Vulnerability Management Re-Visited

I know, boring topic. Just part of IT and Security operations. Nothing sexy here. It’s way more fun to think about how to beat those nasty, mean APTs, how to detect malware actively on your network, how to do fancy risk management presentations.

But there are two things that are part of your reality, information security people, that make Threat & Vulnerability Management an imperative for you if you wish to succeed.

First, all the “basics” of security are part of the CISO’s “below the line” activity. Below the line activity is the activity that is just your job. The rest of your organization realizes it exists, realizes it is important and expects you to do it. The CEO does not care about your patching metrics, he or she just wants it done. If you fail at this and it leads to a major problem, your job is in serious jeopardy.

Second, because most organizations are not doing a particularly good job with vulnerability management (and therefore patching), the bad guys are exploiting you without having to work hard. At least 90% of all intrusions I do any research on turn out to have been achieved because known vulnerabilities were not patched. Even worse, those known vulnerabilities led to an attack path that reached critical assets that were of value to the attackers.

In other words, doing our “below the line” job is critical to protecting our organization. Yet most security and IT organizations have not patched the most basic vulnerabilities in their networks, and by leaving them unpatched they place themselves at much higher risk, both as organizations and as individuals. Paul Proctor, Chief of Research for Gartner’s Security & Risk Management practice, has said that 80% of cyber security risk can be eliminated by security teams doing the basics well. Frankly, the current set of outcomes makes it very clear that only 20% of security teams are eliminating 80% of their risk.

If we want to change this, we in the information security community are going to need to focus on maturing our vulnerability management capabilities. We are going to need to outgrow our black-and-white approaches rooted in compliance and appreciate the fact that the world is fuzzy and unclear. It’s time to return to basics, but in a much more mature way. It’s time to build cross-discipline processes that integrate activities in InfoSec and IT Ops. We need to patch based upon business context and risk, not PCI compliance.
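To make the difference between a compliance-driven queue and a risk-driven one concrete, here is an added example (not code from the original post, and not any vendor's product logic). It ranks a handful of constructed findings two ways: once by a plain CVSS threshold, the way a "fix everything rated high or above" rule would, and once by a score that folds in business context of the kind the post describes, namely asset criticality, internet exposure, known in-the-wild exploitation, and whether the host sits on an attack path to a critical asset. The field names, weights, score bands and sample findings are all assumptions chosen for illustration.

```python
"""Risk-based patch prioritisation next to a CVSS-threshold ("compliance") view.

Added example, not code from the original post. Field names, weights, SLA bands
and the sample findings are assumptions constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss: float               # base score, 0.0 .. 10.0
    asset_criticality: int    # assumed scale: 1 (lab/test) .. 5 (crown jewels)
    internet_facing: bool
    exploited_in_wild: bool   # e.g. listed in a known-exploited catalogue
    reaches_critical: bool    # host lies on a path that reaches a critical asset


# A "high or above must be fixed" style rule; the threshold itself is assumed.
COMPLIANCE_THRESHOLD = 7.0


def compliance_order(findings):
    """Binary view: everything at or above the threshold first, then by CVSS."""
    ranked = sorted(findings, key=lambda f: (f.cvss < COMPLIANCE_THRESHOLD, -f.cvss))
    return [f.finding_id for f in ranked]


def risk_score(f: Finding) -> float:
    """Blend technical severity with business context. Multipliers are assumptions."""
    score = f.cvss * f.asset_criticality        # 0 .. 50 before context multipliers
    if f.internet_facing:
        score *= 1.5                            # reachable without an initial foothold
    if f.exploited_in_wild:
        score *= 2.0                            # attackers do not need to work hard
    if f.reaches_critical:
        score *= 1.5                            # part of a path to something that matters
    return score


def risk_order(findings):
    """Contextual view: highest risk score first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [f.finding_id for f in ranked]


def patch_sla_days(f: Finding) -> int:
    """Translate a risk score into a patch window. Bands are assumptions."""
    s = risk_score(f)
    if s >= 100:
        return 3
    if s >= 40:
        return 14
    if s >= 15:
        return 30
    return 90


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("V-1", 9.8, 1, False, False, False),   # critical CVSS on an isolated test box
    Finding("V-2", 6.5, 5, True, True, True),      # "medium" CVSS, exposed, exploited, crown-jewel path
    Finding("V-3", 7.5, 3, True, False, False),    # high CVSS, internet-facing, mid-value host
    Finding("V-4", 5.0, 1, False, False, False),   # medium CVSS, no business context
]


if __name__ == "__main__":
    print("compliance order:", compliance_order(SAMPLE))
    print("risk order:      ", risk_order(SAMPLE))
    for f in SAMPLE:
        print(f"{f.finding_id}: score={risk_score(f):.2f} sla={patch_sla_days(f)}d")
```

With these inputs the compliance view puts the CVSS 9.8 test-box finding at the top and the CVSS 6.5 finding third, while the risk view inverts that: the exposed, actively exploited host on a path to a critical asset lands in the three-day window and the isolated test box drops to the ninety-day queue. The point is not the specific multipliers, which any team would tune to its own environment, but that the ordering changes once context is allowed to count.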

Look for more from me on this topic over the next month or so. Meanwhile, start getting to it and patching stuff before the bad guys exploit it. And you.

About Eric Cowperthwaite

Nearly 30 year security professional, 11 years in the US Army, and another 18 in the civilian world. Worked for EDS for 9 years, then for Providence Health & Services as their CSO for 7 years. Now I work for CORE Security as their VP, Advanced Security & Strategy. This blog is not just about security, either physical or information. You can expect to read about cigars, my life, things I think are funny and much more. And I will rail about the FUD that so many security practitioners toss around on a regular basis. Plus, once in a great while, I might actually share a thought or two about security. Did I mention that I will probably blog about cigars? Just to be clear, nothing that I write here represents the position or opinion of my employer. Nothing I write here is proprietary or confidential to my employer. Everything I write here is my personal opinion.
This entry was posted in InfoSec, Risk Management, Security, Vulnerability Management.

One Response to Vulnerability Management Re-Visited

  1. Pingback: What Is A Good Security Program? | Security, Cigars and FUD