Managing vulnerabilities should not only be the responsibility of the security team as it also requires an all-round team effort. Stephen Roostan, VP EMEA at Kenna Security, explains how CIOs and their teams should focus on five core tactical priorities.
CIOs work against the backdrop of constantly shifting priorities. Not only must they help their organisations to grow and succeed, but they must also deal with a plethora of technology challenges with limited budgets and constant pressure to deliver. For example, protecting IT infrastructure and the enterprise stack from cyberthreats is a multifaceted issue all on its own.
But despite these responsibilities, Vulnerability Management (VM) is often quite low down on the list of CIO worries or is often viewed as something that the security team owns but passes over to the IT teams to fix. However, managing vulnerabilities is not only the responsibility of the security team, but it also requires an all-round team effort, based on cross-functional collaboration across the organisation and backed by intelligent technology tools. In particular, CIOs and their teams should rely on five core tactical priorities:
- Don’t try to fix everything
It’s no exaggeration to say that the average enterprise will have millions of Common Vulnerabilities and Exposures (CVEs). The sheer scale of the issue means that no organisation, no matter how well determined or effective in its approach, can possibly deal with them all. Fortunately, not every vulnerability poses a specific risk to data, digital assets or the organisation in general, so many of them don’t need to be actively addressed.
In practical terms, less than 5% of all CVEs pose a legitimate risk in that they are both observed within organisations and known to be exploited by ‘bad actors’. The problem is that many IT and security teams expend considerable effort in trying to fix vulnerabilities that actually pose no risk. While many scanners and application assessment tools are useful for finding potential exposures, the huge lists they often produce can be extremely counterproductive in isolating those that actually matter. How, for instance, do they assess which pose the greatest risk across an organisation’s own unique IT environment? IT and development can’t possibly fix all of them, so which should be addressed first?
Adopting a risk-based approach that provides the right insights tuned to each business means IT doesn’t have to try fixing absolutely everything.
- Focus on efficiency
Anybody with experience of Vulnerability Management may be familiar with the seemingly endless meetings required to decide which risks to remediate. The conflict this creates can also stand in the way of efficient IT, Security and DevOps teams, and outdated tools and processes that can’t assimilate all the incoming vulnerability data or accurately prioritise fixes only adds to the sense of inertia.
Determining the specific level of risk for each asset or application involves a vast amount of data. Billions of data points must be correlated and analysed to provide the context necessary to understand the true risk that an asset faces. This is no task for humans. Whereas combining data science and Machine Learning in real-time with a Risk-Based Vulnerability Management (RBVM) approach balances multiple issues – from the relative importance of vulnerabilities and the likelihood they’ll be weaponised, to their potential impact on assets and applications. This releases security teams from the daily overhead of providing huge lists of vulnerabilities to IT, who in turn, can concentrate on the top fixes which frees up time to work on more strategic tasks in a valuable win-win for all stakeholders in the VM process.
- Adopt a common definition of ‘risk’
Across the varied IT functions, risk can mean different things to different teams. In security, for example, it often means reducing risk by increasing the volume of patching across vulnerabilities that may be weaponised, even if that causes complications for those working across other functions. Yet, for core IT teams, reducing risk refers to issues that might impact their ability to deliver services to the organisation and its customers.
These two perspectives can often be incompatible, with emphasis on security impacting the workload of the remediation and dev teams. However, adopting a common definition or shared language around risk can help all stakeholders to assess the real likelihood that an exploit will impact high risk vulnerabilities. Not only does this ensure that RBVM programmes are more efficient, but it balances effort more effectively: security provides accurate, timely analysis that enables IT to prioritise remediation alongside meeting the business needs of the organisation.
- Take control
A remediation strategy that emphasises effective prioritisation builds a team ethic where everyone involved can trust each other and take control of vulnerability management, instead of clashing. The data-driven approach offered by the best RBVM programs takes large volumes of real-time external intelligence and combines it with contextual information unique to each IT environment. This reveals not only where vulnerabilities currently exist, but what their specific impact might be within each organisation. By using incontrovertible evidence that can be automatically shared across relevant stakeholders, both security and IT fully understand where to put their time and effort.
- Embrace agility
It’s not always possible to fix every high-risk vulnerability the instant that it’s discovered. However, organisations must be able to recognise and fix vulnerabilities which sit at the heart of a mission-critical application or customer-facing service to avoid downtime.
This is when organisational agility comes into play. Those teams that are in control of their VM strategy and processes are in a much better position to decide what’s important to fix now, while determining a plan for remediating other vulnerabilities over time. They are also very well placed to implement alternative mitigation strategies for remediating hard-to-fix vulnerabilities when urgency is required.
For many organisations, Risk-Based Vulnerability Management (RBVM) is thankfully delivering an antidote to the ineffective manual processes that have stymied the wider efforts of so many IT teams. By viewing the challenges as a technology-enabled team effort, organisations are able to meet future vulnerabilities head-on and with the confidence that they can focus on the right priorities at the right time.
The future of RBVM will be increasingly defined by meaningful metrics that business leaders can appreciate and will be underpinned by a data-driven process that promotes shared trust between IT and Security.
Click below to share this article