Hard2bit

Financial services · Vulnerability management

A vulnerability management programme at a financial services company

A European financial services company operating in Spain has run our continuous vulnerability management programme for three years: recurring scanning of infrastructure and applications, prioritisation by real risk, remediation coordinated with its teams and suppliers, and a monthly committee with metrics management actually understands. Critical vulnerabilities open beyond 30 days are now the exception, not the rule.

Sector

Financial services

Size

European company · operating in Spain

Service

Continuous vulnerability management

Scope

infrastructure + applications

Duration

3 years (ongoing)

Outcome

criticals >30 days ≈ 0 · SLAs met

The starting point

The company was not starting from zero: there were scans, there were reports and there was goodwill. What there was not was a process. Scans ran on an irregular basis, results arrived as lists of hundreds of findings sorted by technical severity — with no distinction between an internet-facing server and an isolated test machine — and remediation depended on some internal team finding a gap between its own priorities. The outcome was the familiar one: critical vulnerabilities sitting open for months, and nobody able to say how many, since when, or whose they were.

In a financial business that is not merely a technical problem: it is a risk that regulators, auditors and institutional clients ask about in writing. The company needed to move from scanning occasionally to managing continuously — with deadlines, owners and metrics it could put on the table.

How we approached it

  1. Inventory and baseline — before scanning better, know what is being scanned: an inventory of infrastructure and applications, identification of internet-facing assets and of those underpinning critical business processes, and a first complete picture of the real state of play. That baseline set the severity-based remediation SLAs that have governed the programme ever since.
  2. Recurring scanning of infrastructure and applications — monthly cycles across the whole estate, with a tighter cadence on the exposed perimeter and additional runs after significant changes. No annual snapshots: the estate changes every week and vulnerabilities are published every day.
  3. Prioritisation by real risk, not by raw CVSS — every finding is weighed through three lenses: technical severity, exposure (is it reachable from the internet, and from where?) and business context (which process does the asset underpin?). A critical on an isolated machine can wait; a medium on the business perimeter cannot. That short, ordered list is what gets worked — not a several-hundred-line dump nobody reads.
  4. Remediation coordinated with internal teams and suppliers — every prioritised vulnerability leaves with an owner, an SLA-based deadline and the technical detail whoever patches needs. We coordinate: chasing overdue items, escalating blockers, documenting compensating mitigations where a patch is not viable, and verifying every closure in the next cycle.
  5. A monthly committee with metrics management understands — every month, a follow-up committee with the figures that matter: exposure time by severity, SLA compliance, backlog age and accepted risks pending review. In business language, with decisions on the table — not a technical annex nobody opens.
  6. Continuous improvement of the programme itself — SLAs are reviewed against each year's data, false positives feed back into scan tuning, and each cycle's lessons — which supplier is slow, which platform concentrates findings — become preventive actions. The third-year programme detects better and interrupts less than the first-year one.

Results

≈ 0

critical vulnerabilities open beyond 30 days: from months of exposure to practically none

3 years

of continuous programme with remediation SLAs met

12/12

annual follow-up committees held: stable governance, not a one-off project

The most visible change sits in the metric that actually protects: exposure time. Critical vulnerabilities that used to sit open for months are now resolved within SLA, and the ones that do exceed 30 days can be counted on one hand — each with its compensating mitigation documented and its review date set. When an auditor or an institutional client asks, the answer is no longer improvised: it is printed.

The less visible change is cultural. Three years and twelve annual committees later, vulnerability management has stopped being a project with a beginning and an end and become part of how the company is governed: management knows its figures, teams know their deadlines, and the programme survives holidays, workload peaks and staff changes — which is exactly what a process is supposed to do.

What made it work

  • Vulnerability management is a continuous process, not an annual scan: the estate changes every week and vulnerabilities are published every day.
  • Without involving those who fix — internal teams and suppliers —, the report dies in an inbox. Coordination is half the service.
  • The metric that protects is exposure time, not finding count: a thousand vulnerabilities closed in days are less frightening than ten criticals open for six months.

Frequently asked questions

What is the difference between a vulnerability scan and a management programme?

A scan is a snapshot: it lists what exists at one moment and dies in a PDF. A management programme is a continuous process with owners, deadlines and governance: recurring scanning, prioritisation by real risk, remediation coordinated with the people who have to execute it, verification that what was fixed stays fixed, and metrics that evolve month by month. The practical difference is simple: a scan tells you how many problems you have; a programme makes sure you have fewer every month — and that the worst ones stay open for less time.

How often do you scan, and who fixes the vulnerabilities?

Scanning is recurring — monthly as a baseline, with tighter cycles on internet-facing assets and additional runs after significant changes — and covers both infrastructure and applications. Remediation is executed by those who know each system: the client's internal teams and their suppliers. Our role is to make that happen: we prioritise, assign with severity-based deadlines, provide the technical detail whoever patches needs, chase overdue items and verify closure. Without that coordination, the most brilliant report fixes nothing.

What metrics do you report to management?

The ones that measure exposure, not activity: mean time to remediate by severity, compliance with remediation SLAs, backlog age and the trend of open critical vulnerabilities — especially those past 30 days, which is where real risk lives. At the monthly committee those metrics are presented in business language: what risk has been removed, what remains open and why, and which decisions need management. An executive does not need to know how many CVEs there are: they need to know how long their company stays exposed.

What happens with vulnerabilities that cannot be patched?

They are treated, not ignored. When a patch does not exist, breaks an application or depends on a supplier who will not deliver in time, compensating mitigations are applied — segmentation, filtering rules, configuration hardening, reinforced monitoring — reducing exploitability even though the vulnerability remains. And if residual risk is accepted, it is accepted in writing: who accepts it, why, until when and under what review conditions. A documented, accepted risk is a business decision; an ignored one is a surprise waiting for a date.

Related services

How long have your criticals been open?

If you cannot answer with a number, your scan is not a programme. We build continuous vulnerability management with risk-based prioritisation, coordinated remediation and metrics that management — and the auditor — understand.