Creating a mature vulnerability management program to sell more jeans
Vulnerability management programs exist to drive desired business outcomes. Period. In the case of Levi Strauss & Co. the desired business outcome is to sell more of the world’s original jeans. Last week it was my privilege to host a webcast with Steve Zalewski, Levi Strauss & Co. deputy CISO, to discuss what keeps him and his security team up at night as they work diligently to sell more jeans.
For Steve the priority is to reduce business risk. More than zero trust or even hybrid cloud security, vulnerability remediation (not just vulnerability management) tops his list of security programs that must be done right. A mature vulnerability management program that drives remediation outcomes, rather than Excel spreadsheets full of hundreds of vulnerabilities, is his secret to supporting Levi’s business outcomes and, of course, reducing business risk.
Running information security for one of the largest retail and consumer brands in the world involves protecting a large, diverse attack surface. Steve provided a sense of the scale of the challenge and made it very clear that it isn’t only about protecting the brand, although this is his top priority. He and his team must also protect the Levi’s workforce and their partner ecosystem. Steve comments in the webcast about each attack vector:
- The brand: The brand is the top priority; specifically, he and his team must protect Levi’s customer and corporate information wherever it lives.
- The workforce: The people are a gateway to corporate assets, and as such are a top target for attackers. Steve and team must protect the Levi’s workforce to protect the brand and its information assets.
- The partner ecosystem: The majority of Levi’s information security incidents in the last two years were caused by partners. That’s tricky.
- Tune into the webcast to hear Steve talk about how he solves this challenge through a dual approach to cyber maturity and cyber resiliency, and learn how mature vulnerability management supports both initiatives.
Steve was joined on the webcast by Vulcan Cyber CEO Yaniv Bar-Dayan, and together they talked about the Vulcan maturity model for vulnerability remediation, which is designed to move security and IT operations teams from reactive to data-driven, and from orchestrated to transformed, vulnerability management programs.
Potentially a bigger issue than the actual maturity of enterprise vulnerability management programs is the false perception of maturity. We recently surveyed more than 120 IT and security executives about their programs and surprisingly 84% of respondents felt their programs were mature. But a deeper dive revealed a major disconnect between perception and reality.
Yaniv said, “We already know most enterprise vulnerability management programs are immature. We see it every day in the field. We mapped the survey results against our maturity model to help IT leaders shift their focus from simply managing vulnerabilities to actual remediation. What caught us off guard was that the vast majority of respondents felt their programs were already mature. Given the number of breaches caused by known, unpatched vulnerabilities, we discovered a surprising disconnect that merits a closer look.”
Get the survey details and the full vulnerability remediation maturity model eBook here. Here’s an excerpt from the eBook that defines stage 1 versus stage 2 and outlines what it takes to move from a reactive to a data-driven vulnerability management program:
Level 1 – Reactive vulnerability scanning
The vast majority of organizations are at Level 1. As the poll above suggests, while the majority of participants trust their vulnerability scanning capabilities, most programs fall short when it comes to deriving insights or actionable steps from those scan results. In many cases, each team works in its own silo, juggling its own fragmented scanning and management stack. For example, the security team manages a collection of technology-specific scanners for its cloud infrastructure, on-premises infrastructure, static code, open source code, and so on. Each tool looks for specific types of vulnerabilities and operates within its own unique frame of reference, including risk management, false positive rates, and urgency levels. There is often a lot of duplication across the different scanners.
At this maturity level, an enterprise’s vulnerability management program is tactical. With no cross-organizational visibility across workflows and policies, effective risk-based vulnerability triage is close to impossible. As a result, vulnerabilities are assessed on a case-by-case basis, and remediation is reactive.
Level 2 – Data-driven vulnerability management
In Level 2, the enterprise security team and its allies have learned to normalize the diverse scanner outputs and enrich them with other internal and external data streams in order to derive actionable, prioritized vulnerability insights. The security team’s data-driven, strategic vulnerability decisions are now based on a real-time understanding of asset status and criticality, compliance requirements, and threat intelligence.
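The Level 1 to Level 2 transition described above, shown as an added example (this is not code from the eBook, the webcast, or Vulcan Cyber's products). It assumes two hypothetical scanners with different output formats and severity scales, a constructed asset criticality table, a constructed list of known-exploited CVEs, and a simple illustrative priority formula; all CVE identifiers, host names and scores are constructed placeholders.

```python
"""Normalize, deduplicate, enrich and prioritize findings from several scanners.

Demonstrates the Level 2 idea from the text: diverse scanner outputs are mapped
onto one schema, duplicates across scanners are merged, and each finding is
ranked using asset criticality and threat intelligence rather than raw severity.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample output from two hypothetical scanners. The "cloud" scanner
# reports severities as words; the "sca" scanner reports CVSS numbers and
# upper-cases asset names. Both report the same CVE on web-01, which is the
# cross-scanner duplication the text describes.
CLOUD_SCANNER = [
    {"host": "web-01", "cve": "CVE-0000-0001", "severity": "critical"},
    {"host": "web-01", "cve": "CVE-0000-0002", "severity": "medium"},
    {"host": "db-01", "cve": "CVE-0000-0003", "severity": "high"},
]
SCA_SCANNER = [
    {"asset": "WEB-01", "id": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "build-agent", "id": "CVE-0000-0004", "cvss": 7.5},
]

# Constructed internal context: asset criticality on a 1-5 scale (from an asset
# inventory) and threat intelligence (CVEs known to be exploited in the wild).
ASSET_CRITICALITY = {"web-01": 5, "db-01": 4, "build-agent": 2}
KNOWN_EXPLOITED = {"CVE-0000-0002"}

# Assumed mapping of word severities onto a CVSS-like 0-10 scale so that both
# scanners can be compared on the same axis.
SEVERITY_WORDS = {"low": 3.0, "medium": 5.0, "high": 7.5, "critical": 9.5}


@dataclass
class Finding:
    asset: str
    cve: str
    base_score: float
    sources: List[str] = field(default_factory=list)
    priority: float = 0.0


def normalize_cloud(records) -> List[Finding]:
    """Map the word-severity scanner format onto the common Finding schema."""
    return [Finding(r["host"].lower(), r["cve"], SEVERITY_WORDS[r["severity"].lower()], ["cloud"])
            for r in records]


def normalize_sca(records) -> List[Finding]:
    """Map the CVSS-number scanner format onto the common Finding schema."""
    return [Finding(r["asset"].lower(), r["id"], float(r["cvss"]), ["sca"]) for r in records]


def deduplicate(findings: List[Finding]) -> List[Finding]:
    """Merge findings that describe the same CVE on the same asset, keeping the
    highest score seen and recording every scanner that reported it."""
    merged: Dict[Tuple[str, str], Finding] = {}
    for f in findings:
        key = (f.asset, f.cve)
        if key in merged:
            existing = merged[key]
            existing.base_score = max(existing.base_score, f.base_score)
            existing.sources.extend(f.sources)
        else:
            merged[key] = Finding(f.asset, f.cve, f.base_score, list(f.sources))
    return list(merged.values())


def enrich_and_prioritize(findings, criticality, known_exploited) -> List[Finding]:
    """Weight each finding by asset criticality and exploitation status, then
    sort so the remediation queue starts with the highest business risk."""
    for f in findings:
        crit = criticality.get(f.asset, 3)  # assets missing from inventory get a middle weight
        exploited = 2.0 if f.cve in known_exploited else 1.0  # illustrative boost
        f.priority = round(f.base_score * (crit / 5) * exploited, 2)
    return sorted(findings, key=lambda f: f.priority, reverse=True)


def build_remediation_queue() -> List[Finding]:
    """Run the full Level 2 pipeline over the constructed scanner data."""
    raw = normalize_cloud(CLOUD_SCANNER) + normalize_sca(SCA_SCANNER)
    return enrich_and_prioritize(deduplicate(raw), ASSET_CRITICALITY, KNOWN_EXPLOITED)


if __name__ == "__main__":
    for finding in build_remediation_queue():
        print(f"{finding.priority:5.2f}  {finding.asset:12s}  {finding.cve}  via {','.join(finding.sources)}")
```

With these inputs the queue is led by a "medium" finding that is known to be exploited on the most critical asset, ahead of a "critical" CVSS 9.8 finding on the same host; that inversion is the practical difference between a raw scanner export and a data-driven queue. The scoring weights are deliberately simple and should be replaced with whatever risk model the organization actually uses.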
Listen to this webcast and learn from Steve and Yaniv how to get your vulnerability management program moving toward vulnerability remediation outcomes and supporting a more secure business.