Your organization is most likely spending a lot of effort finding and fixing vulnerabilities, but the problem is that you or your team just can't seem to keep up.

You will soon find out that your approach to vulnerability management does not work. Creating vulnerability reports, attending vulnerability review meetings, opening tickets to patch vulnerabilities, validating fixes and patches, and so on take too much time, energy, and head-banging, yet nothing seems to make any difference to the number of vulnerabilities your company is facing. Why?

Because you probably have something like 1,000+ open security vulnerabilities in your systems, right? Or is it closer to 10,000? 100,000? Does the number even matter?

You are sure to be overwhelmed with alerts from your vulnerability scanners…

Even if you change and improve the format and frequency of your reports, not much is gained. The problem you are facing is this: vulnerability reports, even good vulnerability reports, are being ignored.

1. WHY don't years of vulnerability reports make a dent in the overall number of vulnerabilities you face?

2. WHY do your teams treat fixing critical security vulnerabilities as low-priority work?

3. WHY do they struggle to garner support and momentum for security activities?

The short answer to these questions is:

The vulnerability management problem, and by extension the InfoSec policy, budgeting, and executive-support problems, are largely symptoms of an ineffective, incomplete, and unsupported approach to Information Security Governance.

In terms of vulnerability management, what you usually see is individual vulnerability scanners and one-off projects applied in various parts of the organization. A truly effective vulnerability management program operates at a higher level.

An effective vulnerability management program continually monitors, analyzes, and assesses RISK, wrapping its arms around security weaknesses and shining a light on exposures that can negatively impact the enterprise.

With this expanded scope and visibility, the vulnerability management program needs to be FULLY supported by C-suite executives and throughout your organisation. It should be aligned with the high-level strategies of your company and integrated with the core elements of the business itself. The program should also include a steering committee that draws members from all parts of the organization, to ensure cross-functional support and alignment.

A well-run governance program of this kind is the foundation that supports the organization's cybersecurity posture, agility, and cyber-resilience. It is also the infrastructure that makes truly great vulnerability management possible.

But the MOST important of these elements is support at the executive and board level.

In theory, everything mentioned above is okay, but practically it seems impossible. Right?

-

Fortunately, there is still A LOT YOU CAN DO, even without initial executive-level support!

• Asset Management With a Risk-Based Approach
You can quantify the business criticality of infrastructure systems and business applications as potential dollars lost, and use that figure to prioritize Information Security activities and initiatives. It must be done with a RISK-based approach: the expected loss of a finding is its likelihood of exploitation combined with the business impact of the affected asset, not its CVSS score alone. If you do that, your vulnerability reports will correlate security vulnerabilities to business dollars, which makes them hard for anyone to ignore. A practical caveat: the dollar estimates only need to be defensible and consistent across assets, not precise; the goal is a ranking the business agrees with, not an accounting figure.

• Baseline Configuration Management
You can also provide a set of gold-standard, frequently updated and patched "Baseline Configurations" for all new platform/OS images, your common infrastructure, and important business applications. This reduces the number of known or previously patched security vulnerabilities in development, test, and production environments, because a system that has drifted from the baseline can be brought back to it instead of being hand-patched finding by finding. If you do this, your vulnerability reports can show the number of systems/applications that are "out of baseline" instead of the number of open security vulnerabilities (CVEs) across all systems. This only works if the baselines themselves are refreshed on a fixed cadence; a stale gold image simply makes every system look compliant while carrying the same old vulnerabilities, so findings that the current baseline does not yet fix still need to be tracked separately.

• Vendor (External Supplier) Security Risk Management
You can identify, assess, and manage the security risks associated with vendors during the proof-of-concept, procurement, and integration phases, in order to determine the level of support required from the external vendor as well as the terms and conditions (for example patch timelines and vulnerability notification) agreed during purchasing. If you do that, your vulnerability reports will separate vulnerabilities in third-party applications and infrastructure components from internally created and managed ones. This gives you another level of granularity in the vulnerability-prioritization process, and it makes clear which findings you can fix yourself and which depend on a supplier delivering a patch.

-

When you undertake these three simple tactical actions, Asset Management with a Risk-Based Approach, Baseline Configuration Management, and Vendor Management, you will be able to focus your immediate energy on high-priority vulnerabilities even with a small InfoSec team.
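The three actions above combine naturally into one prioritization step. The following is an added illustration, not code from the original post: it ranks scanner findings by expected business loss (dollars per hour of outage multiplied by likelihood of exploitation), flags systems that have drifted from their gold baseline so they can be re-imaged rather than hand-patched, and separates vendor-owned findings from internally owned ones. The likelihood formula, the recovery-time assumption, the asset inventory, and the vulnerability IDs (EX-0001 and so on) are all constructed for the example and are not real CVEs or real systems.

```python
"""Risk-based vulnerability prioritisation (illustrative, constructed data).

Assumptions (not from the article): business criticality is expressed as an
estimated loss in USD per hour of outage or compromise, likelihood is a crude
function of the CVSS base score plus a known-exploited flag, and each asset
carries the baseline tag it should run and the tag it actually runs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    loss_per_hour_usd: float  # business criticality expressed in dollars (assumed)
    baseline: str             # gold-standard image/config tag it should be on
    actual: str               # tag it actually runs (from inventory/CMDB)
    origin: str               # "internal" or the vendor that owns the component


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # placeholder IDs below are constructed, not real CVEs
    asset: str
    cvss: float               # scanner base score, 0-10
    known_exploited: bool     # e.g. listed in an exploited-in-the-wild feed
    fixed_in_baseline: bool   # the current gold image already carries the fix


def likelihood(f: Finding) -> float:
    """Crude probability-of-exploitation proxy in [0, 1] (assumed formula)."""
    p = f.cvss / 10.0
    if f.known_exploited:
        p = min(1.0, p + 0.3)
    return p


def risk_usd(f: Finding, a: Asset, hours_to_recover: float = 24.0) -> float:
    """Expected loss = likelihood x impact, impact = hourly loss x recovery time."""
    return likelihood(f) * a.loss_per_hour_usd * hours_to_recover


def out_of_baseline(assets):
    """Systems whose running image/config differs from the gold baseline."""
    return [a.name for a in assets if a.actual != a.baseline]


def prioritise(assets, findings):
    """Rank findings by expected business loss rather than by raw CVSS."""
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        a = by_name[f.asset]
        drifted = a.actual != a.baseline
        # If the baseline already has the fix, the cheapest remediation is to
        # bring the host back to baseline, not to hand-patch it.
        action = "re-image to baseline" if (f.fixed_in_baseline and drifted) else "patch"
        rows.append({
            "id": f.vuln_id,
            "asset": a.name,
            "cvss": f.cvss,
            "risk_usd": risk_usd(f, a),
            "origin": a.origin,
            "action": action,
        })
    rows.sort(key=lambda r: r["risk_usd"], reverse=True)
    return rows


def split_by_origin(rows):
    """Separate vendor-owned (third-party) findings from internally owned ones."""
    third_party = [r for r in rows if r["origin"] != "internal"]
    internal = [r for r in rows if r["origin"] == "internal"]
    return third_party, internal


# Constructed sample inventory and scan output (not real systems or CVEs).
ASSETS = [
    Asset("pay-api", 50_000.0, "web-2024.06", "web-2024.06", "internal"),
    Asset("hr-portal", 2_000.0, "web-2024.06", "web-2024.03", "ExampleHR Ltd"),
    Asset("dev-jenkins", 500.0, "ci-2024.06", "ci-2024.06", "internal"),
]
FINDINGS = [
    Finding("EX-0001", "pay-api", 7.5, False, False),
    Finding("EX-0002", "hr-portal", 9.8, True, True),
    Finding("EX-0003", "dev-jenkins", 9.8, False, False),
]

if __name__ == "__main__":
    ranked = prioritise(ASSETS, FINDINGS)
    print(f"out of baseline: {out_of_baseline(ASSETS)}")
    for r in ranked:
        print(f"{r['id']:8} {r['asset']:12} cvss={r['cvss']:<4} "
              f"risk=${r['risk_usd']:>10,.0f} [{r['origin']}] -> {r['action']}")
    third, internal = split_by_origin(ranked)
    print(f"third-party: {[r['id'] for r in third]}, "
          f"internal: {[r['id'] for r in internal]}")
```

Note what the ranking does with the constructed data: the CVSS 9.8 finding on the low-value build server lands last, below a CVSS 7.5 finding on the payment API, because the report is expressed in expected dollars rather than severity. The HR portal finding is high severity and known to be exploited, but because the current gold image already carries the fix and the host has drifted, the recommended action is to re-image it to baseline, and it is listed under the vendor's name so the report shows which items depend on a supplier.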

👉 Please let me know what you think about this in the comment section. You can also share this post if the information here helps you in some manner.

If you are interested in reading more high-quality posts on cybersecurity, you can always let me know by leaving a comment.

This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking.

She shares posts and writings about Cybersecurity on her website and on social media platforms, and 30,000+ professionals follow her on Facebook.

You can follow her on Facebook: Cybersecurity PRISM