Vulnerability Management: Weathering The Storm


The recent storms have reminded me of the value of having an effective vulnerability and remediation program. Following a weekend trip to London, I woke up this morning to discover the storm damage that had been caused to the roof of my new-build home (Summer 2016):

These storms appear to have ripped the fascias off the roof of my Persimmon-built home, but does this represent superficial damage, or could it be something more substantial or impactful?

Vulnerability Analysis and Resolution

In 2016, Carnegie Mellon University released their CERT Resilience Management Model (CERT-RMM) Collection, which includes dedicated content on the topic of Vulnerability Analysis and Resolution (VAR).

This explains the purpose of VAR as being:

“To identify, analyze, and manage vulnerabilities in an organization’s operating environment.”

and breaks down the goals and objectives of VAR:

Much like my roof situation, the first thing that I need to do is to prepare for the Vulnerability Analysis and Resolution.

VAR:SG1 Prepare for Vulnerability Analysis and Resolution

  • Scope.
    • Is this storm damage restricted to the roof fascia, or could it have further implications for other structures of my home?
  • Strategy.
    • How might I approach this?
      • Do it myself?
      • Bring in a roofing specialist?

Next, I need to understand and analyse the vulnerabilities that are associated with this storm damage.

VAR:SG2 Identify and Analyze Vulnerabilities

  • Sources of vulnerability information.
    • My first source of vulnerability information was gained when I first saw the storm damage.
    • My next source of information was the photographs that I have taken. By zooming in on the images, I can get a better idea of the potential implications of this storm damage.
  • Discover vulnerabilities.
    • Are the vulnerabilities limited to the roof fascia?
  • Analyze vulnerabilities.
    • Is this damage superficial, or could it lead to further damage or implications?
    • Do I need to get a roof specialist to come in and assess the storm damage?
    • Are there any more storms forecast?

Having an understanding of the vulnerabilities that are associated with this storm damage, I then need to plan on how I will manage the potential exposure to these vulnerabilities.

VAR:SG3 Manage Exposure to Vulnerabilities

  • Manage exposure to vulnerabilities.
    • Could this potentially superficial storm damage have further implications?
      • Could it have loosened any connecting roof tiles?
      • Could it allow water ingress, causing water damage to the property?
      • Could a roof tile have been loosened which, if it came away, could fall from the roof and seriously harm someone passing underneath?
    • Should I prioritize getting my roof damage fixed, or can this wait?
      • What was the feedback from the roof specialist?
      • What are the potential cost-benefits?

Finally, I need to understand the potential root cause and whether any remediation works will prevent future storms from causing similar damage.

VAR:SG4 Identify Root Causes

  • Perform root-cause analysis.
    • Was this storm damage caused by poor construction practices by the property development company (Persimmon Homes)?
    • Was this due to the location of the property?
      • Elevated position.
      • West-facing.
      • Open land to the west of the home.
    • Global warming.
    • Will any repairs effectively reduce the potential impact and the risk of recurrence, providing sufficient assurance?


Now, whilst I try to deal with this latest drama, why not have a look at your business' vulnerability management practices and evaluate how effective they might be at providing the context you need to prioritize your remediation efforts, so that the most impactful of the identified vulnerabilities get fixed first.

  • Do you understand your internet-facing (fascia) vulnerabilities and how they might impact the business or other associated/connected assets?
  • Could the fascia vulnerabilities expose your business to additional vulnerabilities (water ingress)?
  • Do you understand the role of each of your assets and how their associated vulnerabilities might impact your valued business operations?


As seen with the recent storm damage to my home, context is everything. As well as identifying any new and existing vulnerabilities, you need to understand what the affected assets do and how important they are to your valued business operations (aka Asset Definition and Management (ADM)).

Without this, it is extremely difficult to appreciate their importance and, as a result, vulnerabilities may go unremediated or may not be suitably prioritized for remediation.
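To make the point concrete, the following is an added, illustrative example (not part of the original post and not CERT-RMM tooling) of what "context" buys you in prioritization. It scores each finding not on its CVSS base score alone but on the criticality of the affected asset, whether that asset is internet-facing (the fascia), and the most critical asset reachable from it (the water-ingress path). The asset register, the finding identifiers (placeholders, not real CVEs) and the scoring weights are all constructed assumptions; the shape of the calculation is what matters.

```python
"""Context-aware vulnerability prioritisation (added illustration; weights are hypothetical)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int           # 1 (low) .. 5 (critical), as recorded in the asset register (ADM)
    internet_facing: bool      # the "fascia": directly exposed to the weather
    connects_to: tuple = ()    # assets reachable from this one: the "water ingress" path


@dataclass(frozen=True)
class Finding:
    finding_id: str            # constructed placeholder, deliberately not a real CVE identifier
    asset: str
    cvss: float                # CVSS base score, 0.0 .. 10.0
    exploit_available: bool    # a public exploit exists (another storm is forecast)


# Constructed sample asset register. The web gateway is only moderately critical itself,
# but it fronts the order database, so damage there can "let the water in".
ASSETS = {a.name: a for a in [
    Asset("web-gateway", criticality=3, internet_facing=True, connects_to=("order-db",)),
    Asset("order-db",    criticality=5, internet_facing=False),
    Asset("lab-vm",      criticality=1, internet_facing=False),
    Asset("hr-portal",   criticality=4, internet_facing=True),
]}

# Constructed sample scanner output. Note the highest CVSS sits on the least important asset.
FINDINGS = [
    Finding("VULN-0001", "lab-vm",      cvss=9.8, exploit_available=True),
    Finding("VULN-0002", "web-gateway", cvss=7.5, exploit_available=True),
    Finding("VULN-0003", "hr-portal",   cvss=6.5, exploit_available=False),
    Finding("VULN-0004", "order-db",    cvss=8.1, exploit_available=False),
]


def blast_radius(asset_name, assets, seen=None):
    """Highest criticality reachable from the asset, including the asset itself.

    Walks the connects_to graph; `seen` guards against cycles in the register.
    """
    if seen is None:
        seen = set()
    if asset_name in seen or asset_name not in assets:
        return 0
    seen.add(asset_name)
    asset = assets[asset_name]
    downstream = [blast_radius(n, assets, seen) for n in asset.connects_to]
    return max([asset.criticality] + downstream)


def priority_score(finding, assets):
    """CVSS weighted by reachable impact, exposure and exploit availability.

    Multipliers are hypothetical; an organisation would tune them to its own appetite.
    """
    asset = assets[finding.asset]
    exposure = 2.0 if asset.internet_facing else 1.0
    exploit = 1.5 if finding.exploit_available else 1.0
    impact = blast_radius(asset.name, assets)
    return round(finding.cvss * impact * exposure * exploit, 1)


def prioritise(findings, assets):
    """Return findings ordered from most to least urgent to remediate."""
    return sorted(findings, key=lambda f: priority_score(f, assets), reverse=True)


if __name__ == "__main__":
    for f in prioritise(FINDINGS, ASSETS):
        print(f"{priority_score(f, ASSETS):6.1f}  {f.finding_id}  {f.asset} (CVSS {f.cvss})")
```

Run as written, the internet-facing gateway with a 7.5 outranks the 9.8 on the isolated lab VM by a wide margin, because the gateway's exposure and its path to the order database count for more than the raw severity. Sorting by CVSS alone would have put the lab VM first.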

Consequently, having an effective ADM and VAR should be regarded as your organization's number 1 and number 2 priorities, in support of developing a proactive defensive strategy.