team responding to security incidents, working out the root causes of incidents and collating the lessons learned. You drive fundamental change within the organisation by helping to develop security initiatives; this may include briefing and educating other teams within the organisation on vulnerabilities and solutions to them, or mentoring junior team members.
You may be responsible for providing reports to clients on their systems’ vulnerabilities, turning technical analysis into something that non-technical readers can understand.
Overall, you will help protect information systems and assets by identifying and closing off vulnerabilities in devices, systems and networks.
In detail, you might:
- stay up to date with reports of vulnerabilities in ff-the-shelf software and hardware
- research potential vulnerabilities in the organisation’s systems
- identify and prioritise vulnerabilities
- propose and implement mitigations for identified vulnerabilities
- work on different projects such as patch compliance and sector-specific compliance (for example, with PCI-DSS standards)
- work with our internal and external Certifying Authorities (CA)
- configure ADFS and remote access solutions
- run network and application vulnerability scans
- provide support to and work directly with clients on vulnerabilities
- write and deliver client reports
Some organisations have a dedicated cyber security team and, depending on the organisation's size, may have a threat/vulnerabilities management team within that. Smaller organisations may have only one more experienced individual to look after all their cyber security requirements, including Vulnerability Management.
- is likely to be part of a team of mixed cyber security specialists
- assists with tracking and assessing vulnerabilities and managing the closure of vulnerabilities which create risks for the organisation
A senior practitioner:
- provides information and advice to other specialist and internal/external teams, generating awareness of cyber vulnerabilities and their solutions
- helps, as a team leader, provide career development and guidance to junior analysts
- an inquisitive nature and a problem-solving approach
- prioritises work and escalates issues appropriately
- interpersonal skills enabling effective interaction with technical and non-technical teams
- verbal and written communication skills
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
- interpreting, analysing, and reporting information/data security events and anomalies in accordance with Information Security directives
- assessing new vulnerabilities, investigating solutions, and recommending controls to minimise risks that could arise
- operating network intrusion detection, forensics, network access control, and other information security systems
- troubleshooting and resolving failed patch installations and SCCM automation jobs
- configuring and troubleshooting networks
- using network and application scanning tools and utilities, such as SCCM, Nexpose Rapid 7, HP WebInspect, HCL AppScan, Nessus, Burp Suite and NMAP
- configuring encryption protocols and algorithms
- onboarding and decommissioning devices
- maintaining an asset database
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
E2 – Secure Operations & Service Delivery
- securely configures and maintains information, control and communications equipment in accordance with relevant security policies, standards and guidelines
- this includes the configuration of Information Security devices (e.g., firewalls) and protective monitoring tools (e.g., SIEM)
- implements security policy (e.g., patching policies) and Security Operating Procedures in respect of system and/or network management
- undertakes routine technical vulnerability assessments
- maintains security records and documentation in accordance with Security Operating Procedures
- administers logical and physical user access rights
- monitors processes for violations of relevant security policies (e.g., acceptable use, security, etc.)
F1 – Intrusion Detection and Analysis
- monitors network and system activity to identify potential intrusion or other anomalous behaviour
- analyses the information and initiates an appropriate response, escalating as necessary
- uses security analytics, including the outputs from intelligence analysis, predictive research and root cause analysis in order to search for and detect potential breaches or identify recognised indicators and warnings
- monitors, collates and filters external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes
- ensures that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available
- produces warning material in a manner that is both timely and intelligible to the target audience(s)
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Any role in which you carry out research, closely analyse a situation or event, and share findings with colleagues may provide a foundation, with additional specialist training, for moving into Vulnerability Management.
Such roles include:
- police services: detection and intelligence roles
- military services: intelligence analysts
- business assurance
- communications engineers
Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.
Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.
As an experienced practitioner in a Vulnerability Management role, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail. You're most likely to have a very good understanding of the Core Knowledge, which is essential to performing the role. You may still need a good understanding of the Related Knowledge but not to quite the same degree. You may need much less detailed understanding of the elements of Wider Knowledge, which provides context for your work.
Coming into such a role, you will not be expected to have all his knowledge initially.
The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.
Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches.
The motivations, behaviours and methods used by attackers, including malware supply chains, attack vectors, and money transfers.
Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.
You may get started in this specialism as an apprentice.
Alternatively, you may start as a graduate, with a degree in:
- cyber security or information security
- computer science/engineering
- IT/communication systems engineering; or
- a similar discipline requiring strong research and analysis skills
Or, you may transition into this specialism from another specialist cyber security or IT roles, such as:
Practitioner roles may be titled:
- Cyber Security - Vulnerability Manager
- Vulnerability Management Analyst
- Vulnerability Scanning Specialist
- Infrastructure Engineer SCCM/Vulnerability Remediation
- Infrastructure Analyst - Vulnerability Management
- IT Specialist Info Security
Senior practitioner roles may be titled:
- Senior/Lead Threat and Vulnerability Analyst
- Senior/Lead IT Security Analyst - Vulnerability Management
A vulnerability management practitioner might earn between £30,000 and £70,000. The median figure in March 2021 was £39,000.
A senior vulnerability management practitioner might earn between £50,000 and £95,000. The median figure in March 2021 was £68,000.
These figures are dominated by the salaries for jobs in the large cities in the UK ; salaries elsewhere may be lower.
The salary ranges are based on job vacancy advertisements published online in March 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk.