As we look at the fundamental pillars of information security, vulnerability management is certainly a cornerstone. Because it is such an important aspect of the information security program, it must be implemented as a top-down initiative in any business or organization. It is also important to note that vulnerability management is not simply about running scans and deploying patches; it often requires impactful changes in the way business is conducted. This is why leadership commitment is imperative.
Commitment from leadership is obtained as the result of many factors and the level of commitment received will vary wildly across the landscape. Businesses that deal in risk on a daily basis will tend to have a much higher risk tolerance while organizations such as hospitals, who tend to equate risk to patient harm, may have a much lower tolerance. Regardless of the situation, in order to effect change you must first convince the business there is a problem to solve. This may seem like an easy task when looking at something as basic as vulnerability management, one of the “ABCs” of security; but, you may be surprised. It is vital that you spell out the risks associated with the vulnerabilities while keeping the descriptions as simple as possible. Be brief, yet impactful.
Once leadership is committed to the fact that there is a problem worth solving, you should then detail potential solutions to the problem. Keep in mind that doing nothing is an option. Because of this, you should always include the status quo in a side-by-side comparison with the other proposed solutions. It is also vital that you remain completely transparent and be open and honest about the business impacts that could be realized when going with one option over another. As information security professionals, it is our job to give leadership accurate information so they can make appropriate decisions about accepting or reducing risk. Don’t be afraid to list the cons of what you consider to be the “best” solution. It will build much-needed trust as you move forward.
A good deal of what comprises typical vulnerability management is scanning and patching. While it seems simple and straightforward, these exercises can cause business disruptions. If web browsers are being used as the Graphical User Interfaces (GUIs) for internally developed applications, upgrading those browsers can leave users unable to access those applications. Upgrades to encryption protocol versions must be a two-way handshake: both ends of a connection have to support the new version. If you upgrade a set of servers to the next Transport Layer Security (TLS) version, you must also upgrade anything with which they are required to communicate. Depending on the size and complexity of the network, this can be a daunting task, especially when disruptions can have immediate impacts on profitability, customer relations, business partner trust, etc.
Always remember that any choice made can come at a cost. From doing nothing to preventative measures that reduce risk, we should always strive for transparency. Nothing we do in Information Security is ever easy. Unless you work for a company specializing in Information Security, you are often an afterthought. When we do our jobs correctly, “nothing happens.” Over time you may have to be clever about the way you present risks, and don’t be afraid to remind leadership why “nothing” has been happening.