When I was first assigned to manage Tenable, the only instruction I received was "make it work." There was no established process, asset inventory, or guidance. I decided not just to make it work, but to build a mature, automated, and audit-ready Vulnerability Management program from the ground up.
1. Discovery and Research
I began by collaborating with the Platform team to map out our entire GCP environment: projects, networks, VMs, clusters, and external IPs. I then explored the full Tenable feature set available under our license and integrated Cloud Connectors for automatic asset discovery. My research also covered the PCI DSS 4.x requirements for authenticated internal scans and external scans, which became the foundation of our compliance approach.
2. Process Design and Implementation
I designed and documented a full scanning and remediation process aligned with our Vulnerability Management Policy and Change Management Policy:
- Scheduled Scans: Monthly internal authenticated, external, GCP CIS, and GKE CIS scans, with SLAs tied to PCI DSS.
- On-Demand Scans: After significant infrastructure or application changes.
- Remediation Workflow: Findings triggered Jira tickets to the Platform team, followed by validation rescans and evidence storage for audits.
3. Automation and Scaling
As the environment grew, manual maintenance of the scan target lists became error-prone: a new VM or external IP that nobody added to a scan was simply never scanned. I developed an automated target acquisition system using:
- A Python Cloud Function that lists the current IPs and FQDNs via gcloud commands and updates the scan targets in Tenable via its API.
- A Terraform module (my first!) to deploy and manage the Cloud Function across projects.
This system removed the manual target maintenance that caused those errors, saved hundreds of work hours, and ensured every asset was always scanned on schedule, a critical control for PCI DSS and ISO 27001.
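The target-acquisition logic, as an added example rather than the program's own Cloud Function: it turns the JSON that `gcloud compute instances list`, `gcloud compute addresses list` and `gcloud dns record-sets list` print into an internal and an external target set, and builds the Tenable Vulnerability Management request that replaces a scan's targets. The sample inventories are constructed, the scan id and keys are placeholders, and the exact required fields of `PUT /scans/{scan_id}` (in particular `uuid`) should be checked against the current API documentation before use.

```python
"""Derive Tenable scan targets from gcloud inventory and build the API update.

Added example, not the original Cloud Function. Stdlib only; the gcloud and
Tenable network calls are wrapped in functions the offline demo never runs.
"""
import ipaddress
import json
import subprocess
import urllib.request

# Constructed sample in the shape of `gcloud compute instances list --format=json`.
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "web-1", "status": "RUNNING",
     "networkInterfaces": [{"networkIP": "10.0.1.5",
                            "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "db-1", "status": "RUNNING",
     "networkInterfaces": [{"networkIP": "10.0.2.9"}]},
    # A stopped VM still appears in the listing; it must not become a target.
    {"name": "old-batch", "status": "TERMINATED",
     "networkInterfaces": [{"networkIP": "10.0.3.3",
                            "accessConfigs": [{"natIP": "203.0.113.11"}]}]},
])

# Constructed sample in the shape of `gcloud compute addresses list --format=json`.
SAMPLE_ADDRESSES_JSON = json.dumps([
    {"name": "lb-ip", "address": "203.0.113.20", "addressType": "EXTERNAL", "status": "IN_USE"},
    {"name": "spare", "address": "203.0.113.21", "addressType": "EXTERNAL", "status": "RESERVED"},
    {"name": "ilb", "address": "10.0.9.1", "addressType": "INTERNAL", "status": "IN_USE"},
])

# Constructed sample in the shape of `gcloud dns record-sets list --format=json`.
SAMPLE_RECORDS_JSON = json.dumps([
    {"name": "app.example.com.", "type": "A", "rrdatas": ["203.0.113.20"]},
    {"name": "example.com.", "type": "MX", "rrdatas": ["10 mail.example.com."]},
])

# RFC 1918 check, used instead of ipaddress.is_private, which also flags the
# 203.0.113.0/24 documentation range used in the samples above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def run_gcloud(args):
    """Run a gcloud listing command and parse its JSON output (live use only)."""
    proc = subprocess.run(["gcloud", *args, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def collect_targets(instances, addresses, records):
    """Return (internal_targets, external_targets) from parsed gcloud output."""
    internal, external, fqdns = set(), set(), set()
    for inst in instances:
        if inst.get("status") != "RUNNING":
            continue
        for nic in inst.get("networkInterfaces", []):
            if nic.get("networkIP"):
                internal.add(nic["networkIP"])
            for cfg in nic.get("accessConfigs", []):
                if cfg.get("natIP"):
                    external.add(cfg["natIP"])
    for addr in addresses:
        if addr.get("status") != "IN_USE":      # reserved-but-unused IPs answer nothing
            continue
        (external if addr.get("addressType") == "EXTERNAL" else internal).add(addr["address"])
    for rec in records:
        if rec.get("type") in ("A", "AAAA"):
            fqdns.add(rec["name"].rstrip("."))
    # Guard against a mislabelled inventory: an RFC 1918 address in the external
    # set would make the external scan silently cover nothing for that host.
    bad = [ip for ip in external if is_rfc1918(ip)]
    if bad:
        raise ValueError(f"private address(es) in external target set: {bad}")
    ext_sorted = sorted(external, key=ipaddress.ip_address) + sorted(fqdns)
    return sorted(internal, key=ipaddress.ip_address), ext_sorted


def targets_from_json(instances_json, addresses_json, records_json):
    """Convenience wrapper over the raw JSON strings gcloud prints."""
    return collect_targets(json.loads(instances_json), json.loads(addresses_json),
                           json.loads(records_json))


TENABLE_URL = "https://cloud.tenable.com"


def build_scan_update(scan_id, template_uuid, targets, access_key, secret_key):
    """Describe the PUT /scans/{id} request that replaces a scan's target list.

    Targets go in settings.text_targets as a comma-separated string;
    template_uuid is the scan's existing template UUID (assumed required).
    """
    return {
        "method": "PUT",
        "url": f"{TENABLE_URL}/scans/{scan_id}",
        "headers": {"X-ApiKeys": f"accessKey={access_key};secretKey={secret_key}",
                    "Content-Type": "application/json", "Accept": "application/json"},
        "body": {"uuid": template_uuid, "settings": {"text_targets": ",".join(targets)}},
    }


def send(request):
    """Send a request built above (live use only; the offline demo never calls it)."""
    req = urllib.request.Request(request["url"], method=request["method"],
                                 headers=request["headers"],
                                 data=json.dumps(request["body"]).encode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    internal, external = targets_from_json(SAMPLE_INSTANCES_JSON, SAMPLE_ADDRESSES_JSON,
                                           SAMPLE_RECORDS_JSON)
    print("internal:", internal)
    print("external:", external)
    print(json.dumps(build_scan_update(42, "<template-uuid>", external, "<ak>", "<sk>"), indent=2))
```

Two choices matter in practice: stopped instances and reserved-but-unattached addresses are dropped, because scanning them only produces dead targets that hide real coverage gaps, and the external set is refused outright if it contains an RFC 1918 address, since that indicates the inventory (not the scanner) is wrong.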
4. Security and Compliance Enhancements
To prepare for DORA compliance, I introduced:
- Quarterly SSH key rotation for authenticated scans, using an Ansible playbook triggered via GitLab CI/CD.
- Quarterly Service Account key rotation using GCP's built-in mechanisms.
- The principle of least privilege applied to all Service Accounts and automation components.
5. Results and Impact
The result was a self-sustaining, compliant, and auditable Vulnerability Management system:
- Fully automated scan targeting and credential rotation.
- Reliable results and traceable remediation.
- Alignment with PCI DSS, ISO 27001, and DORA requirements.
- Minimal operational overhead with high assurance.
This project taught me to combine security operations, automation, and compliance into a cohesive program, and it remains in production today as one of the most stable and auditable parts of the company's security framework.