Vulnerability management, like flossing, is not fun, exciting, or sexy, but we know that it’s a necessary component of good hygiene. There’s a ton of evidence and research to strongly substantiate its benefits, and yet we frequently struggle to do it despite clearly understanding the consequences — we certainly don’t want a root canal! Yet, just as dentists and hygienists try to persuade their patients to floss, security leaders face an uphill battle getting teams outside of security to effectively and consistently manage vulnerabilities.
The one instance when vulnerability management does come into prominence is when a critical, newsworthy, “all hands on deck” emergency emerges (aka “emergency and celebrity vulnerability response”). In these situations, teams come together and work through the emergency. It’s the day-to-day management that becomes a challenge.
So what’s the answer? While there is no perfect solution, there are several strategies that have worked for me and my peers in the past. These are not mutually exclusive, and any of them combined (or all together) can help drive significant improvements.
Influence And Motivation
I don’t know anyone who wants a breach, so you would think that the threat alone would motivate people to stay on top of vulnerability management. And yet, in many cases, it doesn’t. Worse yet, some teams/companies don’t bother to figure it out until after they’ve had a breach. Fully 25% of breaches in 2022 involved a software vulnerability. That, of course, is not where we want to be, so we need to influence teams to act. Granted, that’s easier said than done, but there are some clear things you can do:
- You have to answer the fundamental “What’s in it for me?” question. If you can’t do that, it’s already a struggle. Why should they care about remediation? Put it in business terms that matter to them, such as downtime, lost revenue, missed deadlines, reputational impact, etc.
- Find a way to make this a “win” for them. This can be tough since, in many cases, the work just has to be done, and it’s about avoidance, compliance, etc. The “win,” however, may be more recognition-based (see scorecards below).
- Be realistic regarding what the real risks and benefits are. Be transparent about risk/reward as well as what you are asking them to do. Implement realistic SLAs and an exception process that ensures that exceptions are reviewed on a regular basis. Inflated risks, unrealistic expectations, unrealistic deadlines, and demanding action are exactly what give the security team a bad reputation. Build a partnership with both the business and IT.
- Combine the above recommendations with the strategies below. Also, make sure to check out our great research on influence and storytelling.
- Have a clear way to map ownership to applications and assets. It can sometimes take weeks just to figure out what business area owns the remediation process! Having clear procedures for tools such as CMDBs, CAASMs, and asset management systems can help make this process easier.
Proper Prioritization — A Risk-Based Approach
A large part of the issue is the sheer volume of vulnerabilities, and it never stops. Prioritizing and dealing with the issues that pose the actual greatest risk to your organization is critical to making this manageable. This also helps curb burnout. Not all vulnerabilities are created equal.
Just because a vulnerability is listed as critical doesn’t mean that it’s critical in your environment. A medium vulnerability may very well carry a much greater risk based on your specific circumstances (e.g., lack of mitigating controls, the type of data involved, and/or the location of the impacted asset). See Erik Nost’s report on remediation prioritization, How To Strengthen Vulnerability Risk Management With Remediation Prioritization.
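As an added illustration (not from the post or the report it cites) of how a medium finding can outrank a critical one once exposure, data sensitivity, and mitigating controls are applied, here is a small Python re-ranker; its weights, SLA buckets, and sample findings are assumptions to be tuned to your own environment.

```python
from dataclasses import dataclass

# Added example: re-rank findings by environmental context instead of raw CVSS.
# All weights, SLA buckets and sample findings below are constructed/assumed.

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str              # placeholder ids, not real CVEs
    cvss: float               # vendor/NVD base score
    internet_facing: bool
    data_class: str           # "public" | "internal" | "confidential" | "regulated"
    mitigations: tuple = ()   # compensating controls in place, e.g. ("waf", "segmented")

# Assumed multipliers; tune these to your own risk appetite.
DATA_WEIGHT = {"public": 0.6, "internal": 0.8, "confidential": 1.0, "regulated": 1.2}
EXPOSURE_WEIGHT = {True: 1.5, False: 0.7}
MITIGATION_DISCOUNT = 0.75    # each compensating control multiplies the score by this

def contextual_risk(f: Finding) -> float:
    """Base CVSS adjusted for exposure, data sensitivity and mitigating controls."""
    score = f.cvss * EXPOSURE_WEIGHT[f.internet_facing] * DATA_WEIGHT[f.data_class]
    score *= MITIGATION_DISCOUNT ** len(f.mitigations)
    return min(score, 10.0)

def sla_days(score: float) -> int:
    """Assumed remediation SLA buckets keyed on the contextual score, not the base CVSS."""
    if score >= 9.0:
        return 7
    if score >= 7.0:
        return 30
    if score >= 4.0:
        return 90
    return 180

def prioritize(findings):
    """Return (finding, contextual score, SLA days) tuples, highest risk first."""
    ranked = [(f, contextual_risk(f), sla_days(contextual_risk(f))) for f in findings]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample: a "critical" on a segmented internal box behind a WAF
# versus a "medium" on an internet-facing app that holds regulated data.
SAMPLE = [
    Finding("db-batch-01", "VULN-A", 9.8, False, "public", ("waf", "segmented")),
    Finding("portal-web-03", "VULN-B", 5.5, True, "regulated"),
    Finding("hr-app-02", "VULN-C", 7.2, False, "confidential", ("segmented",)),
]

if __name__ == "__main__":
    for f, score, days in prioritize(SAMPLE):
        print(f"{f.asset:14} {f.vuln_id} cvss={f.cvss:<4} context={score:4.1f} sla={days}d")
```

The medium VULN-B lands at the top of the queue with the shortest SLA, while the CVSS 9.8 VULN-A drops to the bottom because of its placement and compensating controls.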
Scorecards
People are often competitive, and at a very basic level, no one wants to look bad in front of their peers and/or leadership. One way to play on this is to track remediation metrics and report out on people’s status by team, business unit, agency, or other appropriate constructs. This does not need to be based on negative reinforcement; you can gamify it and reward the top performers.
There are solutions available today for this purpose, and while this can be a debated approach, the bottom line is that it works, and I’ve heard a lot of you speak to its effectiveness.
Vulnerability Champions — Divide And Conquer
Having someone, such as a BISO, designated as a champion in each area or business unit is another great way to drive results. These individuals can help bridge the gap between the business, IT, and security. They can also spread both the workload and communication requirements.
Also consider holding open office hours. This gives teams the opportunity to ask questions regarding remediation. This is also a great opportunity to support gamification by using the time to deliver awards and announce winners, all with the aim of driving attendance and results.
Ultimately, the goal is to motivate the teams, create champions, and take a realistic, risk-based approach to what you’re asking … unless, of course, you like root canals!
In addition to the research covering influence and motivation, you should also check out Erik Nost’s research on vulnerability risk management!
(written with Zach Dallas)