The Vulnerability Audit Episode
Transcript
Introduction to the Guest and Topic:
Host Allie Krings introduces Michael Petucci, a Senior Information Security Auditor at Kirkpatrick Price. The conversation focuses on vulnerability management, particularly how organizations identify, monitor, and remediate risks across their systems. Michael shares his background, explaining that he brings over 25 years of experience in healthcare IT and security, including time spent on the other side of audits as a network manager and IT director before transitioning into auditing to help a broader range of organizations.
What Is Vulnerability Management?:
Vulnerability management is an ongoing process that involves continuously monitoring, assessing, and improving the security of systems. It goes beyond simply installing antivirus software and includes ensuring systems are updated, patched, and properly configured. It requires organizations to evaluate both hardware and software across their entire environment.
What Does Vulnerability Management Look Like Up Close?:
For Individuals: Many people assume they are protected once they install antivirus software, but true security requires ensuring systems are regularly updated, scans are running properly, and devices are not using outdated hardware or operating systems.
For Companies: Organizations must maintain a complete view of their environment, including endpoints, servers, network infrastructure, and hardware. Vulnerability management includes monitoring all of these components and ensuring they are updated and secured as part of a broader, continuous process.
What Are the Biggest Gaps in Compliance?:
A major gap occurs when organizations do not have a complete inventory of their assets. Many focus only on visible endpoints like laptops and phones, while overlooking servers, network devices, and other infrastructure components.
Another common issue is “out of sight, out of mind,” where decision-makers are unaware of certain systems or infrastructure that still need to be protected. This lack of visibility creates vulnerabilities that can be exploited.
How Should Organizations Assess Their Systems?:
Organizations should begin by creating a full inventory of all assets. As Mike explains, “you can’t protect what you don’t know you have.” Once identified, auditors take samples of these assets to validate whether they are properly maintained, patched, and monitored according to policy.
Auditors also verify whether organizations are actually following their documented processes, such as patching schedules, antivirus updates, and scanning routines.
What Are the Best Practices for Vulnerability Management?:
Best practices depend on an organization’s risk tolerance but generally include regular patching and testing. Updates should be tested on a small subset of systems before being rolled out widely to avoid disrupting operations.
At a minimum, operating systems should be updated monthly, and critical or high-risk vulnerabilities should be addressed within 30 days.
How Should Vulnerabilities Be Prioritized?:
Vulnerabilities are prioritized based on severity. Critical and high-risk issues should typically be remediated within 15–30 days, while medium and low-risk issues can follow longer timelines depending on organizational policies.
This prioritization ensures the most serious threats are addressed first while still maintaining progress on less urgent issues.
Why Is Continuous Monitoring Critical?:
Cyber threats evolve constantly. Hackers are continuously developing new methods to exploit systems, meaning organizations cannot rely on periodic checks alone. Security must be an ongoing effort because attackers are actively trying to bypass protections at all times.
How Has the Industry Evolved?:
One of the biggest changes is increased awareness. Both organizations and individuals are becoming more conscious of cyber threats, driven by frameworks that require regular training and by real-world risks like ransomware and identity theft. This growing awareness has led to more mature security programs and stronger emphasis on protecting sensitive data.
What Advice Applies to Everyday Users?:
Don’t Click Unfamiliar Links: One of the most important pieces of advice is to avoid clicking on suspicious links in emails, texts, or social media posts. Many attacks rely on tricking users into interacting with malicious links.
Verify Through Trusted Channels: Instead of clicking on a link, users should contact organizations directly using known phone numbers or official websites to confirm whether a message is legitimate.
Think Before Acting: Users should pause and evaluate whether a message makes sense, such as questioning unexpected bills, alerts, or requests for information.
How Can Companies Ensure Compliance?:
Organizations must establish clear policies around vulnerability management, including patching schedules, monitoring practices, and testing procedures. Auditors then validate whether these policies are being followed in practice.
Compliance also requires aligning practices with industry standards and best practices, ensuring that processes are not only documented but effectively implemented across the organization.
Notes
In this episode, host Allie Krings sits down with Michael Petucci, Senior Information Security Auditor at KirkpatrickPrice, who brings over 25 years of experience in healthcare, IT, and security to the conversation. What does vulnerability management actually look like from an auditor’s perspective? Michael walks through how he approaches an audit, why organizations are often surprised by what they find in their own asset inventory, and what best practices actually look like when it comes to patching, prioritizing, and staying ahead of threats. Plus — his number one piece of advice for everyday people trying to protect themselves online. Spoiler: don’t click.
At KirkpatrickPrice, we’re on a mission to help 10,000 organizations raise the bar for cybersecurity and compliance. Join Our Cybersecurity Mission. If you’re going to invest in an audit, it should deliver real value. That’s why we partner with you from audit readiness to final report, ensuring you get the assurance you deserve.
Ready to strengthen your security and compliance posture? Connect with an expert today and learn how we can help you meet your toughest goals.
Send a Question
Do you have a question for our podcast? Send it to us here.