Are You Practicing Good Vulnerability Management?

Hilda Perez, president and co-founder, Brinqa
As cyber threats grow, CIOs need to make sure they’re coordinating how their companies respond.

It’s the latest buzzword among IT professionals—vulnerability management—and with good reason, says Hilda Perez, president and co-founder of Austin, Texas-based Brinqa.

Perez spoke with StrategicCIO360 about rising threats and their impact, the difference between “mature” and “immature” cyber programs, and how to get a good ROI on your cybersecurity tools.

What is vulnerability management and why should it be on the radars of CIOs across industries?

Essentially, it’s the work that goes into assessing, prioritizing and assigning ownership of the vulnerabilities detected within enterprise systems. The importance of this aspect of the job has grown over the past decade or so because enterprise system development and cloud adoption has outpaced security team growth.

While a continuous integration and continuous deployment approach means more agility and functionality, it also means bigger attack surfaces with more unknowns and more vulnerabilities. Naturally, teams feel the need to conceptualize this growth, which fueled the proliferation of detection tools. Nowadays, most organizations leverage dozens of them to ensure they don’t miss any potential threats, but the utility of detection tools stops there. 

Detection is only the beginning of the process. Once they know about a vulnerability, security teams still need to:

1.  Assess the threat to determine its potential impact.

2.  Assign ownership internally.

3.  Communicate the associated risks to the broader business in a way they understand.

4.  Remediate the threat.

Yes, detection is a critical part of the cybersecurity puzzle—and it’s getting more complicated by the day—but it’s far from the only step, and broader leadership teams often fail to understand that. CIOs empower cybersecurity teams to elevate their function across the business so these teams can communicate threats in a way the business understands. Doing so effectively relies on having a unified view of risk across the enterprise—and vulnerability lifecycle management sits at the heart of that.

How does vulnerability management fit into overall business strategy?

Vulnerability management strategies must support the business’s goals. Every time. That’s the difference between mature and immature cyber programs. Immature programs rely solely on industry standards, best practices, and even point solutions to guide their approach without considering the specific needs of the business they support. Mature programs understand the business first and design their approach to management and remediation around that.

However, there does need to be a level of give and take. Security teams must feel empowered to raise the alarm when necessary, but doing so depends on their ability to communicate risk in terms leaders understand. As such, the people defining business strategies and those running vulnerability management programs need to be open to ongoing conversations so both groups understand what’s motivating decisions for the other. CIOs sit at the heart of this endeavor as they are the link between the two groups.

What are the biggest pain points for CIOs when maintaining their security posture?

Decentralization, no question. Context is critical when assessing whether processes are effective, and it can only come from integrating data. Currently, most companies are using an ad hoc ecosystem of monitoring tools that feed into separate systems of record to identify and review vulnerabilities. Given the number of tools, which easily could reach hundreds, it becomes overwhelming to keep up with all of them.

The average company has more than 70 different detection and monitoring programs running at any given time. That creates a lot of noise, especially when there’s no integration. Without a centralized platform, there’s no way to contextualize each threat—and these teams are inundated with threats—in relation to all the rest of the threats or assess its potential impact on operations.

Frankly, many companies don’t even know what they’re “maintaining” because they don’t have an accurate baseline. Developing that baseline is the key to not only maintaining but maturing security posture as attack surfaces continue to grow.

In challenging economic times, how can CIOs ensure ROI on their existing cybersecurity tools and programs?

Monitoring is a crucial part of lifecycle management, and many companies are doing great work in this regard. They’ve made significant investments in monitoring and alert tools, which lays the groundwork for a holistic approach.

The next step is consolidating and standardizing the information these disparate platforms collect. Doing so helps CIOs and security teams better understand where their program currently stands so they can figure out which tools they’re putting to good use, which could be used more effectively, and which they may be able to phase out of their system.

If, for example, one tool only produces redundant alerts relative to the others, it’s likely not contributing to security in a meaningful way. But the only way to know if that’s the case is to integrate all this information into a unified platform.

Finding ways to automate these processes is also critical. Systems will continue to grow, as will the prevalence of CI/CD pipelines. At the same time, attackers’ methods will change and evolve to circumvent new cyber protocols.

Any way you slice it, that means more alerts and more administrative work for IT teams. Automating the consolidation, standardization, prioritization, assignment and tracking of remediation responsibilities will help teams refocus on what matters: acting quickly and strategically to limit exposure.
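The pipeline described across the answers above (assess, assign ownership, communicate and remediate; consolidate disparate scanner output; spot tools that only produce redundant alerts; and expose the missing asset baseline) can be sketched in code. The block below is an added example written for this page; it is not Brinqa's product code or anything from the interview. The three scanner output formats, the asset inventory, the hostnames, the CVSS values, the severity-word-to-score mapping and the exposure weights are all constructed or assumed for illustration; only the CVE identifiers are real.

```python
"""Consolidate, deduplicate, prioritize and assign vulnerability findings.

Added example (not Brinqa's or StrategicCIO360's code). Scanner formats,
hosts, owners, CVSS values, severity mapping and exposure weights below are
constructed/assumed sample data; the CVE IDs are real but the scores are
simply what the constructed scanner output reports.
"""
from collections import defaultdict
from dataclasses import dataclass

# --- Constructed input: three scanners, each with its own output schema -----
SCANNER_FEEDS = {
    "scanner_a": [  # hostname + CVE + numeric CVSS
        {"host": "web-01.corp.example", "cve": "CVE-2021-44228", "cvss": 10.0},
        {"host": "db-02.corp.example", "cve": "CVE-2014-0160", "cvss": 7.5},
        {"host": "legacy-09.corp.example", "cve": "CVE-2017-0144", "cvss": 8.1},
    ],
    "scanner_b": [  # mixed-case asset, lowercase ID, severity words only
        {"asset": "WEB-01.CORP.EXAMPLE", "vuln_id": "cve-2021-44228", "severity": "critical"},
        {"asset": "db-02.corp.example", "vuln_id": "CVE-2022-22965", "severity": "critical"},
    ],
    "scanner_c": [  # score delivered as a string
        {"target": "web-01.corp.example", "id": "CVE-2021-44228", "score": "10.0"},
    ],
}

# Constructed asset baseline: who owns what and how exposed it is.
# legacy-09 is deliberately absent to show an inventory gap.
ASSET_INVENTORY = {
    "web-01.corp.example": {"owner": "platform-team", "exposure": "internet"},
    "db-02.corp.example": {"owner": "data-team", "exposure": "internal"},
}

# Assumed mapping for scanners that only emit severity words.
SEVERITY_TO_CVSS = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0}
# Assumed exposure weights; an asset missing from the inventory is treated as
# internet-facing until the baseline says otherwise.
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0, "unknown": 1.5}

# Per-tool field names, so each scanner's schema is normalized in one place.
FIELD_MAP = {
    "scanner_a": ("host", "cve", "cvss"),
    "scanner_b": ("asset", "vuln_id", "severity"),
    "scanner_c": ("target", "id", "score"),
}


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    tools: set


def normalize(tool: str, raw: dict) -> Finding:
    """Map one raw scanner record onto the common schema."""
    asset_f, id_f, score_f = FIELD_MAP[tool]
    score = raw[score_f]
    if isinstance(score, str) and score.lower() in SEVERITY_TO_CVSS:
        cvss = SEVERITY_TO_CVSS[score.lower()]
    else:
        cvss = float(score)
    return Finding(raw[asset_f].lower(), raw[id_f].upper(), cvss, {tool})


def consolidate(feeds: dict) -> dict:
    """Deduplicate on (asset, vuln_id); keep the highest score and every reporting tool."""
    merged = {}
    for tool, records in feeds.items():
        for raw in records:
            f = normalize(tool, raw)
            key = (f.asset, f.vuln_id)
            if key in merged:
                merged[key].cvss = max(merged[key].cvss, f.cvss)
                merged[key].tools |= f.tools
            else:
                merged[key] = f
    return merged


def prioritize_and_assign(merged: dict) -> list:
    """Score each unique finding by CVSS and exposure, attach an owner, flag inventory gaps."""
    report = []
    for f in merged.values():
        info = ASSET_INVENTORY.get(f.asset)
        exposure = info["exposure"] if info else "unknown"
        report.append({
            "asset": f.asset,
            "vuln_id": f.vuln_id,
            "priority": round(f.cvss * EXPOSURE_WEIGHT[exposure], 2),
            "owner": info["owner"] if info else "UNASSIGNED",
            "inventory_gap": info is None,
            "reported_by": sorted(f.tools),
        })
    return sorted(report, key=lambda r: r["priority"], reverse=True)


def redundant_tools(merged: dict) -> set:
    """Tools whose every finding was also reported by at least one other tool."""
    unique_by_tool = defaultdict(int)
    all_tools = set()
    for f in merged.values():
        all_tools |= f.tools
        if len(f.tools) == 1:
            unique_by_tool[next(iter(f.tools))] += 1
    return {t for t in all_tools if unique_by_tool[t] == 0}


def run(feeds: dict = SCANNER_FEEDS) -> dict:
    """Full pass: consolidate, prioritize, assign, and report redundant tools."""
    merged = consolidate(feeds)
    return {
        "raw_count": sum(len(r) for r in feeds.values()),
        "unique_count": len(merged),
        "report": prioritize_and_assign(merged),
        "redundant_tools": redundant_tools(merged),
    }


if __name__ == "__main__":
    result = run()
    print(f"{result['raw_count']} raw findings -> {result['unique_count']} unique")
    for row in result["report"]:
        print(row)
    print("tools producing only redundant alerts:", result["redundant_tools"])
```

On the constructed input, six raw alerts collapse to four unique findings; the Log4Shell finding on the internet-facing host ranks first, the unknown `legacy-09` host ranks second and is flagged as an inventory gap with no owner, and `scanner_c` is reported as redundant because everything it found was already covered by another tool. In a real deployment the inventory and exposure weights would come from a CMDB or asset service, and the priority function would also fold in exploit availability and business criticality.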

How can CIOs empower cybersecurity teams to prioritize and effectively communicate risk across their organizations?

CIOs are the bridge between the technical minds keeping systems afloat and the business-outcome-focused minds doing the same for the company. The best thing they can do is champion security teams’ interests in the C-Suite, and that task starts with listening to and learning from their staff. They also need to embrace human-centric security and communicate the necessity of the task to others, as cyber is no longer just the responsibility of IT teams.

Doing so will help CIOs better understand the realities modern security professionals face and the investments they believe will help them succeed in an increasingly complex cyber landscape. Then, CIOs need to find ways to contextualize that feedback within the company’s operational goals so their executive counterparts share that understanding.
