Blog post

The New Vulnerability Management Guidance Framework

By Augusto Barros | October 25, 2019 | 8 Comments

vulnerability managementSecurity Operations for Technical Professionals

After a huge delay I can finally announce that the new version of our Vulnerability Management Guidance Framework is out! Although it is a refresh of a document that has gone through many updates (even before my Gartner time), this one has some very nice new stuff to mention. First, we refreshed our VM cycle and it’s closer to the reality of most organizations now:

This versions includes a revamped prioritization section, as well as some additional content on vulnerability assessment options. In the past we left most of the VA content for another document, but now it’s back to the VM guidance.

Some interesting pieces of this version:

  • One of the most common ways to fail at VM is by simply sending a report with thousands of vulnerabilities to the operations team to fix. Successful VM programs leverage advanced prioritization techniques and automated workflow tools to streamline the handover to the team responsible for remediation.
  • Organizations adopting DevOps practices must adopt an approach integrated to continuous integration/continuous delivery (CI/CD) cycles and addressing issues at preproduction stages.
  • Include the identification of underlying issues as one of the main objectives of the VM process. Although it is still important to find and address individual vulnerabilities, VM should also provide insight into areas that need to be improved in the organization’s security posture.
  • [On VA scanning frequency] The ultimate frequency goal should reflect the value of providing refreshed vulnerability data to consumer processes, such as patching and security monitoring. If those processes will not benefit from more frequent scans, there is really no point in trying to achieve a higher frequency.
  • Mitigation can often be the first line of defense, especially if it can be implemented quickly. However, mitigated vulnerabilities are not gone. They still need to be fixed eventually.
  • All exceptions must have an expiration date. Do not allow indefinite exceptions.

In general, it’s a far clearer document and easy to read now. Thanks Anna Belak for your magical wordsmithing powers!

We are always looking for detailed feedback on our papers. Feel free to drop some comments here if you read the doc.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Leave a Comment


  • Vishwesh says:

    How can we improve the patch process from operation /server team,as they depend only on SCCM. Which will identify the missing KB and patch,but it left behind the registty fixes recommend by Ms.

    In some cases , DLL or registry not updated after patching . Still the tool will report vulnerability .

    Application patching remain question to most of the org, as no clear owenship.

  • Mreetyunjaya says:

    Its wonderful representation of Vulnerability Management , if we move the assign value to the pre work phase may add more value on what to assess

  • Chris Farrell says:

    Would it be possible to change this document’s settings to make it available for individual purchase? Would very much like to read it, but it’s not available on my Gartner subscription.

  • michael mosca says:

    How do we get access to the Vulnerability Management Guidance Framework

    • Augusto Barros says:

      Michael, it is available to those with a Gartner For Technical Professionals subscription. Check in your organization what type of Gartner services you have access to.