
Vulnerability Management (VM) is not a terribly complex process to understand. Scan, evaluate, remediate, validate, then rinse and repeat forever. It can even be taught to people possessing only the desire to learn but otherwise lacking in technical skills and knowledge.
When starting out, I recommend placing your emphasis on developing successful behaviors rather than diving in head first and risking being overwhelmed by the breadth of knowledge and skill required. Successful Vulnerability Management is first and foremost a good habit.
If you come from an email-centric workplace, your first instinct is to pour a mug of coffee or breakfast tea before sitting down and firing up Outlook. That is a good habit for everyday work, but it is probably not a good habit for Vulnerability Management.
I recommend starting your VM practice early in the morning, about 6 AM. Later is not a deal breaker, but the idea is to give yourself a significant block of undisturbed time for a quality review and analysis of the most recent scan data.
Beginning your day by responding to an endless stream of email is almost certainly the path to ineffective Vulnerability Management practices, at least for the newcomer. There will be time for all of that after your risk-based VM (RBVM) analysis and remediation plans are done, about 11 AM.
When a relative newcomer to Vulnerability Management starts their day by reviewing scan data, you know you have established the two behaviors that matter most for succeeding in RBVM: consistency and focus. The rest can be learned, and the repertoire of knowledge built up over time.
Old habits tend to die hard when you are cross-training an experienced hand from another arena. Try scheduling top-of-the-morning meetings with them to review vulnerability scans. The question to ask, every time, is: what can you do today, or plan for tomorrow, that will move the needle?
Practice makes permanent. Sit with newcomers and review scan data together. You might say, "I see 5 vulnerabilities that we could remediate today. Can you identify them?", then walk through the logic and discuss aspects of the problem and the solution. This is the basis of practical RBVM.
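To make the "five we could remediate today" exercise concrete, here is a small triage script, added as an illustration and not part of the original post. It ranks constructed scan findings by a simple risk score and splits them into today / plan / backlog buckets. The field names, the weights, the 9.0 threshold, the sample hosts and findings, and the `known_exploited` and `asset_tier` inputs are all assumptions made for the example; a real RBVM program would feed these from its scanner export, asset inventory and an exploitation catalogue rather than hard-coding them.

```python
"""Risk-based triage of vulnerability scan findings (added example).

Everything below is constructed for illustration: the scoring weights are
not a standard, and the sample findings are not real hosts or results.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str            # scanner check name (constructed)
    cvss: float            # CVSS base score as reported by the scanner
    known_exploited: bool  # present in an exploitation catalogue (assumed feed)
    internet_facing: bool  # from the asset inventory (assumed)
    asset_tier: int        # 1 = crown jewel, 2 = important, 3 = low value (assumed)
    fix_available: bool    # vendor patch or configuration change exists
    first_seen_days: int   # how long the finding has been open in scan history


def risk_score(f: Finding) -> float:
    """Higher is worse. Weights are illustrative assumptions, not a standard."""
    score = f.cvss
    if f.known_exploited:      # active exploitation outweighs raw severity
        score += 4.0
    if f.internet_facing:      # reachable by anyone, not just insiders
        score += 2.0
    score += {1: 2.0, 2: 1.0, 3: 0.0}[f.asset_tier]
    # Findings that have sat in the queue for months are an SLA problem too,
    # so age adds up to two points (capped at 60 days).
    score += min(f.first_seen_days / 30, 2.0)
    return round(score, 2)


def triage(findings, today_capacity=5, urgent_threshold=9.0):
    """Split findings into the three buckets the morning review produces.

    today   - highest-risk findings with a fix available, up to capacity
    plan    - urgent but blocked (no fix yet, needs a change window) so they
              go on tomorrow's plan or get a documented exception
    backlog - everything else, handled on the normal remediation cycle
    """
    ranked = sorted(findings, key=risk_score, reverse=True)
    today, plan, backlog = [], [], []
    for f in ranked:
        urgent = risk_score(f) >= urgent_threshold
        if urgent and f.fix_available and len(today) < today_capacity:
            today.append(f)
        elif urgent or f.known_exploited:
            plan.append(f)
        else:
            backlog.append(f)
    return {"today": today, "plan": plan, "backlog": backlog}


# Constructed sample scan data; not real hosts, products or findings.
SAMPLE = [
    Finding("web-01", "OpenSSL outdated", 7.5, True, True, 1, True, 3),
    Finding("web-01", "TLS 1.0 enabled", 5.3, False, True, 1, True, 120),
    Finding("db-02", "RCE in DB listener", 9.8, True, False, 1, False, 1),
    Finding("hr-laptop-7", "Browser out of date", 8.8, True, False, 3, True, 10),
    Finding("print-03", "SNMP default community", 6.5, False, False, 3, True, 400),
    Finding("jump-01", "SSH weak ciphers", 4.3, False, True, 2, True, 15),
    Finding("app-04", "Deserialization RCE", 9.1, False, False, 2, True, 2),
    Finding("vpn-01", "VPN appliance auth bypass", 9.8, True, True, 1, True, 0),
]


if __name__ == "__main__":
    buckets = triage(SAMPLE)
    for name, items in buckets.items():
        print(f"== {name} ({len(items)}) ==")
        for f in items:
            print(f"  {risk_score(f):5.2f}  {f.host:<12} {f.plugin}")
```

Note what the buckets teach: the highest-scoring finding (the database RCE) does not land in "today" because there is no fix to apply yet, so it goes on the plan for an exception or a compensating control, while a stale TLS 1.0 finding on an internet-facing crown jewel outranks a fresh, higher-CVSS finding on an internal host. That is the kind of logic to walk through with a newcomer rather than simply sorting by CVSS.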