By Diana Buccella Modified April 17, 2020
IT and security professionals say that one of their biggest challenges is ensuring that their executive team has visibility into their organization’s cybersecurity realities. While responsibility for security increasingly resides in the C-suite, many executives want to rely on compliance audits alone to assure themselves that corporate and customer data is safely locked away. Often, it’s a classic head-in-the-sand approach to risk management.
When an expensive and embarrassing breach occurs, those same executives can face serious consequences, including fines into the hundreds of millions of dollars. Organizational executives cannot rely on simple devices such as vulnerability scanners to ensure protection. No matter their size or industry, enterprises need a robust, comprehensive approach to risk management.
By moving beyond the scanner, you can automate processes to remove the burden of manipulating and making sense of data through an inefficient, manual system.
Scanning tools provide you with the IP address data tied to vulnerabilities, but they don’t relate it to higher-level functions. People have to do that. When dealing with security, people are nearly always your weakest link. The more you can rely on automation to collect, store, manage, clean, sort, and secure data, the safer your information will be. A tighter, cleaner security program will hang more of that responsibility on a fast, efficient robot and less on an error-prone human.
Scanners don’t provide you with the real-time, meaningful data you need to understand what assets these vulnerabilities are tied to, and thus, which need to be addressed.
Data is only valuable when you know how to act on it. Vulnerability scanners produce a large volume of data, but it’s often poor quality and too much to sort through, meaning you can’t easily figure out what needs shoring up and what’s probably fine. This approach leaves you trying to secure every item in the system instead of prioritizing the most critical and potentially serious ones.
By growing beyond reliance on a vulnerability scanner, you can provide this real-time data to your executives in comprehensive reports whenever they ask for it. Nobody will have to wait for all the numbers to be manipulated from Excel into a report at the month’s end anymore.
Scanners don’t tell you what to prioritize – just how to patch a vulnerability and with what patch.
An effective vulnerability management program starts with knowing what to prioritize. You can’t secure everything, and you don’t need to. But a vulnerability scanner will have you trying to do just that, potentially leaving gaping holes in the firewall while you worry over trivial vulnerabilities.
Not all vulnerability metrics matter. Some are critical, and some are not. Knowing the context of the vulnerabilities you identify allows your team to score each one according to pre-determined criteria, thus prioritizing the most important soft points in your system. Having real-time data and proper prioritization, which a vulnerability scanner doesn’t provide, will help reduce the risk of exploitation.
Your IT team needs to know which vulnerabilities should be prioritized today so they don’t get exploited tomorrow. You can’t focus on everything, so you need to focus on the right vulnerabilities. Using a risk scoring system along with a database connector can give you ample advance warning to patch your systems for specific, urgent vulnerabilities prior to an outbreak.
As a security team leader, you need to know how you are doing in each business unit. You have to answer questions such as: How quickly are we remediating the vulnerabilities? How many vulnerabilities have we remediated this month? Which ones are overdue for which patches? How many vulnerabilities are not getting patched within three months and/or are not meeting their internal SLAs?
Currently, you may be reporting on those questions using a manual reporting process from your scanner’s data, spreadsheets, and data manipulation, then putting together slides to show all that to your management team. It’s time consuming and dated before it hits the executive conference table.
Often, there are good reasons why you can’t patch, or can’t patch quickly enough to meet your SLAs. Scanners may not accurately report your vulnerabilities, causing you to waste resources and time patching the same vulnerability.
Sometimes you don’t even want to patch. Take false positives, for instance. A vulnerability scanner treats each virtual IP address as a separate asset, so several reported “assets” may actually be tied to just one asset; you may then patch both, which is redundant.
Alternatively, multiple IP addresses could be tied to one asset, and since scanners report by IP address, they can flag multiple assets when in reality there’s only one. This skews the reporting, making it seem like you have more vulnerabilities than you actually do.
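As an added illustration (not Resolver’s code or anything from the original post), the following Python sketch shows the asset-level view described above and the SLA questions raised earlier: scanner rows keyed by IP address are collapsed onto the asset they belong to, scored by CVSS weighted with business criticality, and checked against a three-month SLA. The scan rows, the IP-to-asset inventory and the criticality values are all constructed for the example.

```python
from datetime import date

# Constructed sample scan output, keyed by IP address as a scanner reports it.
# 10.0.0.5, 10.0.0.6 and the virtual IP 10.0.0.100 all front the same host, so
# a per-IP view shows three copies of VULN-001 where there is really one.
SCAN_ROWS = [
    {"ip": "10.0.0.5",   "vuln": "VULN-001", "cvss": 9.8, "first_seen": date(2020, 1, 2)},
    {"ip": "10.0.0.6",   "vuln": "VULN-001", "cvss": 9.8, "first_seen": date(2020, 1, 9)},
    {"ip": "10.0.0.100", "vuln": "VULN-001", "cvss": 9.8, "first_seen": date(2020, 2, 1)},
    {"ip": "10.0.1.20",  "vuln": "VULN-002", "cvss": 5.3, "first_seen": date(2020, 3, 30)},
    {"ip": "10.0.1.20",  "vuln": "VULN-003", "cvss": 7.5, "first_seen": date(2020, 4, 10)},
]

# Hypothetical asset inventory reached through a "database connector": every
# address, virtual ones included, maps to one asset with a business criticality.
IP_TO_ASSET = {"10.0.0.5": "web-01", "10.0.0.6": "web-01",
               "10.0.0.100": "web-01", "10.0.1.20": "hr-db"}
CRITICALITY = {"web-01": 3, "hr-db": 5}  # 1 = low value, 5 = crown jewel


def dedupe_by_asset(rows, ip_to_asset):
    """Collapse per-IP rows into one finding per (asset, vuln).

    The earliest first_seen wins, so rediscovering the same flaw through
    another address does not reset the remediation clock.
    """
    merged = {}
    for row in rows:
        asset = ip_to_asset[row["ip"]]  # KeyError here means an unknown asset
        key = (asset, row["vuln"])
        if key not in merged or row["first_seen"] < merged[key]["first_seen"]:
            merged[key] = {"asset": asset, "vuln": row["vuln"],
                           "cvss": row["cvss"], "first_seen": row["first_seen"]}
    return list(merged.values())


def risk_score(finding, criticality):
    """CVSS weighted by asset criticality: same flaw, different urgency."""
    return finding["cvss"] * criticality[finding["asset"]]


def prioritize(findings, criticality):
    """Work order for the team: highest business risk first."""
    return sorted(findings, key=lambda f: risk_score(f, criticality), reverse=True)


def sla_breaches(findings, today, sla_days=90):
    """Findings still open longer than the internal SLA (three months here)."""
    return [f for f in findings if (today - f["first_seen"]).days > sla_days]
```

Note that keeping the earliest sighting matters: dated from the last rediscovery on 2020-02-01 the web-01 finding would look inside its SLA, while dated from 2020-01-02 it is correctly reported as overdue.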
It’s important to focus your team on more meaningful tasks that directly impact the business and help efficiently manage risk. If you are relying on a vulnerability scanner, you and your team are probably spending a lot of time doing manual data manipulation and report creation. You could be spending that time doing something more productive such as identifying real and urgent vulnerabilities and preventing or patching them.
Get your team out of the task-based job of doing daily reporting work. Instead, put your staff members to work helping the business prioritize security activities, remediate, and better understand false positives.
To be effective stewards of security, your C-suite team needs clear insight into where your threats are, how they would affect the business if exploited, and how they can enable your team to address these risks more effectively.
The time, effort, and budget required to search, find, and implement a new tool is well worth it. Don’t settle for just scanner data. It’s a manual, time-consuming method that will become less and less efficient and effective as breaches become more frequent.
Resolver helps industry-leading companies protect themselves against cyber breaches by prioritizing on a risk-based approach to threat and vulnerability management.