CISO Perspectives on Business Risk and Vulnerability Remediation

When security teams have to scramble between remediations, hoping to stay a step ahead of their hacker adversaries, high-level strategy is not a priority.

Gal Gonen | May 23, 2021

When security teams have to scramble between remediations, hoping to stay a step ahead of their hacker adversaries, high-level strategy is not a priority. That’s why Vulcan invited two security leaders to Remediation Summit 2020—Akamai CSO Andy Ellis and Levi’s deputy CISO Steve Zalewski—to share their perspectives on vulnerability remediation as a piece of the business risk picture.

Landscaping vulnerabilities with Andy Ellis

If you were managing threats to your lawn, what would your dashboard look like? A data point for each blade of grass? When there are weeds, crabgrass, nitrogen burns, and pests to worry about, Andy Ellis would have a hard time maintaining the property if he took that approach.

That’s why Ellis thinks of managing vulnerabilities a bit like landscaping: monitoring each blade of grass misses the point. It makes about as much sense to measure success in terms of patches completed, for example, as measuring grass trendlines keeps a lawn healthy.

Instead, IT and security teams should be positioned for the future by reaching a “design/change” level of proactive management.

4 vulnerability management positions

For Ellis, there are two important axes to keep in mind: proactive vs. reactive, and change vs. stability. A proactive stance foresees needs, rather than correcting mistakes. A stable system protects what works, while the opposite is about alterations to make improvements. 

Taken together, these axes create a quadrant with four components: recovery, repair, sustainment, and design/change. Reaching the best position requires understanding all four, which we’ll examine here:

1. Recovery

Being in a reactive stance and altering is the worst position to be in: incident response. A team in this position is managing imminent or realized risk, attempting to move from unsafe to safe. This type of fast, uncoordinated response is dangerous in complex systems, because it often breaks or impacts other functionalities.

One relevant example? SQL Slammer. Teams in a recovery position made abrupt changes and firewall rules to block the port it communicated through. As a result, at least one banking system found its ATMs shut down.

This position, which Ellis describes as dancing on the edge of danger, comes from an attitude of, “How little can I get done to avoid an incident?” It comes from failures in the repair game.

2. Repair

A company that is in the stable and reactive quadrant is in repair position. This is less dangerous than recovery because systems are safe, but this is not a good place for vulnerability management to live. Repair is best thought of as simply “defense against recovery,” or recovery waiting to happen.

3. Sustainment

Switching from reactive to proactive, we arrive at sustainment. Here, vulnerability management is focused on keeping systems stable. There are activities on the calendar, with patch management coming around once a month—simply put, the team is staying safe by steering around known environmental and marginal risks.

Remediation are taken care of in an orderly fashion, and work is routine. Since your team is not caught up in repairing a broken system or keeping it afloat in real time, it’s possible to make predictions.

When sustainment fails, the team drops back to repair, without proper orchestration.

4. Design/Change 

Finally, we arrive at the proactive and altering quadrant—this is where the vulnerability remediation function is steering around future business risk. We’re moving actively from a safe position to an even safer position.

Here, a team is positioned to minimize the sustainment activities needed to keep out of repair, and to minimize the repair work needed to keep out of recovery.

Interventions and business risk tolerance

At every level of IT management, your risk level is your boss’s point of intervention. In the Remediation Summit, Ellis presents two key questions to think about: 

  • Where do I intervene? 
  • Is my business risk tolerable?

Ultimately, these questions vary depending on the role and where dependencies sit:

System administrators need to know if they’re out of SLA and which remedies should be handled next.

Engineering VPs need to know who from their team isn’t remediating in a timely way and how that might impact the release pipeline.

CSOs care about which VP needs better guidance, because the release pipeline impacts whether SLAs are being met.

CEOs care about whether the process is working, because if SLAs are not met, there is a potential for missing real vulnerabilities.

Watch the full webinar video for a deeper dive into how these roles interplay. It’s only possible to achieve this level of orchestration with appropriate vulnerability remediation mechanisms—starting with the most risky, but eventually taking care of everything. This requires care, thought, and continuous remediation… just like landscaping.

CISO perspectives on business risk

Holistic vulnerability management drives resiliency, with Steve Zalewski and his cat

Steve Zalewski is deputy CISO at Levi’s. His cat is very interested in his work, as you’ll see when you watch the full Remediation Summit recording. From Zalewski’s “pawspective,” vulnerability is more about selling jeans than patch management.

What does that mean? Ultimately, the board is concerned about vulnerability remediation because an immature approach is a business risk.

For Zalewski, there are three top-level concerns at play:

  1. Protect the brand by protecting customer data and keeping their trust.
  2. Protect the Levi’s workforce from social engineering, phishing, and other attacks.
  3. Protect the third-party vendor ecosystem and all the risk that comes with it.

Presenting a dynamic defense, the Vulcan way

Ultimately, Zalewski’s goal is not a flawless record of preventing threats. Focusing on vulnerability remediation across 15,000 systems with hundreds of remedies a week? That is a losing strategy. For Levi’s, a dynamic defense is a holistic approach to vulnerability management that provides resilience to the business.

In other words, even if a piece of the business goes down, Zalewski and the rest of the Levi’s organization can deliver results while that piece is brought back up—with minimal impact on overall operations.

His goal is to continuously deliver business value and outcomes, in spite of attack. That means analyzing risks, mitigating the appropriate ones, and then managing the fleet.

Using machines to make intelligent decisions dynamically helps Levi’s automate its ability to withstand an attack. Levi’s partnership with Vulcan is about gaining the capacity to automate assessment and remediation to achieve high-level business operation goals and keep risks minimal.

Try Vulcan Free to see how your business can adopt a similar approach.

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy