Why is Vulnerability Management so difficult for laypeople to understand?
Why does it seem impossible for IT teams to gain leadership support for a standard, repeatable, operational process?
What is the barrier to reporting vulnerability management metrics to our executive board in a clear and concise manner?
In today’s world of constant cybercrime attempts, having a foundational process in place to ensure computer systems are kept up to date and maintained at current patch levels is an absolute must. The challenges most organizations face can be summed up in the following categories: resources, priorities, business alignment, and maintaining a simple, repeatable, operational process.
Vulnerability – the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.
This rather generic dictionary definition of vulnerability holds true, even in the logical world of computer systems. We do not have to dive into a cybersecurity-specific definition to understand that vulnerability simply means exposure. No one likes being exposed, nor should we accept our companies being exposed.
Protecting your organization and individuals from vulnerability is somewhat analogous to tending a garden. Each requires the basics of continued care and frequent fertilization. While pulling weeds from a garden is definitely not glamorous, neither is ensuring your computer systems continually remain updated, current, and patched. Both tasks require ongoing attention to be effectively and successfully maintained. They require effort, progress monitoring, and at times a strategy to keep control over pests and uninvited invaders. Lastly, each requires a well-thought-out plan for times when you are not focused on the task. If you go on holiday and leave your plants unattended, there will most assuredly be weeds waiting upon your return. If your teams do not maintain a repeatable, ongoing, operational process for patching systems, there will be an increase in vulnerabilities.
Also worth noting, cloud-based systems are not immune to vulnerability. When adopting cloud solutions, foundational planning should establish a shared understanding of specific roles and responsibilities across your company. The main purpose of this understanding is to remove any ambiguity about who is actually accountable for maintaining each element of the cloud solution: the cloud provider, the IT and cybersecurity teams, the business… This blog site is a good example, as it is cloud-based; however, not all components are fully managed by the cloud provider. Certain elements require my direct care and attention to keep the site current, patched, and healthy.
“There is an inherent yin and yang associated with the vulnerability management lifecycle.” ~John Graham
Exposing the challenges and risks associated with vulnerability management to company executives and board members can be daunting. There is an inherent yin and yang associated with the vulnerability management lifecycle. The infrastructure and IT teams try, although perhaps in vain, to persuade business leaders to allow system downtime for patching activities. This can create numerous lengthy and unnecessary debates, driving cybersecurity teams to work on complex ranking algorithms while attempting to prioritize the order in which each patch is addressed. Unless your organization segments systems specifically on the basis of regulatory requirements, critical and very specific data sets, or transaction volume-based processing, working through this highly granular prioritization scheme to reach group consensus on patching order can take the focus off the basic operational process. These efforts distract the teams and increase administrative costs. Moreover, the end result is typically less positive than being pragmatic and ensuring a solid, basic process is in place. Just like pulling weeds in your garden, it is a basic, ongoing effort to address all of the weeds. Unfortunately, this struggle is real for many organizations all over the world. The battle produces delays in remediating vulnerabilities, leading to major financial losses caused by cybercriminal exploits.
Experienced business leaders are comfortable taking risks, as this is a fundamental skill in creating successful businesses. These leaders look to a variety of sources of information to form solid decisions, balancing risk with reward. The CISO’s challenge in sharing information about vulnerability management is to convey the message in terms easily understood by a non-IT audience, to add to the information pool that supports their decision-makers, and to work cohesively to reduce risk company-wide. Additionally, business leaders are often unfamiliar with IT terminology, with the positive impact of interdisciplinary communication, and with how to create and maintain a standard, secure, and repeatable process.
There are vast numbers of research papers, complex formulas, large-scale examples, and working groups focused on vulnerabilities. Experience and training have shaped my opinion that basic, pragmatic, collaborative steps in vulnerability management can be highly successful in any setting. As I see it, there are currently three fundamental metrics for the effectiveness of vulnerability management:
- Speed to effectively patch ‘all’ systems when a critical event occurs,
- Consistency of ongoing, repetitive patching and
- Visibility, and visibility gaps, in identifying vulnerabilities within your company.
First, speed to effectively patch all systems when a critical event occurs. This is fairly straightforward; however, do not “cry wolf” when invoking this process. It should be used only when the severity truly is at the absolute top tier (use any criticality/impact score you like). The goal is to rally every team and third party involved to run a full-on sprint to the finish line with a specific patch set addressing the vulnerability. The key to success is keeping the finish line in sight (visibility of all affected systems) while maintaining focus at full throttle through completion. Your metric is simple: how long did it take, from the moment the event was declared to confirmation that the last in-scope system was patched? This effort should complete within hours, not days, in any company regardless of its size. However, the operational process standards, including automation, should be aligned to the size and scale of your company. This is a clear, simple metric that board members can easily understand and executive leaders can support. Collaboration across teams, a high-level playbook, and testing through tabletop exercises can all be solid supporting activities for achieving a repeatable response in hours.
Next, examine the consistency of ongoing, repetitive patching. New vulnerabilities are identified and reported daily, coupled with an ongoing stream of new and revised exploits in the wild. The belief that any company will get to zero vulnerabilities across its systems is simply not realistic. Teams should align and collaborate on basic, repetitive, operational patching goals across all systems. Our current model is that vulnerabilities with a critical CVSS rating are patched within 30 days and those with a high CVSS rating within 60 days. We are not looking for zero vulnerabilities; we are looking for consistent, repetitive cycles of patching as a fundamental baseline across the enterprise. Again, the metric is simple. Trend lines should show that the teams are holding the line against newly identified vulnerabilities: the backlog of known vulnerabilities should trend steadily down, and the new-vulnerability line should show incoming spikes knocked down as patches are applied, over and over (a heartbeat). The measure should also give a clear view of how consistently the teams involved execute the process, with slow, steady, accurate application of patches and updates.
Lastly, where are the visibility gaps in identifying vulnerabilities within your company? Systems come and go: mergers and acquisitions, new cloud services, legacy equipment brought out of the closet, a new network segment stood up by a business unit… all of these contribute to the continual ebb and flow of any company’s technology ecosystem. A constant battle for any vulnerability program is maintaining visibility of the whole ecosystem across the company. The operational process of “looking for the unknown” should always be part of a successful vulnerability management program. In its most basic form this is achieved through scanning, research, internal processes, governance, and at times just plain hunting, in order to continually footprint your company. Although some companies have a solid governance-based culture, very few are positioned to “catch it all” through governance processes meant to ensure nothing new is installed without registration. Additionally, this level of control over business processes that need new technology can be costly, both in administrative overhead and in political standing, as a business unit may work harder to “get around” the governance. Our new world of cloud-based services has also radically changed the speed and ease with which a business process can be digitally transformed, with or without governance. Cybersecurity teams must build constant checks and balances into their ongoing vulnerability management process: trust the business, but verify what actually makes up the systems across the company. This will not be resolved quickly or easily. As cybersecurity professionals, we should look to add value to our business partners and not be viewed as limiting their speed. Again, the easily digestible discussion point with senior leaders and board members in any company is this: we need clear visibility in order to assure risk reduction regarding cybersecurity vulnerabilities.
The metric need not be complex. Simply showing, month over month, how much “new” has been discovered can frame the discussion and demonstrate the value of lightweight registration processes. Remember the goal: maintaining a repeatable process, showing results, and minimizing surprises across the company. Regardless of whether you believe a business should or should not stand up the latest cloud SaaS tool to support its process, it is our job to help minimize the risk that tool presents when it is not maintained going forward.
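To make the three metrics concrete, here is an added Python example (not the post’s own code or any particular scanner’s tooling) that computes them from scan history and asset inventories: the hours-to-patch-all figure for a critical event, SLA aging against the 30-day critical and 60-day high targets with the resulting new/fixed/open “heartbeat” per month, and the assets newly discovered month over month. The findings, inventories, asset names and VULN-00x identifiers are constructed sample data, not real CVEs or a real environment, and the report date and event start are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# SLA targets taken from the post: critical within 30 days, high within 60.
SLA_DAYS = {"critical": 30, "high": 60}
REPORT_DATE = date(2019, 3, 31)      # assumed "as of" date for the board report
EVENT_START = datetime(2019, 1, 5)   # assumed moment the critical event was declared


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                  # constructed ids (VULN-00x), not real CVE numbers
    severity: str                 # "critical", "high", "medium", ...
    first_seen: date              # first scan that reported it
    fixed: Optional[date] = None  # None while still open


# Constructed scan history (sample data, not a real environment).
FINDINGS = [
    Finding("web-01", "VULN-001", "critical", date(2019, 1, 5), date(2019, 1, 20)),
    Finding("web-02", "VULN-001", "critical", date(2019, 1, 5), date(2019, 2, 15)),  # fixed late
    Finding("db-01", "VULN-002", "high", date(2019, 1, 12), date(2019, 2, 20)),
    Finding("db-01", "VULN-003", "high", date(2019, 1, 20), None),                    # open, overdue
    Finding("app-07", "VULN-004", "critical", date(2019, 3, 10), None),               # open, within SLA
    Finding("app-07", "VULN-005", "medium", date(2019, 3, 11), None),                 # below tracked tiers
]

# Constructed monthly asset inventories (discovery scans, cloud account listings, ...).
INVENTORY = {
    "2019-01": ["web-01", "web-02", "db-01"],
    "2019-02": ["web-01", "web-02", "db-01"],
    "2019-03": ["web-01", "web-02", "db-01", "app-07", "saas-crm"],
}


def sla_status(f: Finding, as_of: date) -> str:
    """Bucket one finding against its severity SLA as of the reporting date."""
    limit = SLA_DAYS.get(f.severity)
    if limit is None:
        return "untracked"
    deadline = f.first_seen + timedelta(days=limit)
    if f.fixed is not None:
        return "fixed_in_sla" if f.fixed <= deadline else "fixed_late"
    return "open_in_sla" if as_of <= deadline else "open_overdue"


def sla_summary(findings, as_of: date) -> dict:
    """Count of findings per SLA bucket: the 'are we holding the line' view."""
    counts = {}
    for f in findings:
        bucket = sla_status(f, as_of)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


def month_key(d: date) -> str:
    return f"{d.year:04d}-{d.month:02d}"


def heartbeat(findings, months) -> dict:
    """Per month: new findings, findings fixed, and open backlog at month end.
    A healthy series shows 'new' spiking and 'open' knocked back down each cycle."""
    out = {}
    for m in months:
        year, mon = (int(x) for x in m.split("-"))
        next_month = date(year + 1, 1, 1) if mon == 12 else date(year, mon + 1, 1)
        month_end = next_month - timedelta(days=1)
        new = sum(1 for f in findings if month_key(f.first_seen) == m)
        fixed = sum(1 for f in findings if f.fixed and month_key(f.fixed) == m)
        open_ = sum(1 for f in findings
                    if f.first_seen <= month_end and (f.fixed is None or f.fixed > month_end))
        out[m] = {"new": new, "fixed": fixed, "open": open_}
    return out


def hours_to_patch_all(findings, vuln_id: str, started: datetime) -> Optional[float]:
    """Critical-event metric: hours from declaring the event until the last in-scope
    system is fixed. None while any system is still unpatched (the sprint is not over).
    Scan dates here are day-granular; real tracking should use patch timestamps."""
    in_scope = [f for f in findings if f.vuln_id == vuln_id]
    if not in_scope or any(f.fixed is None for f in in_scope):
        return None
    last = max(datetime.combine(f.fixed, datetime.min.time()) for f in in_scope)
    return (last - started).total_seconds() / 3600


def newly_seen_assets(inventory_by_month: dict) -> dict:
    """Visibility metric: assets appearing for the first time in each month."""
    seen, out = set(), {}
    for m in sorted(inventory_by_month):
        current = set(inventory_by_month[m])
        out[m] = sorted(current - seen)
        seen |= current
    return out


if __name__ == "__main__":
    print(sla_summary(FINDINGS, REPORT_DATE))
    print(heartbeat(FINDINGS, sorted(INVENTORY)))
    print(hours_to_patch_all(FINDINGS, "VULN-001", EVENT_START))
    print(newly_seen_assets(INVENTORY))
```

Run as-is and the sample data tells the story the post describes: the VULN-001 sprint took 984 hours because one host lagged, so it would not pass the “hours, not days” bar; the backlog rises to three in January, is knocked down to one in February and spikes again in March as new findings arrive; and March surfaces two assets (including a SaaS tool) that no earlier inventory knew about. The same functions run unchanged over a real scanner export once it is mapped onto the Finding fields.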
To summarize, vulnerability management does not need to be complex. It can be addressed in a collaborative, pragmatic way. Consistency and communication are key. Equally essential is sharing basic metrics with senior executives and board members to aid their understanding of how this foundational element reduces cybersecurity risk across the organization. If your current IT program is not making the forward progress you expect, take a break, go back to basics, and restart with the foundational elements covered above. It can be done successfully in an organization of any size.
John W. Graham
Copyright 2004-2019 Securing Reality, LLC, John W. Graham. All Rights Reserved.
Post Editor: Renee Palmer.