It's not a secret that most companies are not great at security and specifically at fixing vulnerabilities. This problem has been around for decades and it is here to stay.
Recently the NCC Group, a leading cyber security company, analyzed nine years of vulnerabilities discovered by its team and found that only 26% were classed as "closed", meaning they were either fixed or dismissed once the risk was accepted. Even though we all expected something like this, 26% is still a very low figure.
Why are companies not able to 'close' vulnerabilities in time? Are they not willing to?
Almost every company is afraid of a major cyber attack, data breach or corporate espionage (at least I choose to believe so), but most of their efforts do not necessarily translate into the message "YOUR SECURITY IS OUR MAJOR CONCERN".
There are various reasons why vulnerabilities might not be 'closed' in a timely manner; here are some of them:
- Asset owners are concerned about changes - "What if the application fails?"
- IT inventory is not updated - "I cannot find that server in the CMDB!!!"
- Assets do not have owners - "Who should make the decision on patching?"
- No vision for risk management - "And then what if the code can be exploited remotely? Isn't the application designed to run code?!"
- Vulnerability management process not defined - A: "Any idea when the deadline is for fixing the Medium vulnerabilities?" B: "No clue! Probably we should be ready for the pentest next year"
- There is no support from top-management - "They prefer to buy a Lambo, rather than investing in security..."
Do you see the pattern?
From the perspective of an information security role, it might seem that things do not work as intended because of issues in other departments: their processes, lack of direction and/or lack of cooperation. That might well be true, but if you are a passionate security guy or girl you know that "if there is no instant fix then there is a workaround".
Let's categorize the situations listed above and think about how we can get them "fixed" or find a "workaround".
| Situation | Category | Commentary |
|---|---|---|
| Asset owners are concerned about changes | Risk | If the business prefers not to change anything while accepting a high-level risk, then they do not fully understand the risk, because a sane person will not accept the risk of a potential data breach caused by RCE. |
| IT inventory is not updated | Process | IT inventory management is a process that should be followed thoroughly, as it is the core resource for managing Information Technologies. Processes are based on the strategy of IT management, and strategy is based on the vision of top-management. |
| Assets do not have owners | Process | This again comes down to IT inventory, and also to the vision of asset ownership that should be established in a company. |
| No vision for risk management | Risk | If leaders do not define what they want to achieve by establishing a risk management program (vision) and do not properly communicate it across different levels, then the whole risk culture is destined to fail. |
| Vulnerability management process not defined | Process | When it comes down to vulnerabilities, timing and treatment are important. It is also important to define the simplest and most precise communication plan possible (we do not want technical teams to second-guess the prioritization of vulnerabilities). |
| There is no support from top-management | Risk | Without support from top-management it is difficult to achieve anything. In my experience, one of the best ways of getting support is talking in the language of risks. |
The table above gives us a categorized view of the main issues that prevent vulnerabilities from being fixed, and thus two main categories: "Process" and "Risk". Let's dive deeper behind the scenes to see why risk communication and processes are important.
Information Security in a corporate environment is not an easy thing to do; it requires a combination of various personal and professional traits together with the vision of top-management, the board, investors and the C-suite. After all, they are the ones who should invest in security (finances, time or processes), therefore it's crucial to get their support. Oftentimes these stakeholders are not fully informed about the type of technology, policies, development or governance that may boost specific aspects of information security, which delays decisions.
Furthermore, one might get a helping hand from top-management, but in order to actually implement ideas it is important to convince business owners, technical owners and other stakeholders in middle management. Why? Because these people will be the ones making decisions about change management, and you do not want to be running to top-management for help every time they accept a high risk (you will not look professional... guaranteed).
So to sum it up we need to Get Support (top-management) and Make it Work (middle management).
For me the best way of Getting Support is communicating with top-management in terms of business risks. This means that Information Security leaders should translate technical risks into something that is more understandable. Imagine yourself in the place of a person in top-management who lacks a technical background and wants to make decisions with confidence. From that point of view it's hard to grasp the idea of changing something that has been working for so long. But if one talks with them in the language of business, e.g. "our competitors are quickly responding to incidents and thus building a better bond and trust with customers, which is reflected in their growth over the past year", then all of those vulnerabilities and technical difficulties might make sense (of course this is just one simple example that might not work in every case, but feel free to play around with similar terminology). Try to always push on the weakest spots: finances, fines, competitors, legal consequences.
If we manage to successfully Get Support it would be a great success, but do not stop there, because you need to implement and execute your ideas, in this case convincing middle-management (this might vary per organization) to avoid the risk by fixing vulnerabilities.
Well... you might think that if top-management made a decision then it will be as they said, and that is very close to reality, but the quality of execution depends on middle management. So if you, as a security leader, want to build a simple and flexible information security program, your success will depend on the quality of execution; this is where Make it Work comes into play.
The next step, Make it Work, sounds easy but it is not a road that will bring you much love and respect from middle management; you will walk a path full of obstacles. Therefore you need to be sharp, attentive and influential. Now, influence is the key, but the way you exert it will vary per individual and organization. In general I think it's useful to simply answer the questions "what's in it for him/her?" and "how can a realized risk affect their asset?".
Before sending out that nicely drafted email to middle management, take your time to discard it, pick up the phone (or other voice/video communication medium) or have a small real-life chat with the person of interest.
- Use voice
  - Voice is what makes a huge difference, because it is a better way to transfer ideas the way they were meant to be comprehended.
- Praise the skills
  - Another important step is to emphasize the good managerial skills that the middle management has and provide examples of how well they handled that past incident; this will boost their confidence.
- Empathize
  - Try to empathize with the person; after all, they are not insane for accepting high-level risks, they will have some explanation for this. Try to put yourself in their shoes and see behind the curtains.
- Vision & Strategy
  - Explain why you are pushing for fixing vulnerabilities, what problem you are trying to solve and how. Emphasize the importance of your efforts and ask for their assistance in achieving common goals.
- Be specific
  - Tell them exactly how they can help and when. Do not just direct them to policies that you have written; chances are they will be bored... [I will write more about this later].
Of course the situations above might differ from your organization or culture, and I do not have (nor should you have) the illusion that the tips above will solve your problems with vulnerability management; however, I hope that they might provide at least a small amount of value.
All of the above is probably one of the additional reasons why I love this field and information security leadership: you might have all the technical skills in the world, you might be a great manager, but it takes personal abilities, dedication, strong vision and strategy to succeed.