The CISO’s Roadmap to Purposeful Vulnerability Management

Massive backlogs of unpatched vulnerabilities leave organizations open to damaging breaches. A take-charge approach is essential to getting enterprises on secure footing.

Greg Shanton, Senior Vice President, Cybersecurity Services, Neovera

September 12, 2024


The biggest cybersecurity problem plaguing organizations isn’t awareness of their vulnerabilities; it’s doing something about them.

Security leaders are weighed down by enormous backlogs of unaddressed vulnerabilities. Without the proper tools and resources, these vulnerabilities go unpatched or unresolved, leaving the door open to cyberattacks. Case in point: For 57% of cyberattack victims, breaches could have been prevented by installing an available patch -- and, significantly, 34% were aware of the vulnerability but had not taken any action simply because they wanted to avoid workflow disruptions. 

At the core of this problem is a traditional, reactive approach to plugging security holes combined with a shortage of resources, which has allowed vulnerabilities to proliferate faster than teams can keep up. Knowing you have a vulnerability is one thing; being able to effectively patch or remediate it is something else. To bring the spread of vulnerabilities under control, organizations need to adopt a deliberate, proactive approach to vulnerability management.

Dynamic Vulnerability Management 

In today’s threat landscape, organizations cannot afford to be reactive. Blue teams protecting critical systems must get it right every time -- after all, attackers need to find only one vulnerability to get into your network.


While this is easier said than done, this four-point plan outlines how organizations can drive success with their vulnerability management programs. 

1. Identifying threats  

Detecting security risks before they can be exploited starts with a clear assessment of an organization’s own defensive capabilities. With the help of automated scanning tools, organizations can identify weak or missing authentication practices, outdated software and hardware, and insecure network configurations.  

Authenticated scans provide more accurate information on high-risk vulnerabilities and eliminate a lot of false positives. These can be coupled with an analysis of the external threats -- hackers, malicious actors, and malware -- that are active in the cyber landscape.

2. Risk assessment and prioritization  

Once threats are identified, they must be prioritized based on the business and technical risks they pose.  

Rapid assessments help identify and prioritize potential risks to sensitive information, allowing organizations to protect against unauthorized access, cybersecurity threats, and theft of intellectual property. Through this process, teams measure the risk created by each vulnerability and compare relative threat levels to decide both how to address each vulnerability and in what order.


Prioritization of vulnerabilities can vary depending on the industry your organization operates in or the system in which the vulnerability exists. For example, let’s say a retailer has an XSS vulnerability that allows an attacker to inject malicious scripts into the comment section of its blog that redirect users to phishing sites. While this is problematic, if the retailer has strong mitigations in place, this vulnerability might be considered low risk, as there’s little to no financial or privacy risk.

However, this vulnerability would be prioritized much higher if it were found within a financial services company’s online banking system. This same exploit would allow the attacker to potentially steal session tokens, intercept transactions, or perform unauthorized actions on behalf of the user. This could lead to financial theft and significant loss of trust and reputation for the company. 

Once potential risks and threats have been identified, organizations must determine the appropriate security controls to mitigate them, which includes implementing encryption, access control measures, firewalls, intrusion prevention systems, and more. 
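The retailer-versus-bank comparison above is the whole point of contextual prioritization: the same weakness with the same technical score lands in different priority tiers once business context and existing mitigations are taken into account. The following is an added example, not code from the article or from Neovera; the scoring factors, tier thresholds, the list of controls that mitigate XSS, the CVSS value of 6.1, and the asset and finding identifiers are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Hypothetical scoring model written for this example. The multipliers and tier
# cut-offs are illustrative assumptions, not an industry standard.


@dataclass(frozen=True)
class Asset:
    """Business context of the system the vulnerability lives in (constructed)."""
    name: str
    data_sensitivity: int            # 1 = public content .. 5 = regulated financial/health data
    internet_facing: bool
    handles_sessions_or_money: bool  # user sessions, transactions, account actions
    mitigations: frozenset = frozenset()  # compensating controls already in place


@dataclass(frozen=True)
class Finding:
    finding_id: str      # placeholder tracking id, not a real CVE
    weakness_class: str  # e.g. "xss"
    cvss_base: float     # technical severity on its own, 0.0 .. 10.0
    asset: Asset


# Controls that materially reduce the impact of a weakness class (assumed mapping).
MITIGATING_CONTROLS = {
    "xss": frozenset({"content-security-policy", "httponly-cookies", "output-encoding"}),
}


def contextual_risk(f: Finding) -> float:
    """Combine technical severity with business context into a 0..100 risk score."""
    score = f.cvss_base * 10.0                       # technical severity is the starting point
    score *= 0.5 + 0.25 * f.asset.data_sensitivity   # 0.75 (public) .. 1.75 (regulated data)
    if f.asset.internet_facing:
        score *= 1.2                                 # reachable by anyone on the internet
    if f.asset.handles_sessions_or_money:
        score *= 1.3                                 # here XSS can steal tokens or drive transactions
    applicable = MITIGATING_CONTROLS.get(f.weakness_class, frozenset())
    present = len(applicable & f.asset.mitigations)
    score *= max(0.3, 1.0 - 0.25 * present)          # credit for controls, but never down to zero
    return round(min(score, 100.0), 1)


def tier(score: float) -> str:
    """Map a contextual score onto the remediation queue's priority tiers."""
    if score >= 75:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 25:
        return "Medium"
    return "Low"


def prioritize(findings):
    """Return (id, asset, score, tier) rows, highest contextual risk first."""
    ranked = sorted(findings, key=contextual_risk, reverse=True)
    return [(f.finding_id, f.asset.name, contextual_risk(f), tier(contextual_risk(f)))
            for f in ranked]


# Constructed assets matching the article's scenario: a retailer's blog with strong
# mitigations, and a bank's online banking portal with none recorded.
RETAILER_BLOG = Asset("retailer-blog-comments", data_sensitivity=2, internet_facing=True,
                      handles_sessions_or_money=False,
                      mitigations=frozenset({"content-security-policy", "httponly-cookies",
                                             "output-encoding"}))
BANK_PORTAL = Asset("online-banking-portal", data_sensitivity=5, internet_facing=True,
                    handles_sessions_or_money=True)

# Same weakness class and the same (constructed) technical score on both assets.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "xss", 6.1, RETAILER_BLOG),
    Finding("VULN-0002", "xss", 6.1, BANK_PORTAL),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(row)
```

With these assumptions the banking finding saturates the scale and lands in the Critical tier, while the identical weakness on the retailer's blog scores as Low because the data at stake is not sensitive and three compensating controls apply. The useful property of a model like this is that the technical score is never discarded; it is scaled by context, so a team can explain to an auditor exactly why two findings with the same CVSS score sit in different places in the queue.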


Making these assessments and taking corrective measures regularly -- at least once every six months -- is a good start. However, it’s important to understand that risk assessment is an ongoing process; scanning your environment for risks is an event performed at a single point in time and will only capture the risks present in that moment. Vulnerabilities are constantly evolving, and bad actors don’t keep 9-to-5 hours, so conducting assessments should be a daily process for security teams. Daily risk assessments give teams the visibility to continually understand their business’s security posture and vulnerability risk at any given time.

3. Remediation and response 

Once vulnerabilities are identified and prioritized, those gaps in security -- whether they are unpatched vulnerabilities, unsupported hardware or software, or zero-day vulnerabilities -- must be closed quickly. Remediation may involve applying patches and compensating controls, changing configurations, or even removing compromised elements from the network.  

When tackling remediation and response, a basic tenet to follow is “trust, but verify.” Security teams must test systems end to end to ensure that the new upgrade, patch, or compensating security control will not disrupt business processes. Ask yourself: did I test the systems all the way through? Am I doing everything I can to ensure these fixes will not do as much harm as the vulnerability would have?

4. Continuous improvement  

Securing a network has no finish line. After remediating vulnerabilities, teams must conduct holistic testing to verify that all vulnerabilities have been successfully mitigated and ensure that systems are functioning as expected.  

They also need to document and report the status of vulnerabilities and remediation to ensure compliance, which is critical, particularly in regulated industries like financial services, healthcare, and government. Tracking metrics to identify trends can also help identify ways to improve processes. 
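Documenting remediation status and tracking trends only works if the numbers come from the same tracking data every reporting period. The block below is an added example, not code from the article or from Neovera: it computes per-severity backlog, overdue counts against a remediation SLA, and mean time to remediate from constructed vulnerability records. The SLA day values, the record identifiers, the dates, and the report date of 2024-09-12 are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Remediation SLA in days per severity: assumed policy values for this example.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str              # placeholder tracking id, not a real CVE
    severity: str             # one of the keys in SLA_DAYS
    found: date               # date the scanner or assessment first reported it
    fixed: Optional[date] = None  # None means the finding is still open


def remediation_metrics(records, as_of: date) -> dict:
    """Per-severity backlog and SLA figures suitable for a periodic status report."""
    out = {}
    for sev, sla in SLA_DAYS.items():
        rows = [r for r in records if r.severity == sev]
        open_rows = [r for r in rows if r.fixed is None]
        closed = [r for r in rows if r.fixed is not None]
        # An open finding is overdue once its age exceeds the SLA for its severity.
        overdue = [r for r in open_rows if (as_of - r.found).days > sla]
        fix_times = [(r.fixed - r.found).days for r in closed]
        out[sev] = {
            "open": len(open_rows),
            "overdue": len(overdue),
            "closed": len(closed),
            "closed_within_sla": sum(1 for d in fix_times if d <= sla),
            "mttr_days": round(mean(fix_times), 1) if fix_times else None,
            "oldest_open_days": max(((as_of - r.found).days for r in open_rows), default=0),
        }
    return out


def sla_compliance_pct(metrics: dict) -> Optional[float]:
    """Share of closed findings fixed inside their SLA, across all severities."""
    closed = sum(m["closed"] for m in metrics.values())
    within = sum(m["closed_within_sla"] for m in metrics.values())
    return round(100.0 * within / closed, 1) if closed else None


def report(metrics: dict, as_of: date) -> str:
    """Plain-text summary; the same function run each period makes trends comparable."""
    lines = [f"Vulnerability status as of {as_of.isoformat()}"]
    for sev, m in metrics.items():
        lines.append(
            f"  {sev:<9} open={m['open']} overdue={m['overdue']} "
            f"closed={m['closed']} within_sla={m['closed_within_sla']} "
            f"mttr={m['mttr_days']} oldest_open={m['oldest_open_days']}d"
        )
    lines.append(f"  SLA compliance on closed findings: {sla_compliance_pct(metrics)}%")
    return "\n".join(lines)


# Constructed sample records for the example.
SAMPLE_RECORDS = [
    VulnRecord("VULN-1001", "critical", date(2024, 8, 1), date(2024, 8, 5)),
    VulnRecord("VULN-1002", "critical", date(2024, 9, 1)),                 # open, past 7-day SLA
    VulnRecord("VULN-1003", "high", date(2024, 7, 15), date(2024, 8, 20)),  # closed, but took 36 days
    VulnRecord("VULN-1004", "high", date(2024, 9, 5)),                     # open, inside SLA
    VulnRecord("VULN-1005", "medium", date(2024, 5, 1)),                   # open, long past SLA
    VulnRecord("VULN-1006", "low", date(2024, 6, 1), date(2024, 6, 10)),
]
AS_OF = date(2024, 9, 12)

if __name__ == "__main__":
    print(report(remediation_metrics(SAMPLE_RECORDS, AS_OF), AS_OF))
```

Two figures in this report are worth watching over time rather than in isolation: "overdue" per severity, which is the backlog the article warns about, and "closed_within_sla", which separates teams that fix things from teams that fix things on time. A high finding that was closed in 36 days still counts as a miss against a 30-day SLA, and that is exactly the kind of pattern that points at a process problem rather than a single late ticket.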

The cyber threat landscape moves too quickly for organizations to play catch-up with a reactive approach. Security leaders need to take the initiative on security. Establishing a risk management framework, conducting regular assessments, remediating flaws, and making this a continuous, repeatable process that includes verification and testing are the keys to protecting an organization’s most valuable assets while avoiding costly and damaging data breaches.

About the Author

Greg Shanton

Senior Vice President, Cybersecurity Services, Neovera

Greg Shanton leads Neovera’s cybersecurity professional services and security monitoring teams. Before joining Neovera, he held positions at Broadcom (formerly CA Technologies), including Senior Vice President of North American Professional Services and Global Practices, Vice President of Identity and Access Management, and Global Lead of Cloud Security. His expertise includes information security, cryptography, and software engineering. 
