The Truth About Vulnerability Management

By Jody S. Hawkins, CISSP, National General Insurance

As we look at the fundamental pillars of information security, vulnerability management is certainly a cornerstone. Being such an important aspect of the information security program, it demands to be implemented as a top-down approach in any business or organization. It is also important to note that vulnerability management is not about simply running scans and deploying patches; rather, it often requires impactful changes in the way business is being conducted. This is why it is imperative to have leadership commitment.

Commitment from leadership is the result of many factors, and the level of commitment you receive will vary widely across organizations. Businesses that deal in risk on a daily basis tend to have a much higher risk tolerance, while organizations such as hospitals, which tend to equate risk with patient harm, may have a much lower tolerance. Regardless of the situation, in order to effect change you must first convince the business there is a problem to solve. This may seem like an easy task when looking at something as basic as vulnerability management, one of the “ABCs” of security, but you may be surprised. It is vital that you spell out the risks associated with the vulnerabilities while keeping the descriptions as simple as possible. Be brief, yet impactful.

Once leadership is committed to the fact that there is a problem worth solving, you should then detail potential solutions to the problem. Keep in mind that doing nothing is an option. For that reason, you should always include the status quo in a side-by-side comparison with the other proposed solutions. It is also vital that you remain completely transparent and be open and honest about the business impacts that could be realized when going with one option over another. As information security professionals, it is our job to give leadership accurate information so they can make appropriate decisions about accepting or reducing risk. Don’t be afraid to list the cons of what you consider to be the “best” solution. It will build much-needed trust as you move forward.

A good deal of what comprises typical vulnerability management is scanning and patching. While these exercises seem simple and straightforward, they can cause business disruptions. If web browsers are being used as the graphical user interfaces (GUIs) for internally developed applications, upgrading those browsers can leave users unable to access those applications. Upgrades to encryption protocol versions must be a two-way handshake: if you upgrade a set of servers to the next Transport Layer Security (TLS) version, you must also upgrade anything with which they are required to communicate, because a connection can only use a version that both sides support. Depending on the size and complexity of the network, this can be a daunting task, especially when disruptions can have immediate impacts on profitability, customer relations, business partner trust, etc.
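The “two-way handshake” point above is the kind of thing that is worth checking on paper before a change window, not after. The script below is an added example, not code from the original article or from the author’s organization: it models each endpoint’s accepted TLS version range, computes the version each pair would negotiate (the highest version both sides accept), and reports which dependents would stop communicating if one server’s minimum version were raised. The inventory, link list and names such as `payments-api` and `legacy-batch-client` are constructed for illustration; the version ordering comes from Python’s `ssl.TLSVersion` enum.

```python
"""Pre-change TLS compatibility check for a planned server upgrade.

Added example, not part of the original article. Assumptions: the inventory
below is constructed, and an endpoint's "supported range" is the contiguous
span of TLS versions it is configured to accept.
"""
from dataclasses import dataclass
from ssl import TLSVersion
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str
    min_version: TLSVersion
    max_version: TLSVersion


def negotiated_version(a: Endpoint, b: Endpoint) -> Optional[TLSVersion]:
    """Highest TLS version both endpoints accept, or None if they share none.

    TLSVersion is an IntEnum ordered by protocol version, so max/min work.
    """
    low = max(a.min_version, b.min_version)
    high = min(a.max_version, b.max_version)
    return high if low <= high else None


def assess_upgrade(
    inventory: Dict[str, Endpoint],
    links: List[Tuple[str, str]],
    target: str,
    new_min: TLSVersion,
    new_max: TLSVersion,
) -> Dict[str, List[Tuple[str, Optional[TLSVersion], Optional[TLSVersion]]]]:
    """Simulate changing `target`'s accepted range and report each peer link.

    Returns {"breaks": [...], "ok": [...]}; each entry is
    (peer_name, version_before_change, version_after_change).
    """
    upgraded = Endpoint(target, new_min, new_max)
    report: Dict[str, List[Tuple[str, Optional[TLSVersion], Optional[TLSVersion]]]] = {
        "breaks": [],
        "ok": [],
    }
    for left, right in links:
        if target not in (left, right):
            continue
        peer_name = right if left == target else left
        peer = inventory[peer_name]
        before = negotiated_version(inventory[target], peer)
        after = negotiated_version(upgraded, peer)
        entry = (peer_name, before, after)
        # A link breaks if it worked before and has no common version afterwards.
        if before is not None and after is None:
            report["breaks"].append(entry)
        else:
            report["ok"].append(entry)
    return report


# Constructed inventory: one server and the systems it must talk to.
INVENTORY = {
    "payments-api": Endpoint("payments-api", TLSVersion.TLSv1, TLSVersion.TLSv1_2),
    "legacy-batch-client": Endpoint("legacy-batch-client", TLSVersion.TLSv1, TLSVersion.TLSv1),
    "partner-gateway": Endpoint("partner-gateway", TLSVersion.TLSv1_2, TLSVersion.TLSv1_3),
    "reporting-web": Endpoint("reporting-web", TLSVersion.TLSv1_1, TLSVersion.TLSv1_2),
}
LINKS = [
    ("payments-api", "legacy-batch-client"),
    ("payments-api", "partner-gateway"),
    ("reporting-web", "payments-api"),
]


def plan_tls12_floor() -> Dict[str, List[Tuple[str, Optional[TLSVersion], Optional[TLSVersion]]]]:
    """Proposed change: payments-api accepts only TLS 1.2 and 1.3."""
    return assess_upgrade(INVENTORY, LINKS, "payments-api",
                          TLSVersion.TLSv1_2, TLSVersion.TLSv1_3)


if __name__ == "__main__":
    result = plan_tls12_floor()
    for peer, before, _ in result["breaks"]:
        print(f"BREAKS  {peer}: {before.name} -> no common version")
    for peer, before, after in result["ok"]:
        print(f"ok      {peer}: {before.name if before else 'none'} -> "
              f"{after.name if after else 'none'}")
```

Run as-is, the report flags `legacy-batch-client` (stuck on TLS 1.0) as the dependent that must be upgraded first, while `partner-gateway` moves up to TLS 1.3 and `reporting-web` keeps negotiating TLS 1.2. Feeding it a real inventory turns the author’s warning into a concrete list of systems to schedule before the server change.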

Always remember that any choice made can come at a cost. From doing nothing to preventative measures that reduce risk, we should always strive for transparency. Nothing we do in information security is ever easy. Unless you work for a company specializing in information security, you are often an afterthought. When we do our jobs correctly, “nothing happens.” Over time you may have to be clever about the way you present risks, and don’t be afraid to remind leadership why “nothing” has been happening.
