Vulnerability management is becoming a standard industry practice and, as such, is written into most regulatory compliance regimes as a quick and easy path to threat remediation. The reality, however, is that most companies are not actually managing vulnerabilities. They are running scans that produce thousands of potential findings. Identifying possible security risks and actually managing them through to remediation are completely different things.
In its common definition, a vulnerability management program sounds like security utopia: buy the right software, implement the proper solution or adopt tougher policies and procedures, and you will be safeguarded from the threats of the outside world. Doesn't that sound nice? There's one problem, though: it doesn't work that way. The term leads companies down a path toward a false sense of security, which is most damaging later, when you need that security most. In fact, it can widen the gap between identification and remediation.
But perception has a way of becoming reality. Mention vulnerability management to prospects and they will almost certainly tell you, predictably and definitively, that they are already "doing it." They may well have some parts of a vulnerability management solution in place. Most companies, however, never go beyond the most lenient compliance standard.
Separating hype from reality and fact from fiction in vulnerability management can be confusing and difficult. Instead of reading an entire binder of documentation, we have come up with a quick and simple self-assessment. I would recommend that everyone charged with IT security in an organization ask themselves these questions on a regular basis. Executives responsible for signing off on company security should also ask these questions of their chief security officer, consistently, and demand definitive answers.
Can you give a definitive “yes” to all of the following questions:
- Do we understand the actual risk?
- Has it been properly fixed?
- Can we validate that the fix has worked?
If the answer to any of these questions was no, or even if you were a little unsure of your response, then you are not fulfilling the function of vulnerability management.
Don't feel bad. The reality is that very few organizations currently practice true management of threats and vulnerabilities; most practice a form of vulnerability identification. That is a step in the right direction, but only the first step on the path to management.
It boils down to three common, but dangerous, mistakes businesses make when it comes to vulnerability management.
1. Vulnerabilities are Not Baseball Cards
Most people believe that if their software is capturing vulnerabilities, collecting them the way kids collect baseball cards, they are safe from the threat. They are not. A mid-sized company may run a monthly scan that returns 10,000 potential findings, yet have little to no visibility into how those issues affect this particular company, only where each one falls on a generic severity scale. They have no insight into how these risks combine, or whether any of them is truly a risk to the organization.
2. Identifying is Not Managing
Just as frightening, threats are typically not being managed; they are simply being identified. It becomes an exercise in moving potential risks around while nothing is actually resolved. Findings are identified and passed along to different groups, without anyone seeing a single one through to remediation. It becomes a game of vulnerability pass-the-buck.
3. Knowing Does Not Mean Patching
All this information ends up going nowhere. CISOs don't fix the perceived threats, or simply don't believe them, and end up shifting information around. There is too much data to process or act upon. No matter how much data you collect or how much analysis you apply to it, an unpatched network remains at risk the moment it is attacked.
When it comes to security, you can scan for vulnerabilities all day long and even convince yourself that you know where the threat is hiding, but until you are able to capture, correlate and contextualize it, and then see it through to a verified fix, it means nothing.
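The three self-assessment questions above (do we understand the actual risk, has it been fixed, can we validate the fix) describe a workflow, not a product. The script below is an added illustration written for this article, not code from any scanner or vendor. It takes a handful of constructed scan findings that all carry the same generic severity score (a CVSS-style base score is assumed), re-rates them with context the scanner cannot know (whether the host is internet-exposed, whether it is business-critical, whether a public exploit exists, all of which are hypothetical inputs standing in for a CMDB and a threat feed), assigns an owner, and only marks a finding closed when a rescan no longer reports it. The weights in `contextual_priority` are illustrative assumptions, not a standard.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    IDENTIFIED = "identified"   # scanner reported it (baseball card collected)
    ASSIGNED = "assigned"       # a named owner holds it
    FIXED = "fixed"             # owner claims remediation
    VALIDATED = "validated"     # rescan confirms it is gone
    REOPENED = "reopened"       # rescan still sees it; the fix did not work


@dataclass
class Finding:
    finding_id: str
    host: str
    check: str        # scanner check name (constructed)
    cvss: float       # the scanner's generic-scale score
    state: State = State.IDENTIFIED
    owner: str = ""


# Constructed asset context, standing in for what a CMDB would supply.
ASSETS = {
    "web-01": {"internet_exposed": True, "business_critical": True},
    "db-01": {"internet_exposed": False, "business_critical": True},
    "kiosk-07": {"internet_exposed": False, "business_critical": False},
}

# Constructed: checks for which a public exploit is assumed to exist.
PUBLIC_EXPLOIT = {"outdated-tls-library"}


def contextual_priority(f: Finding) -> float:
    """Re-rate a finding for this organization rather than for the generic scale.

    Weights are illustrative assumptions: exposure, criticality and a public
    exploit raise the score; an isolated, non-critical asset lowers it.
    """
    asset = ASSETS.get(f.host, {"internet_exposed": False, "business_critical": False})
    score = f.cvss
    if f.check in PUBLIC_EXPLOIT:
        score += 1.5
    if asset["internet_exposed"]:
        score += 1.5
    if asset["business_critical"]:
        score += 0.5
    if not asset["internet_exposed"] and not asset["business_critical"]:
        score -= 3.0
    return round(max(0.0, min(score, 10.0)), 1)


def triage(findings, threshold=7.0):
    """Return only the findings that matter here, highest contextual priority first."""
    ranked = sorted(findings, key=contextual_priority, reverse=True)
    return [f for f in ranked if contextual_priority(f) >= threshold]


def assign(f: Finding, owner: str) -> None:
    f.owner = owner
    f.state = State.ASSIGNED


def mark_fixed(f: Finding) -> None:
    if f.state is not State.ASSIGNED:
        raise ValueError(f"{f.finding_id}: cannot fix an unassigned finding")
    f.state = State.FIXED


def validate(f: Finding, rescan: set) -> State:
    """A fix counts only when a rescan no longer reports the same check on the same host."""
    if f.state is not State.FIXED:
        raise ValueError(f"{f.finding_id}: nothing to validate in state {f.state.value}")
    f.state = State.REOPENED if (f.host, f.check) in rescan else State.VALIDATED
    return f.state


def run_demo() -> dict:
    # Constructed scan output: the same check, the same generic score, three hosts.
    scan = [
        Finding("F1", "web-01", "outdated-tls-library", 6.5),
        Finding("F2", "db-01", "outdated-tls-library", 6.5),
        Finding("F3", "kiosk-07", "outdated-tls-library", 6.5),
        Finding("F4", "kiosk-07", "missing-banner-hardening", 5.3),
    ]
    worth_acting_on = triage(scan)  # identical CVSS, different answers per host
    for f in worth_acting_on:
        assign(f, "platform-team")
        mark_fixed(f)  # the owner reports the patch applied
    # Constructed rescan: web-01 really was patched, db-01 was not.
    rescan = {
        ("db-01", "outdated-tls-library"),
        ("kiosk-07", "outdated-tls-library"),
        ("kiosk-07", "missing-banner-hardening"),
    }
    return {
        "priorities": {f.finding_id: contextual_priority(f) for f in scan},
        "acted_on": [f.finding_id for f in worth_acting_on],
        "outcomes": {f.finding_id: validate(f, rescan).value for f in worth_acting_on},
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the example is the gap between the scanner's view and the organization's: four findings with two generic scores become four different priorities once exposure and criticality are applied, and the kiosk findings drop below the action threshold. Equally important, a finding an owner says is fixed is not closed on their word; `validate` reopens F2 because the rescan still reports it on db-01. That reopened state is the answer to the third self-assessment question, and a program that cannot produce it is identification, not management.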