How can Enterprises Stop Failing their Vulnerability Management Teams?
Everyone knows that CISOs are losing sleep over the dangers that vulnerabilities could potentially cause their businesses, and with good reason. But the problem goes beyond the continuous growth in vulnerabilities. All too often, enterprise security efforts suffer from at least one of the following problems:
- Difficulties in getting company-wide “buy in” for needed measures
- Lack of or misuse of proper tools for fighting vulnerabilities effectively
When an enterprise suffers from one or both of these issues, it is very difficult for vulnerability management teams to work effectively to improve their enterprise’s security posture.
Lead By Communicating
There are two primary reasons why vulnerability management teams don’t get the support they need from their company. First, there is often tension between security teams on one hand, and IT/DevOps teams on the other. These employees are under tremendous pressure as it is. For them, security measures are yet another obstacle.
Fortunately, there are solutions to this problem, including:
- Developing a shared framework for vulnerability management: Prioritize vulnerabilities according to their actual risk, focusing on the ones that matter most. When the development team sees that you are making an effort to bring forward only relevant vulnerabilities, they will understand that you respect their time. This process builds trust between the teams.
- Speaking in IT/DevOps terminology: Phrase requirements in terms that make sense to the people who will implement the solutions, and take their tools and methods into account. For example, don’t just send them a list of CVEs. Try to offer the most efficient solution possible instead of just showing up with the problem.
- Quantifying using benchmarks: After getting IT/DevOps on board, it’s crucial that you can demonstrate where progress has been made. Setting security benchmarks in advance therefore helps you make the case for integrating security into the development process.
In addition to tension between security and IT teams, many CISOs face a communication gap in the boardroom. Many times, CISOs aren’t able to put the technical risks and challenges they face into business terms that board members can understand. As Craig Moss notes, many business leaders get “lost in the technicalities of cybersecurity” and believe that “cybersecurity is an IT issue.” To overcome this and other communication gaps, he recommends speaking in the board’s language, explaining the business impact of not adopting certain methodologies and practices. The discussion should especially focus on the cost effectiveness of risk-based security.
Bringing security and IT/DevOps teams together as well as communicating effectively with other managers are essential tasks for CISOs who want to improve an enterprise’s security.
Use the Right Tools
There are a lot of vulnerability management tools on the market, but all too often they suffer from the same problem: they focus on the wrong issues.
Most security and IT departments fix vulnerabilities according to the Common Vulnerability Scoring System (CVSS) scale, which assigns a numerical score and a severity rating to each problem. However, these assessments measure only the theoretical, laboratory danger of a vulnerability, not the actual threat it poses in a real network. Naturally, the vulnerability tools offered to enterprises follow the same methodology. This would be acceptable if the approach actually helped teams identify the most dangerous vulnerabilities for their systems. But it doesn’t, and far too often “critical” issues don’t pose a real threat. Security teams are then forced to manually re-prioritize based on actual risk, which is time consuming and leads to unnecessary delays.
Enterprises need tools that focus on their specific network, making it visible and helping them prioritize which problems actually need to be fixed, and in what order.
Besides choosing the wrong tools, many enterprises make the mistake of not using automation often enough. Enterprise environments often require the same actions to be taken multiple times, in multiple locations. This takes time and demands a constant level of focus. Without automation, the process wastes time and produces errors as well as inconsistencies in patches and other fixes. Automation ensures that the work is done efficiently and consistently, and it is especially useful when a set of fixes must be applied to one or more assets in a specific order. Even with the proper methodology, tools, and teamwork, failure to automate can create costly problems, including service disruptions and human errors.
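The re-prioritization described above, as an added example that is not part of the original article: scanner findings carrying a CVSS base score are re-ranked by contextual risk (internet exposure, public exploit availability, asset criticality). The finding ids, asset names and weighting factors are constructed for illustration and are not a standard; a real program would pull the context from its own asset inventory.

```python
"""Contextual re-ranking of CVSS-scored findings (constructed example)."""
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Finding:
    finding_id: str          # constructed label, not a real CVE id
    cvss: float              # CVSS base score reported by the scanner
    asset: str               # constructed asset name
    internet_facing: bool    # reachable from the internet?
    exploit_public: bool     # is a public exploit known?
    asset_criticality: int   # 1 (low) .. 3 (business critical), set by the enterprise

# Hypothetical weights chosen for this example; they are not a published formula.
EXPOSURE = {True: 1.5, False: 0.6}
EXPLOIT = {True: 1.3, False: 0.8}
CRITICALITY = {1: 0.7, 2: 1.0, 3: 1.4}

def risk_score(f: Finding) -> float:
    """CVSS base score scaled by the asset's real-world context."""
    return (f.cvss * EXPOSURE[f.internet_facing]
            * EXPLOIT[f.exploit_public] * CRITICALITY[f.asset_criticality])

def cvss_order(findings: List[Finding]) -> List[str]:
    """The order a CVSS-only tool would hand to IT/DevOps."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def risk_order(findings: List[Finding]) -> List[str]:
    """The order after contextual re-prioritization."""
    return [f.finding_id for f in sorted(findings, key=risk_score, reverse=True)]

def paper_critical_only(findings: List[Finding], threshold: float = 5.0) -> List[str]:
    """'Critical' by CVSS (>= 9.0) but below the contextual risk threshold."""
    return [f.finding_id for f in findings
            if f.cvss >= 9.0 and risk_score(f) < threshold]

# Constructed sample findings.
FINDINGS = [
    Finding("VULN-001", 9.8, "dev-box-isolated", False, False, 1),
    Finding("VULN-002", 7.5, "web-frontend", True, True, 3),
    Finding("VULN-003", 8.1, "internal-db", False, True, 3),
    Finding("VULN-004", 5.3, "vpn-gateway", True, False, 2),
]

if __name__ == "__main__":
    print("CVSS order:", cvss_order(FINDINGS))
    print("Risk order:", risk_order(FINDINGS))
    print("Critical on paper only:", paper_critical_only(FINDINGS))
```

The CVSS 9.8 finding on an isolated, low-value host drops to the bottom of the list, while the 7.5 on an exposed, business-critical host with a public exploit moves to the top.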
Learn More to Overcome the Challenges
The challenges facing vulnerability management teams are considerable. The number of vulnerabilities is growing, and internal issues within organizations make the challenge even greater. Communication problems between security, IT and DevOps teams cause friction, and other executives don’t fully understand a CISO’s concerns or contributions. The wrong tools are often chosen, and even when the correct ones are used, work is not as automated as it could be, leading to inefficiencies.
Fortunately, there are solutions to all of these problems. To give your vulnerability team the tools and approaches they need to succeed, download this whitepaper on free tools and repositories.