I used to have a TVM team. Threat & Vulnerability Management. The individuals in there had the word "Vulnerability" in their titles. It's how a lot of shops roll. TVM seemed to become a default piece of the "build a cyber shop playbook".
And if you survey big CISO organizations today, you'll still find a lot of TVM departments.
I'm not sure how this came to be, but I can't think any of us ever organically decided that we needed an individual - no less a team - specifically tasked with managing Threats and Vulnerabilities. It's a bizarre pairing. Threats are more strategic and aligned with setting the program mission. Are we in the crosshairs for state-sponsored actors during war time? Information thieves? Fraudsters? On a more tactical level, threat intelligence is about collecting specifics under that mission to inform red teaming or control tuning. But vulnerabilities are a totally unrelated animal. While vulnerabilities should be literal and include the full range of issues that can lead to exploitation including configuration errors, code mistakes, shortcomings in backgrounds checks, and so much more, I can say from experience that the industry uses the term narrowly to talk about the output from vulnerability scanners. That's it. And so we have these TVM teams that are really tasked with managing vulnerability scanners all day. That translates into wading through false positives, generating reports on the tool output, and harassing coworkers about patching.
But our internal customers have limited bandwidth and patience for security already, and when a TVM team comes knocking about a desktop patch that needs to be applied or shows a report of critical and high vulnerabilities last quarter with remediation status, the audience feels the security story is complete and doesn't stick around. They miss the exact same report from AppSec about the static code analysis tool results, and the slides about software composition analysis results. They miss the attack surface management presentation, and the cloud security posture management report. They certainly don't get to hear about the pen test results, or the findings from the last regulatory exam. We take the audience on the same emotional rollercoaster for every toolset, and then add and remove tools quarter to quarter to make it even more confusing.
What we really need is to stop talking about vulnerabilities, and start talking about risks. We need risk management - not vulnerability management. The "R" in Governance, Risk, & Compliance (GRC). "But we already have a risk management team," you say. "They just map our policy paragraphs to NIST framework citations and make useless heat maps comparing insider threat to malware".
Exactly. And there you have it. Risk Management needs to be technical enough to handle vulnerabilities, and vulnerability management needs to lose the "scanner jockey" mentality. Audit findings, red team results, bug bounty cases, SAST output and yes - even vuln scanner output need to flow through the same rubric, urgency calculation, remediation assignment, and reporting workflows. A good GRC team will not only tolerate that level of detail and technical work, but demand it.