Strive for continuous improvement, instead of perfection
— Kim Collins
The Dragonfly Team attended the Gartner Security and Risk Management Summit held in Sydney 20-21 August 2018 and brought back some excellent forward thinking from the Gartner team on topics of Security and Risk. Among many of the ideas floated, ideas debated, and priorities distilled, the Gartner team provided a great view of what they believed should be top priority Security projects for the next 12 months for all Security and Risk Management Leaders.
In a series of blog pieces, we will be exploring several of these Security projects which we believe will shape our clients strategic view of security and risk over the next 12-18 months. First up, if you can only do one thing in the next 12 months, implement an intelligent approach to vulnerability management as a project.
Before we delve into vulnerability management and why we think it should be a priority, let’s explore a very simple risk and security tenant which was discussed throughout the conference and launched at the keynote presentation – three simple questions:
1. What is important?
2. What is dangerous?
3. What is real?
According to Gartner, by identifying and combining the answers, you can cut through the noise we see a lot in Risk and Security Management. You want to arrive at that middle overlapping intersection.
At this point, it is worthwhile sharing with you why we think vulnerability management is a great piece to focus on. It is a critical component of any security program as, on balance, it’s all about targeting your finite resources to gain greatest risk reduction. We believe this provides you with great bang for your buck, it supports the changing needs of cybersecurity whilst supporting digital business initiatives we are seeing out there and finally, chances are, you already have everything you need to do it well.
Vulnerability Management is critical when considering your Cybersecurity and Risk Management strategies and becoming more so with the continued reliance on digital initiatives to drive business growth. However, the reality is that IT operations cannot keep up with the sheer quantity of vulnerabilities and we are seeing significant increases in vulnerabilities.
So, if we now ask ourselves each of these three questions in relation to our vulnerability management approach, it may look like this -
What is important?
In order to effectively prioritise your activities, first start with what is important and to whom –
What is the business value of the asset you are trying to protect? Is it mission critical? If it were to be compromised, what would happen to the business?
What is dangerous?
We are constantly reminded of the sheer number of vulnerabilities identified but how many of them are actually critical? When you look closer, you may find most of these vulnerabilities are not in fact critical and pose an urgent threat. Just because there is significant media coverage of a particular vulnerability, does not make it critical –
What is the impact of the vulnerability should it remain unpatched? What is the likelihood of this vulnerability being exploited?
In summary, make up your own mind regarding its impact and then address it based on these findings.
Source: IBM X-Force/Analysis: Gartner Research
What is real?
To be able to answer this question, you need to look at your mitigating controls which you have in place – they are in the best position to tell you what is a real threat. Many controls can be applied or retrofitted to legacy systems and applications for systems which cannot be changed. So don’t forget your mitigating controls (IPS, WAF, firewalls and so on) when considering your options.
The reality is that we can’t patch everything but we can significantly reduce risk by risk prioritising our vulnerability management efforts.
When done well, vulnerability management has significant risk reduction potential and will support the business push to drive growth through digital initiatives. This particular approach to vulnerability management can significantly reduce risk by prioritising Risk Management efforts.