Vulnerability Management is an essential role in any organisation. Depending on the size of an organisation, this role could be working individually or as part of a larger vulnerability management or cyber security team. 

At the junior level in Vulnerability Management responsibilities could include: 

• assisting the team in looking for potential vulnerabilities in the organisation’s systems 
• using investigative and analytical skills to the full 
• Growing expertise and expanding knowledge at the same time 

• opportunities to be involved in many projects, programmes and initiatives across an organisation 

With more experience, these responsibilities may include: 

• conducting and interpreting vulnerability scans 
• involved with the team responding to security incidents 
• working out the root causes of incidents and collating the lessons learnt 

• driving fundamental change within the organisation by helping to develop security initiatives 

Vulnerability Management protects information systems and assets by identifying and closing off vulnerabilities in devices, systems and networks. 

In detail, you may: 

• stay up to date with reports of vulnerabilities in ff-the-shelf software and hardware 
• research potential vulnerabilities in the organisation’s systems 
• identify and prioritise vulnerabilities 

• propose and implement mitigations for identified vulnerabilities 
• work on different projects such as patch compliance and sector-specific compliance (for example, with PCI-DSS standards) 
• work with our internal and external Certifying Authorities (CA) 
• configure ADFS and remote access solutions 
• run network and application vulnerability scans 

• provide support to and work directly with clients on vulnerabilities 
• write and deliver client reports 

Job Titles 

For Vulnerability Management roles, titles include: 

• Cyber Security - Vulnerability Manager  

• Vulnerability Management Analyst  
• Vulnerability Scanning Specialist  
• Infrastructure Engineer SCCM/Vulnerability Remediation 
• Infrastructure Analyst - Vulnerability Management 
• IT Specialist Info Security 

For more experienced Vulnerability Management roles, titles include: 

• Senior/Lead Threat and Vulnerability Analyst  
• Senior/Lead IT Security Analyst - Vulnerability Management 

Salaries 

A Vulnerability Management role could earn between £30,000 and £70,000. The median figure in March 2021 was £39,000. 

A senior Vulnerability Management role could earn between £50,000 and £95,000. The median figure in March 2021 was £68,000. 

These figures are dominated by the salaries for jobs in the large cities in the UK; salaries elsewhere may be lower. 

The salary ranges are based on job vacancy advertisements published online in March 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk. 

Each of the 16 specialisms are based on knowledge areas within CyBOK.  

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Cyber Security Governance & Risk Management 

Core knowledge – you will need a very good understanding of these areas 

Security Operations & Incident Management  

The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence. 

Web & Mobile Security 

Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models. 

Related knowledge – you will need a solid understanding of these areas 

Malware & Attack Technologies 

Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches. 

Adversarial Behaviours 

The motivations, behaviours and methods used by attackers, including malware supply chains, attack vectors, and money transfers.  

Network Security 

Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security. 

Wider knowledge – these areas will help to provide context for your work 

Risk Management and Governance 

Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation. 

Skills 

Personal attributes 

• an inquisitive nature and a problem-solving approach 
• prioritises work and escalates issues appropriately 
• interpersonal skills enabling effective interaction with technical and non-technical teams 

• verbal and written communication skills 
• evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

Specialist skills 

• interpreting, analysing, and reporting information/data security events and anomalies in accordance with Information Security directives 
• assessing new vulnerabilities, investigating solutions, and recommending controls to minimise risks that could arise 

• operating network intrusion detection, forensics, network access control, and other information security systems 
• troubleshooting and resolving failed patch installations and SCCM automation jobs 
• configuring and troubleshooting networks 
• using network and application scanning tools and utilities, such as SCCM, Nexpose Rapid 7, HP WebInspect, HCL AppScan, Nessus, Burp Suite and NMAP 
• configuring encryption protocols and algorithms 

• onboarding and decommissioning devices 
• maintaining an asset database 

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs) 

E2 – Secure Operations & Service Delivery 

Principles: 

• securely configures and maintains information, control and communications equipment in accordance with relevant security policies, standards and guidelines 
• this includes the configuration of Information Security devices (e.g., firewalls) and protective monitoring tools (e.g., SIEM) 
• implements security policy (e.g., patching policies) and Security Operating Procedures in respect of system and/or network management 
• undertakes routine technical vulnerability assessments 
• maintains security records and documentation in accordance with Security Operating Procedures 

• administers logical and physical user access rights 
• monitors processes for violations of relevant security policies (e.g., acceptable use, security, etc.) 

F1 – Intrusion Detection and Analysis 

Principles: 

• monitors network and system activity to identify potential intrusion or other anomalous behaviour 

• analyses the information and initiates an appropriate response, escalating as necessary 
• uses security analytics, including the outputs from intelligence analysis, predictive research and root cause analysis in order to search for and detect potential breaches or identify recognised indicators and warnings 
• monitors, collates and filters external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes 
• ensures that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available 
• produces warning material in a manner that is both timely and intelligible to the target audience(s) 

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

Experience 

Any role which carries out research, closely analyses a situation or event, and shares findings with colleagues may provide a foundation, with additional specialist training, for moving into Vulnerability Management. 

Such roles include: 

• police services: detection and intelligence roles 
• military services: intelligence analysts 
• business assurance 
• communications engineers 

Linked Specialisms 

• Digital Forensics 
• Incident Response 
• Cyber Threat Intelligence 
• Network Monitoring and Intrusion Detection 

Moving On 

From a role in Vulnerability Management, you might move into another cyber security specialism, such as: 

• Incident Response 
• Cyber Threat Intelligence 

• Digital Forensics 
• Cyber Security Governance & Risk Management 

With experience, you may become a Senior Vulnerability Manager or Analyst. 

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training