I know, boring topic. Just part of IT and Security operations. Nothing sexy here. It’s way more fun to think about how to beat those nasty, mean APT’s, how to detect malware actively on your network, how to do fancy risk management presentations.
But there are two things that are part of your reality, information security people, that make Threat & Vulnerability Management an imperative for you if you wish to succeed.
First, all the “basics” of security are part of the CISO’s “below the line” activity. Below the line activity is the activity that is just your job. The rest of your organization realizes it exists, realizes it is important and expects you to do it. The CEO does not care about your patching metrics, he or she just wants it done. If you fail at this and it leads to a major problem, your job is in serious jeopardy.
Second, because most organizations are not doing a particularly good job with vulnerability management (and therefore patching), the bad guys are exploiting you without having to work hard. At least 90% of all intrusions I do any research on turn out to have been achieved because known vulnerabilities were not patched. Even worse, those known vulnerabilities led to an attack path that reached critical assets that were of value to the attackers.
In other words, doing our “below the line” job is critical to protecting our organization. Yet most security and IT organizations have not patched the most basic vulnerabilities in their networks. And by doing so they place themselves at much higher risk as an organization and as individuals. Paul Proctor, Chief of Research for Gartner’s Security & Risk Management practice, has said that 80% of cyber security risk can be eliminated by security teams doing the basics well. Frankly, the current set of outcomes is making it very clear that only 20% of security teams are eliminating 80% of their risk.
If we want to change this, we in the information security community are going to need to focus on maturing our vulnerability management capabilities. We are going to need to outgrow our black and white approaches rooted in compliance, appreciate the fact that the world is fuzzy and unclear. It’s time to return to basics, but in a much more mature way. It’s time to build cross discipline processes that integrate activities in InfoSec and IT Ops. We need to patch based upon business context and risk, not PCI compliance.
Look for more from me on this topic over the next month or so. Meanwhile, start getting to it and patching stuff before the bad guys exploit it. And you.