CISA and NIST compile ominous vulnerability reports

CISA and NIST are trusted sources for vulnerability information. But it's a mistake to rely on them exclusively for prioritization or risk mitigation efforts. Here's why their latest reports are nothing more than a good start.

Rhett | December 09, 2021

Last month, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a new directive requiring federal agencies to patch known exploited vulnerabilities within specific timeframes. With this directive, CISA also published the Known Exploited Vulnerabilities Catalog. While a welcome move, these vulnerability reports are not enough on its own to change the cyber risk status quo plaguing our digital lives. 

Of course, it is always good to have CISA, with all of its weight and influence, shine a spotlight into the dark corner of our industry in hopes cyber security professionals will take action to proactively protect their organizations and businesses.

Vulnerabilities are going nowhere  

But cyber debt is the elephant in the room and we are having a hard time talking about it, much less doing something about it. And the debt and the elephant are growing year over year after TechRepublic reported, “The number of new security flaws recorded by NIST has already surpassed the total for 2020, the fifth record-breaking year in a row.” The NIST vulnerability count each year is additive and cumulative. These vulnerabilities don’t go away unless cyber teams do the work to eliminate whatever risk they may have posed to the business if they hadn’t been addressed or mitigated. 

Known vulnerabilities, when unmitigated, are crushing IT security teams under a massive pile of work necessary to drive cyber hygiene and reduce cyber risk. The industry is struggling to get ahead yet security teams must lead the conversation on cyber risk within their organizations, turning everyone involved in the risk mitigation process into risk owners. Cyber security processes must be efficient and proactive and focused on identifying and reducing cyber risk before it grows beyond teams’ control.

The CISA directive provides solid, yet generalized, guidance to cyber teams if they don’t know where to start. Even though CISA deadlines are somewhat arbitrary, the security window is continually shrinking meaning IT security teams only have days at most before we see bad actor exploits hit their targets. 

The case for custom prioritization

We highly recommend the Identification and prioritization of cyber risk specific to your organization, then implement an achievable plan to manage and mitigate the vulnerabilities that pose the most risk to the business. No doubt vulnerability remediation is a difficult, dirty job. If it weren’t, and our cyber hygiene as a whole were perfect, CISA wouldn’t bother us with a list of known vulnerabilities like this.

Organizations are often well-aware of the danger posed by mounting cyber risk. But effective steps to reduce risk across organizations can be difficult in the face of competing priorities and objectives such as application releases, development deadlines and production stability. With the growing need for cyber security being something of an inconvenience, efforts to reduce cyber risk are easily treated as lower priorities. 

But cyber security, like vulnerability remediation and mitigation, is a shared responsibility. It does not get done if vendors, IT and security teams are not on the same page and working toward the same goals. Enforcing cyber security isn’t easy. But these are the decisions cyber teams must make collaboratively with IT teams while considering the trade-offs between often-competing objectives.

Vulnerability reports are only a good start

And in terms of the private sector, organizations should be using this CISA catalog as a type of threat intelligence feed. Better yet, use the CISA catalog as a guide or a starting point to roll your own vulnerability prioritization effort to suit your unique business or organization.

But cyber security professionals must go beyond. Relying on external sources for prioritization can only go so far. The Vulcan Cyber risk management platform lets IT and security teams own all aspects of cyber risk mitigation. Check out Vulcan Free for more info. 

This blog is an expansion of our contribution to this article in DarkReading 

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy