Vulnerability management is one cybersecurity topic that gets kicked into the long grass by decision-makers, operations and frontline staff alike.
Vulnerability management is a critical component of any organisation’s overall security posture. Yet many boards still do not fully understand why investing in this area matters. It is time for senior management to take charge and make vulnerability management a top priority: the stakes are too high.
Five misconceptions to uproot
Penetration testing, automated vulnerability scanning, bug bounty programmes and similar services crowd the market. Each can be a valuable component of a comprehensive vulnerability management programme, but none of them is a substitute for one. Paying for the annual technical audit because a certification demands it, or fixing the occasional vulnerability reported by a so-called “ethical hacker”, are symptoms of shying away from sustainable vulnerability management.
The board struggles to understand the challenge at hand because of the following half-truths:
- Vulnerability management is a one-time task. Many organisations view vulnerability management as a periodic requirement. In reality, it is a continuous process that requires constant monitoring and maintenance.
- Vulnerability scanning is enough. A scanner reports the known vulnerabilities its signatures can recognise, on the assets it can reach. That information is helpful, but it is neither complete coverage (unknown assets, unsupported platforms and logic flaws go unreported) nor a remedy: the scanner finds the symptom, and someone still has to analyse, prioritise and fix the root cause.
- Only Internet-exposed assets or websites need checking: both internal and external systems must feature in vulnerability management. In the past, a website, a server and a few hosts were running on bare metal in a nearby data centre. Today, service infrastructures encompass extended cloud-native environments, code repositories and container images, to name a few.
- Patches will fix all problems: patches are necessary, but a patch fixes one known flaw in one component. It does not correct misconfigurations, design weaknesses or the process gaps that let the flaw reach production, it may be incomplete, and it may break something else, which is why patching must be verified rather than assumed to have closed the issue.
- Vulnerability management is IT’s responsibility: It should involve input and collaboration from multiple departments, including security, risk management, and compliance.
What does sustainable vulnerability management look like?
Organisations that prioritise vulnerability management can both meet regulatory requirements and maintain a secure operating environment. The process starts with identifying the vulnerability and analysing its severity and exposure in context. Developing the fix, testing it and deploying it, then verifying that the vulnerability is actually closed, are equally essential. Running this process end to end requires collaboration.
Thus, vulnerability management should be a cross-functional effort involving multiple departments and stakeholders, including:
- IT security: To ensure timely and dynamic protection of data and systems.
- Risk management: To identify and assess potential threats to the organisation.
- Compliance: To meet regulatory requirements and industry standards. HIPAA and FISMA in the US, GDPR and the NIS2 Directive in the EU are some of the most prominent legal frameworks that require organisations to assess and address vulnerabilities: NIS2 names vulnerability handling explicitly among its risk-management measures, while GDPR frames the obligation as regular testing and evaluation of the effectiveness of security measures.
- IT operations: To manage the deployment and maintenance of systems (assets deployed across diverse and distributed infrastructures).
- Business units: To ensure that vulnerabilities or remediation efforts do not disrupt business operations or compromise customer data.
Ultimately, the responsibility for vulnerability management must be owned by the organisation’s leadership and assigned to the appropriate individuals or teams that have the resources and expertise to carry out the task effectively.
How the board can incentivise sustainable vulnerability management
In a nutshell, the board sets the conditions for the organisation to prosper, and the cybersecurity function protects that prosperity. Under that umbrella, vulnerability management addresses the weaknesses, mishaps (deliberate or otherwise) and anomalies that can harm the organisation and its development.
Vulnerabilities are a continuing concern and can interrupt business operations, resulting in downtime, lost revenue, and lower customer satisfaction. Besides, failing to comply with evolving policies and legislation on vulnerability management can result in penalties and legal ramifications. It is thus a matter for the board to encourage sustainable vulnerability management.
So, here are a few ideas on how the board can encourage sustainable vulnerability management:
- Allocate resources. The board should approve the budget and resources for vulnerability management, including workforce, tools, and training. This investment will ensure that the organisation has the resources necessary to create and maintain a robust vulnerability management programme.
- Establish and foster goals and metrics. The board should make vulnerability management a performance metric for senior management and IT personnel. Clear goals and metrics, such as the share of findings fixed within the agreed deadline for each severity, the size and age of the open backlog and the mean time to remediate, ensure the topic receives the attention it deserves. They allow fact-based decisions and the reallocation of resources and time according to need. Regularly reviewing progress against them, and the obstacles behind missed targets, holds senior management accountable.
- Lead by example. The board should educate its members on the importance of vulnerability management, the risks associated with neglecting it, and the steps the organisation takes to address these risks. By doing so, the board also supports cybersecurity and business lines in meeting diverse regulatory obligations and avoiding penalties.
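To make the goals-and-metrics point concrete, here is an added example (not code from the original article) that computes the figures a board would review from a list of findings: per-severity volume, open backlog, findings past their deadline, compliance with the remediation deadline, and mean time to remediate. The deadlines in SLA_DAYS and the findings in SAMPLE are assumed values constructed for illustration; a real programme would load findings from its scanner or ticketing system and set deadlines in its own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Remediation deadlines (days from discovery) per severity. These figures are
# assumed for the example; an organisation fixes its own in policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding as a scanner or pentest report would record it."""
    asset: str
    severity: str                  # one of SLA_DAYS' keys
    discovered: date
    fixed: Optional[date] = None   # None means the finding is still open

    @property
    def deadline(self) -> date:
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])

    def age_days(self, today: date) -> int:
        """Days from discovery to the fix, or to today if still open."""
        return ((self.fixed or today) - self.discovered).days

    def is_overdue(self, today: date) -> bool:
        """Still open and past its deadline: the number the board should see."""
        return self.fixed is None and today > self.deadline


def remediation_metrics(findings: List[Finding], today: date) -> Dict[str, dict]:
    """Per-severity figures: volume, backlog, overdue count, SLA compliance, MTTR."""
    metrics: Dict[str, dict] = {}
    for sev in SLA_DAYS:
        group = [f for f in findings if f.severity == sev]
        open_ = [f for f in group if f.fixed is None]
        closed = [f for f in group if f.fixed is not None]
        closed_in_sla = [f for f in closed if f.fixed <= f.deadline]
        metrics[sev] = {
            "total": len(group),
            "open": len(open_),
            "overdue": sum(f.is_overdue(today) for f in open_),
            "oldest_open_days": max((f.age_days(today) for f in open_), default=0),
            # Compliance and MTTR only mean something once findings were closed,
            # so they are None rather than a misleading 0 or 100 when nothing was.
            "sla_compliance_pct": (round(100 * len(closed_in_sla) / len(closed), 1)
                                   if closed else None),
            "mttr_days": (round(mean(f.age_days(today) for f in closed), 1)
                          if closed else None),
        }
    return metrics


def board_summary(findings: List[Finding], today: date) -> dict:
    """The headline numbers: total backlog, what is past deadline, and where."""
    overdue = [f for f in findings if f.is_overdue(today)]
    return {
        "open": sum(f.fixed is None for f in findings),
        "overdue": len(overdue),
        "overdue_assets": sorted({f.asset for f in overdue}),
        "critical_overdue": sum(f.severity == "critical" for f in overdue),
    }


# Constructed sample data for the example, not real scan output.
SAMPLE = [
    Finding("web-01", "critical", date(2024, 3, 1), date(2024, 3, 5)),
    Finding("api-02", "critical", date(2024, 3, 20)),
    Finding("db-01", "high", date(2024, 1, 10), date(2024, 2, 20)),
    Finding("web-01", "high", date(2024, 3, 15)),
    Finding("build-runner", "medium", date(2024, 1, 1), date(2024, 3, 1)),
    Finding("printer-07", "low", date(2023, 12, 1)),
]
TODAY = date(2024, 3, 31)

if __name__ == "__main__":
    for sev, m in remediation_metrics(SAMPLE, TODAY).items():
        print(f"{sev:9s} {m}")
    print(board_summary(SAMPLE, TODAY))
```

Two design choices matter for a board report. Overdue counts only findings that are still open and past their deadline, so the figure cannot be improved by closing tickets late; late closures show up separately as lost SLA compliance. And compliance or MTTR for a severity with no closed findings is reported as unknown rather than as 0 or 100 percent, so a quiet period is not mistaken for a perfect one.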
In conclusion, by prioritising sustainable vulnerability management, the board demonstrates a commitment to the organisation’s security and overall success.