Solicit input from the various functional groups within your organization about issues such as the right times of day to carry out scans and which processes can't be interrupted.
4. Make sure you have the skills in place to leverage scanning technology. It's important to have inside experts to interpret scanning results, Wang says. "Many scanners yield many pages of results, and it takes experts days to go through the results," she says. "It is critical to have such expertise in-house."
Even if you're the person or group that "owns" the vulnerability scanning function, "if you work at a company of any size, you probably don't have comprehensive knowledge of every nook and cranny on that network, what applications are running and when, what kind of data is being managed and so on," Roberts says.
4. Make scanning an ongoing activity. "Just starting a [vulnerability] scanning program in itself isn't going to solve your security problems or make your IT organization more efficient," Roberts says. "In fact, in the short term it's going to give you a lot of new data and responsibilities to manage."
Over time, companies might need to tweak and refine scans to get the reports they need. "The visibility [scanning] will give you into your network (what hosts are running, their relative value and what their security posture is) will make it much easier for you to assess the overall security of your organization and to design programs and processes to address real versus perceived problems."