5 Things Every CIO Should Know About Vulnerability Management

Cover graphic: the terrain a CIO navigates, with cybersecurity, microservices, legacy systems, shadow IT, attacker behavior, skills shortage, privacy regulations, buyer expectations, serverless, and expanding IoT usage.
Introduction

Where would modern enterprises be without the CIO?

As CIO, you’re expected to navigate diverse and constantly changing terrain. In addition to helping grow your business and keeping costs down, you worry about all that data and the assets, networks, and applications that house it. Protecting your infrastructure and enterprise stack from cyber threats is a multi-faceted problem all on its own. And as your organization grows, your attack surface grows with it.

In the face of all these responsibilities and challenges, vulnerability management (VM) might strike you as a small element of your operation—especially if IT, Security and Development are separate from IT operations in your organization.* Often it appears that VM is just another technical debt, a routine task Security manages and IT implements.

*While we recognize that organizational structures vary, to keep things simple in this paper, we’re referencing Development, DevOps, and IT operations as simply “IT.”
Managing vulnerabilities, however, is important not just for security teams, but for all of IT. Security, it turns out, is a team sport that requires cross-functional collaboration to get right. And it’s worth getting right: Vulnerabilities can leave your most strategic assets—and your business itself—exposed to cyber threats that evolve by the day. What’s more, a modern vulnerability management operation benefits CIOs in multiple ways—and can even help you become a more strategic and effective force in the C-Suite.

Here are five things every CIO should know about vulnerability management.
1. You don’t need to fix that entire list.

Just 4% of common vulnerabilities & exposures have been observed in organizations and exploited in the wild. (Source: Taking the Pulse on Vulnerability Management)

The average enterprise has millions of vulnerabilities. Millions. No organization, no matter how well resourced or efficient, can possibly fix them all. The good news is that no organization really needs to. That’s because not every vulnerability you find in your environment poses a risk to your specific assets or business. In fact, only 4% of all common vulnerabilities and exposures (CVEs) meet the critical criteria of being both observed within organizations and known to be exploited in the wild. In most enterprises, fewer than 4% of vulnerabilities and weaknesses pose a legitimate risk.

So if you’ve ever wondered whether all of that effort your team is expending on remediation is helping fix the vulnerabilities that matter most, you’ve probably had good reason. Typical vulnerability scanners and application assessment tools are useful for finding potential exposures, but spitting out a massive list that’s hundreds of pages long is little help to an already time-strapped team. IT and development can’t fix all of them, so which vulns should they address first? How will they know which flaws pose the greatest risk to your particular organization?

The truth is, without the right insights, they can’t. Fortunately, adopting a risk-based approach to vulnerability management solves this problem, and many others.
2. The right VM program can be vastly more efficient.

The impact of RBVM: 55% of security teams cut the time they spend investigating vulnerabilities in half. (Source: TechValidate)

Endless meetings debating which vulnerabilities to remediate? Persistent conflicts over priorities? This is hardly what you want from your IT, Security, and DevOps teams. But when they are hobbled by outdated tools and processes that can’t predict threats or prioritize fixes, it’s what you often get.

Adopting a risk-based vulnerability management (RBVM) approach solves this. The right RBVM solution weighs multiple factors—not just the vulnerabilities and the likelihood they’ll be weaponized, but also the assets and applications you rely on—so your team has the context necessary to focus on where you’re most vulnerable today.

This risk-based approach helps your teams work more efficiently. Not only is Security released from the day-to-day burden of sending lists of vulnerabilities to IT, so it can devote more time to strategic tasks, but the teams are no longer battling over what to do and who will do it.
3. Adopting a risk-based approach will reduce risk for Security & IT.

“Risk” can mean different things to IT and Security, and that difference can cause friction. For Security teams, reducing risk often means patching all vulnerabilities that may be weaponized—no matter their impact on infrastructure operations or DevOps. For IT, risk means anything that threatens your ability to deliver for the business.

The two are often at odds. Indiscriminate patching, for instance, can break processes or applications, restrict availability, and threaten service level agreements (SLAs). But ignoring the vulnerabilities that are (or are likely to be) targeted by exploits could leave you open to attacks that could end up hurting your business, operations and brand.

The best way to reduce risk for Security and IT both is to have a shared language around risk—and a risk-based approach that measures the real likelihood that an exploit will target the vulnerabilities that are of high risk in your particular environment. That way, your Security team can produce reports that IT management will understand. And because you’re not swimming through hundreds of “critical” vulnerabilities, it’s easier to weigh proposed remediations against the risk that a patch or rewritten application code may cause downtime or other problems—and then identify exemptions where they make sense.

The result? Not only is your RBVM program more efficient, but it serves everyone better: Security is protecting your data, applications, and assets—and IT is protecting its ability to meet the needs of the business.

How Can You Reconcile the Different Definitions of Risk?

Security: Zero breaches. IT: No downtime, meet SLAs. Shared goal: Focus on high-risk vulnerabilities first.
4. You want to be in the driver’s seat. A data-driven approach will put you there.

The persistent disconnect between Security and IT has frequently caused Security to feel unsupported by IT, and IT to feel pressured (even bullied) by Security. None of this is necessary, and it certainly doesn’t help you run a tight, results-oriented IT ship.

The truth is, as CIO, you want to be in the driver’s seat. You want to make sure your IT teams are meeting SLAs while Security is keeping data, assets, and applications safe. You want your limited resources focused on the most important and strategic work at hand. A data-driven approach puts you there.

A modern RBVM program takes the guesswork out of vulnerability management. It’s based on mountains of contextual data—real-time external intel combined with data about your unique IT environment—that shows you not only what exposures you have, but what they mean to your organization. With an RBVM program based on incontrovertible evidence that is automatically shared across teams, both IT and Security immediately understand where to put their efforts. Roles are clarified. And Security is no longer telling IT what to do, because IT now has a self-serve environment that cuts through the clutter and keeps priorities aligned.

Now you can fully take IT risk into account—and the collaboration with Security is better than ever before. Suddenly, something new emerges in the relationship between the two teams: shared trust.

That’s what happens when a data-driven, self-serve RBVM environment puts you in control.

What Does a Data-Driven, Self-Serve RBVM Program Look Like?

1. External & internal data gathered & analyzed
2. RBVM algorithms align threats with vulns & prioritize fixes
3. Security issues reports IT managers can understand
4. IT managers weigh remediation against IT risk
5. To Remediate or Not to Remediate? Weighing Risk vs. Effort

Once you’re driving, you can explore alternate mitigation approaches for vulnerabilities you can’t fix.

It’s not always possible to fix every high-risk vulnerability the moment you discover it. Sometimes, the vulnerability sits at the heart of a mission-critical application or customer-facing web service where any downtime is unacceptable. Other times, it might be located on devices that are impossible to patch, or that require your DevOps team to write the fix themselves.

Risk vs. effort matrix (rows: risk, columns: effort):

                High Effort                 Medium Effort                 Low Effort
High Risk       High Risk — High Effort     High Risk — Medium Effort     High Risk — Low Effort
Medium Risk     Medium Risk — High Effort   Medium Risk — Medium Effort   Medium Risk — Low Effort
Low Risk        Low Risk — High Effort      Low Risk — Medium Effort      Low Risk — Low Effort

When you’re in control of your vulnerability management process, you can decide what’s important to fix now, while determining a schedule for remediating other vulns over time. You can also come up with alternate mitigation strategies for remediating those hard-to-fix vulnerabilities. And when IT and Security are aligned on priorities, there’s little to argue about.

With IT in the driver’s seat of a risk-based approach to vulnerability management, you’ll have much more control over evaluating the risk versus the reward of remediation efforts. And most importantly of all, you’ll have all your teams working in tandem to reduce your overall risk profile.
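As an added illustration (not code from this paper or from Kenna Security), the Python sketch below implements the prioritization the paper describes: each finding is scored on scanner severity, likelihood of weaponization (public exploit code, exploitation observed in the wild) and the criticality of the asset it sits on, then placed in a risk-vs-effort matrix cell with a remediation decision. The field names, weights and thresholds are assumptions chosen for illustration, and the findings are constructed sample data rather than real CVEs.

```python
from dataclasses import dataclass

@dataclass
class Finding:  # one vulnerability observed on one asset (illustrative schema, not a vendor's)
    vuln_id: str             # constructed placeholder, not a real CVE id
    cvss_base: float         # scanner severity, 0.0 to 10.0
    exploited_in_wild: bool  # threat intel reports exploitation in the wild
    exploit_public: bool     # working exploit code is publicly available
    asset_criticality: int   # 1 (lab box) to 5 (mission-critical, customer-facing)
    effort: str              # "low" (vendor patch), "medium" (patch plus outage), "high" (rewrite/unpatchable)

def risk_score(f: Finding) -> float:
    """Blend severity, likelihood of weaponization and asset context into a 0-100 score."""
    likelihood = 0.2                       # assumed baseline: no known exploit
    if f.exploit_public:
        likelihood = 0.6
    if f.exploited_in_wild:
        likelihood = 1.0                   # the paper's 'exploited in the wild' criterion
    return round(f.cvss_base / 10 * likelihood * f.asset_criticality / 5 * 100, 1)

def risk_bucket(score: float) -> str:
    if score >= 60:                        # thresholds are assumptions for this illustration
        return "High Risk"
    if score >= 25:
        return "Medium Risk"
    return "Low Risk"

def decide(f: Finding) -> str:
    """Place the finding in the risk-vs-effort matrix and attach a remediation decision."""
    bucket = risk_bucket(risk_score(f))
    cell = f"{bucket} - {f.effort.capitalize()} Effort"
    if bucket == "High Risk" and f.effort == "high":
        return cell + ": mitigate now with a compensating control, schedule the fix"
    if bucket == "High Risk":
        return cell + ": fix now"
    if bucket == "Low Risk" and f.effort == "high":
        return cell + ": document an exemption, revisit when intel changes"
    return cell + ": schedule in a maintenance window"

def prioritize(findings: list) -> list:
    return sorted(findings, key=risk_score, reverse=True)  # highest contextual risk first

# Constructed sample findings; VULN-B has a 'critical' CVSS on a lab box yet scores low.
SAMPLE = [
    Finding("VULN-A", 9.8, True, True, 5, "low"),
    Finding("VULN-B", 9.8, False, False, 2, "medium"),
    Finding("VULN-C", 7.5, True, True, 5, "high"),
    Finding("VULN-D", 6.5, False, True, 4, "low"),
]
```

Running `prioritize(SAMPLE)` orders the findings A, C, D, B: the CVSS 9.8 on the lab box lands last, while the 7.5 exploited in the wild on a customer-facing system sits in the High Risk — High Effort cell and gets a compensating control rather than being ignored.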
What’s next? Talk to your CISO.

With cybersecurity efforts requiring more attention and budget, there’s no better time to talk with your CISO about taking a risk-based approach to vulnerability management. Why? Because with an RBVM environment, you can:

- Lower risk for both IT and Security
- Focus on the risks that matter most
- Build shared trust between your teams
- Create a self-service, data-driven environment that prevents turf wars
- Create efficiencies by eliminating disputes and aligning priorities

The future of vulnerability management is risk-based.

Leading industry analysts agree: The days of blindly, manually chasing vulnerabilities are over. The future will be increasingly defined by meaningful prioritization and metrics business leaders can understand. And it will be characterized, finally, by an efficient, amicable process that puts CIOs in the driver’s seat.

Learn more about RBVM.

- The Future of Vulnerability Management is Risk-Based, featuring research from Gartner.
- Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies, featuring research from the Cyentia Institute.
- Distinguishing Common Practices from Best Practices in Vulnerability Management, on-demand webinar featuring research from the Cyentia Institute.

To learn more about aligning your organization around risk, visit www.kennasecurity.com

Kenna and Kenna Security are trademarks and/or registered trademarks of Kenna Security, Inc. and/or its subsidiaries in the United States and/or other countries. © 2020 Kenna Security, Inc. All rights reserved.