Intelligent CIO Europe Issue 36 | Page 86

FORTUNATELY, NOT EVERY VULNERABILITY POSES A SPECIFIC RISK TO DATA, DIGITAL ASSETS OR THE ORGANISATION IN GENERAL.
FINAL WORD


Stephen Roostan, VP EMEA at Kenna Security
teams expend considerable effort in trying to fix vulnerabilities that actually pose no risk. While many scanners and application assessment tools are useful for finding potential exposures, the huge lists they often produce can be extremely counterproductive in isolating those that actually matter. How, for instance, do they assess which pose the greatest risk across an organisation’s own unique IT environment? IT and development can’t possibly fix all of them, so which should be addressed first?
Adopting a risk-based approach that provides the right insights tuned to each business means IT doesn’t have to try fixing absolutely everything.
2. Focus on efficiency
Anybody with experience of Vulnerability Management may be familiar with the seemingly endless meetings required to decide which risks to remediate. The conflict this creates can also stand in the way of efficient IT, security and DevOps teams, and outdated tools and processes that can’t assimilate all the incoming vulnerability data or accurately prioritise fixes only add to the sense of inertia.
Determining the specific level of risk for each asset or application involves a vast amount of data. Billions of data points must be correlated and analysed to provide the context necessary to understand the true risk that an asset faces. This is no task for humans. Combining data science and Machine Learning in real time with a Risk-Based Vulnerability Management (RBVM) approach, by contrast, balances multiple factors at once: the relative importance of vulnerabilities, the likelihood that they’ll be weaponised, and their potential impact on assets and applications. This releases security teams from the daily overhead of handing huge lists of vulnerabilities to IT, who in turn can concentrate on the top fixes, which frees up time to work on more strategic tasks in a valuable win-win for all stakeholders in the VM process.
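The kind of prioritisation the column describes can be made concrete with a small scoring model. The following is an added example, not Kenna Security’s product logic or any published RBVM algorithm: the weights, the 1 to 5 asset-criticality scale, the intelligence-feed flags (`exploit_public`, `exploited_in_wild`) and the `VULN-A` to `VULN-E` identifiers are all assumed or constructed for illustration. It ranks findings by likelihood of exploitation multiplied by impact, and shows why the highest-CVSS finding on an isolated, low-value asset is not the first thing to fix.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # assumed scale: 1 (lab box) .. 5 (mission-critical)
    internet_facing: bool  # exposure raises the chance an exploit reaches it

@dataclass(frozen=True)
class Finding:
    vuln_id: str           # constructed placeholder ids, not real CVE numbers
    asset: Asset
    cvss: float            # CVSS base score, 0.0 .. 10.0
    exploit_public: bool   # assumed threat-intel flag: exploit code is public
    exploited_in_wild: bool  # assumed threat-intel flag: observed weaponised

def likelihood(f: Finding) -> float:
    """Assumed probability-of-exploitation model (illustrative weights).

    A vulnerability with no known exploit gets a small baseline; public exploit
    code raises it; observed in-the-wild use raises it further; an
    internet-facing asset multiplies whatever the intelligence says.
    """
    p = 0.05
    if f.exploit_public:
        p = 0.35
    if f.exploited_in_wild:
        p = 0.90
    if f.asset.internet_facing:
        p = min(1.0, p * 1.5)
    return p

def impact(f: Finding) -> float:
    """Severity of the flaw scaled by how much the affected asset matters."""
    return (f.cvss / 10.0) * (f.asset.criticality / 5.0)

def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, scaled to 0..100 for readability."""
    return round(100.0 * likelihood(f) * impact(f), 1)

def score_table(findings: list[Finding]) -> dict[str, float]:
    """vuln_id -> risk score, handy for reporting and for tests."""
    return {f.vuln_id: risk_score(f) for f in findings}

def prioritise(findings: list[Finding], top_n: int) -> list[Finding]:
    """The short list handed to IT instead of the full scanner export."""
    return sorted(findings, key=risk_score, reverse=True)[:top_n]

def risk_covered(findings: list[Finding], top_n: int) -> float:
    """Fraction of total modelled risk removed by fixing only the top_n items."""
    total = sum(risk_score(f) for f in findings)
    top = sum(risk_score(f) for f in prioritise(findings, top_n))
    return top / total if total else 0.0

# Constructed sample inventory: five findings across five assets.
LAB = Asset("lab-build-box", criticality=1, internet_facing=False)
PAYMENTS = Asset("payments-api", criticality=5, internet_facing=True)
PORTAL = Asset("customer-portal", criticality=4, internet_facing=True)
HR_DB = Asset("hr-db", criticality=4, internet_facing=False)
WIKI = Asset("intranet-wiki", criticality=2, internet_facing=False)

SAMPLE_FINDINGS = [
    Finding("VULN-A", LAB, cvss=9.8, exploit_public=False, exploited_in_wild=False),
    Finding("VULN-B", PAYMENTS, cvss=7.5, exploit_public=True, exploited_in_wild=True),
    Finding("VULN-C", PORTAL, cvss=6.5, exploit_public=True, exploited_in_wild=False),
    Finding("VULN-D", HR_DB, cvss=9.1, exploit_public=True, exploited_in_wild=False),
    Finding("VULN-E", WIKI, cvss=5.3, exploit_public=False, exploited_in_wild=False),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS, len(SAMPLE_FINDINGS)):
        print(f"{f.vuln_id}  cvss={f.cvss:<4} asset={f.asset.name:<16} risk={risk_score(f)}")
    print(f"top 2 fixes remove {risk_covered(SAMPLE_FINDINGS, 2):.0%} of modelled risk")
```

Run as-is, the critical-rated `VULN-A` (CVSS 9.8) lands at the bottom of the list because nothing is known to exploit it and the asset is an isolated lab machine, while the medium-rated `VULN-B` on the internet-facing payments service tops it. Fixing just the top two of five findings removes roughly four fifths of the modelled risk, which is the “top fixes” short list the column argues IT should receive instead of the full scanner export. In a real programme the likelihood term would come from a threat-intelligence feed rather than hand-set constants.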
3. Adopt a common definition of ‘risk’
Across the varied IT functions, risk can mean different things to different teams. In security, for example, it often means reducing risk by increasing the volume of patching across vulnerabilities that may be weaponised, even if that causes complications for those working across other functions. Yet, for core IT teams, reducing risk refers to issues that might impact their ability to deliver services to the organisation and its customers.
These two perspectives can often be incompatible, with emphasis on security impacting the workload of the remediation and dev teams. However, adopting a common definition or shared language around risk can help all stakeholders to assess the real likelihood that an exploit will impact high-risk vulnerabilities. Not only does this ensure that RBVM programmes are more efficient, but it balances effort more effectively: security provides accurate, timely analysis that enables IT to prioritise remediation alongside meeting the business needs of the organisation.
4. Take control
A remediation strategy that emphasises effective prioritisation builds a team ethic where everyone involved can trust each other and take control of vulnerability management, instead of clashing. The data-driven approach offered by the best RBVM programmes takes large volumes of real-time external intelligence and combines it with contextual information unique to each IT environment. This reveals not only where vulnerabilities currently exist, but what their specific impact might be within each organisation. By using incontrovertible evidence that can be automatically shared across relevant stakeholders, both security and IT fully understand where to put their time and effort.
5. Embrace agility
It’s not always possible to fix every high-risk vulnerability the instant that it’s discovered. However, organisations must be able to recognise and fix vulnerabilities which sit at the heart of a mission-critical application or customer-facing service to avoid downtime.
This is when organisational agility comes into play. Those teams that are in control of their VM strategy and processes are in a much better position to decide what’s important to fix now, while determining a plan for remediating other vulnerabilities over time. They are also very well placed to implement alternative mitigation strategies for remediating hard-to-fix vulnerabilities when urgency is required.
For many organisations, Risk-Based Vulnerability Management (RBVM) is thankfully delivering an antidote to the ineffective manual processes that have stymied the wider efforts of so many IT teams. By viewing the challenges as a technology-enabled team effort, organisations are able to meet future vulnerabilities head-on and with the confidence that they can focus on the right priorities at the right time.
The future of RBVM will be increasingly defined by meaningful metrics that business leaders can appreciate and will be underpinned by a data-driven process that promotes shared trust between IT and security.