Description: These common mistakes and misconceptions could be limiting your vulnerability management to be the best it can.
Multiple breaches, including the 2017 credit reporting agency Equifax data breach, were traced back to unpatched vulnerabilities. A 2019 Tripwire Study discovered that 27% of breaches were due to unpatched vulnerability, while a 2018 Ponemon Study placed the figure at an astonishing 60%.
This shouldn’t be surprising to anyone working in security: Over the past few years, the number of vulnerabilities has increased annually.
Security teams have also been stretched thin due to extra work enabling remote secure work and dealing with other pandemic-related issues while simultaneously managing a staffing crunch.
Therefore, improving vulnerability management programs is not always a priority.
But security chiefs who have been in the field for many years say that they can see the common errors and missteps that need to be corrected to improve these programs. Here are 10 common mistakes CISOs make, they claim.
1. Failure to secure executive support
A good vulnerability management plan requires more than just the security team. Executive input is required for risk decisions, patching requires IT expertise, and scheduled downtime to update impacts multiple business functions.
CISOs must have buy-in from all stakeholders in order to accomplish this task effectively, according to Michael Gray, CTO at managed services provider Thrive.
On the other side, CISOs without executive support can find it difficult to manage their vulnerability management efforts. IT and business units may push back on them about scheduling patches and downtime.
Gray and other CISOs say they are finding the executive support they need as cybersecurity has become a top-level concern. Gartner’s 2021 directors survey found that 88% of boards view cybersecurity as a risk to their business.
2. Fostering a sense of shared accountability
Alex Attumalil (CISO for Under Armour) says that CISOs should not assume responsibility for VM [vulnerability Management]:
CISOs are not responsible for the systems and business functions they support. They also don’t have the authority to decide whether an organization is willing to accept any risk.
“We are not authorized to accept any risk for the company. He says that you need to “blow up the information”. This requires sharing risk with other enterprise leaders, framing vulnerability management as business risk and “enabling” them to be part the solution. They must be aware that they are responsible for any vulnerabilities that their systems create.
Attumalil claims that this approach gives enterprise executives, beyond the vCISO, “a stake in it,” which builds support and collaboration when vulnerability management work like scheduling system downtime for patches.
3. Generic risk prioritization
A recent study by Pulse, a security vendor Vulcan Cyber, found that most of the 200+ responding security and IT executives don’t prioritise vulnerabilities based upon their own risk profiles. The study found that 86% of respondents rely on third party vulnerability severity data to prioritize vulnerabilities. 70% also use third-party threat intelligence.
Security experts warn against this approach. They claim it could lead to CISOs or their teams focusing on the wrong threats.
Kyle Lai, President and CISO at KLC Consulting, which offers cybersecurity advice and vCISO services to U.S. defense contractors recommends a new approach. He suggests that CISOs and their teams need to understand the organization’s technology environment and maintain an updated asset inventory. They also need to understand the company’s risk tolerance and risk appetite so they can identify and prioritize the most serious threats to their enterprise.
They should be able to assess the potential impact of a specific threat and which ones are most serious. He says they should prioritize based on their impact on their organization.
4. Training is not cheap
Bryan Willett, Lexmark International CISO, recognizes that Linux system patching skills are different from Windows patching skills. These skills also differ from the other tasks in his vulnerability management program.
He also stated that the knowledge security personnel need to manage vulnerabilities is different from the IT know-how required to patch the systems.
He says, “So I want these teams to get the training that they need to assume their responsibilities.”
Security leaders warn that not all companies are prepared to provide the education needed to ensure high-quality security and, in particular, robust vulnerability management. Experts believe that organizations underestimate the level of specialization required for vulnerability management tasks or fail to recognize the importance of training workers on specific tools and systems within their organization.
Willett says, “Everyone needs to remember that employees want the right things but we must invest in them to make sure they do the right things.”
5. Failure to track code
The Linux Foundation has found that increasing numbers of organizations use a software bill-of-materials (SBOM), to better understand the code in their systems. The report shows that 47% of organizations are producing or consuming SBOMs, and 78% expect to produce/consume SBOMs by 2022 (up 66% from 2021).
The figures indicate an increase in SBOM use, but they also show that many organizations may not be able to see all the code in their IT environment. Lai claims that this lack of visibility makes it difficult for them to identify vulnerabilities that require attention.
6. Postponing upgrades
While vulnerability management is a difficult task, it can be made more efficient by addressing technical credit. Joe Nocera is the leader of PwC’s Cyber & Privacy Innovation Institute.
Nocera says, “The more I can consolidate on a common stack or retire legacy versions. The less vulnerabilities I have to deal with.” This is why simplification and consolidation are the best way to increase your force multiplier.
Nocera recognizes that addressing technical debt and retiring legacy systems does not eliminate vulnerabilities. However, getting rid of legacy systems can remove some work and help to eliminate systems that cannot be fixe. This reduces risk.
He says that by addressing these issues. Both security teams and their IT counterparts can shift their attention to the remaining priorities. Making the program more efficient and impactful.
Despite the many benefits, many organizations have not made this a priority. The 2022 Endpoint management and security trends report from Action1 Corp. (maker of a cloud-based remote monitoring and management platform). Found that 34% of respondents intend to concentrate on “eliminating legacy software they have replaced by cloud alternatives.”
