The Current Landscape of Vulnerability Management
If you work in cybersecurity, you already know that vulnerability management is getting more and more complex.
The number of vulnerabilities is on the rise, and their severity is increasing. The Tenable Research Vulnerability Intelligence Report sheds light on the 15,038 vulnerabilities disclosed in 2017, the majority of which were rated high or critical under the industry-standard Common Vulnerability Scoring System (CVSS).
And 2018’s trends are even more sobering: According to the National Vulnerability Database (NVD), 16,500 new vulnerabilities were disclosed that year.
As an organization’s attack surface grows, so too do the volume and severity of vulnerabilities.
Given the burgeoning complexity of IT infrastructure – with DevOps practices, cloud, containers and microservices becoming more mainstream, and IoT devices on the rise – vulnerability management can feel akin to working inside a pressure cooker.
According to a 2018 survey conducted by the Ponemon Institute, only 29% of organizations report having sufficient visibility into their attack surface.
Plus, organizations are facing shortages in resources and talent. Fifty-eight percent say shortages in skilled staff affect their ability to scan for vulnerabilities in a timely manner, and 51% are bogged down by manual processes and insurmountable backlogs.
With an insufficient picture of your organization’s vulnerability landscape and a scarcity of resources, how can you adequately scan for vulnerabilities and assess cyber risk, let alone satisfy C-suite and board members who need to understand cyber risk in relatable business terms? (It’s enough to make anyone’s head explode.)
Given this landscape, prioritization has become the key challenge for security professionals. It’s what sets apart mature IT organizations, and it gives you the competitive edge you need to effectively mitigate risk in today’s era of digital transformation.
Guesswork, intuition, and relying on manual, outdated practices just won’t cut it.
Digging into the Importance of Prioritization
Most organizations recognize that a prioritization plan is necessary. Without a plan, you’ll face a dizzying amount of work, essentially making near-random judgments on what to fix first. But an inability to effectively prioritize vulnerabilities means more than miscalculating how to spend your time, of course.
The Ponemon report reveals that 91% of organizations have experienced at least one damaging cyberattack over the last two years, resulting in significant downtime for the business, forfeiture of sensitive customer or employee information, theft of business-critical information, or fines and/or lawsuits due to non-compliance.
It’s common for organizations to prioritize based on the lowest-hanging fruit. These workflows aren’t inherently bad, but tend to overlook the true risks to your business. For example:
- Remediating every vulnerability with a CVSS score of 7.0 or higher means you’ll address some of the most critical vulnerabilities, but you’ll soon be overwhelmed by the sheer volume of risks. If everything is a five-alarm fire, nothing is.
- Fixing what’s easiest to patch drives real (and sometimes imagined) productivity, but misses the point: Easiest doesn’t mean likeliest.
- Tackling the newest threat first can seem advantageous, particularly when CISOs and CIOs are under pressure from customers, investors or the media. But getting caught up in reactionary work means stripping time and resources from other, often more important, work. And the newest threat usually doesn’t equal the likeliest.
It’s not all doom and gloom, though. You can build an effective prioritization plan – one that takes an informed, risk-centric view, and protects your organization from cyberattack.