The answer is yes. Who is to blame? The finger should not be pointed at the CISO. Rather, it is a confluence of factors, not least of which is the influx of vulnerabilities in this shifting cyber risk landscape. It has created a domino effect on technology tools, information gathering, and decision making. More cloud services and technology tools have come into the fold so that information security can keep up with business demands. This begets more information and data parsing by security teams, and more meetings about other meetings taking place to make decisions on the information received. These points are echoed in the perspectives we contributed to the Cisco 2017 Midyear Cybersecurity Report.
CISOs have become one of the most important executive leaders in the C-suite, but their jobs are becoming more difficult based on the factors above. And it’s affecting their ability to keep their boards of directors properly informed about cyber risks. According to the National Association of Corporate Directors’ (NACD) 2016-2017 Public Company Governance Survey, almost one-quarter of boards are dissatisfied with the reporting that management delivers on cybersecurity. They report that the information they receive does not allow for effective benchmarking, is not transparent about problems, and is difficult to interpret.
This last part is most important. If people don’t know how to decipher the information they are looking at, how can they trust the organization is truly secure and properly mitigating vulnerabilities? This makes boards question the effectiveness of their vulnerability management, one of the most baseline components in a company’s overall security function.
Effective vulnerability management is fundamental to risk management. This is a core belief among every CISO, but the approaches and processes many have in place are not fully aligned with or responsive to today’s threat landscape or their company’s business risks. In the wake of WannaCry, NotPetya and the numerous incidents coming to light at the time of this post, now is the time to implement a more responsive and credible approach to vulnerability management built around four basic ideas.
- Continuously Protecting Assets is the Guiding Light, Not Compliance: A vulnerability management strategy’s core objective is not to meet compliance requirements. Just because you’re compliant does not mean your company is secure. Above all else, vulnerability management needs to keep pace with the business and ensure it is protecting the data and assets valued most to the company. This requires a sound asset management strategy focused on continuous monitoring and asset tracking to expose vulnerabilities that have the greatest impact on business functions and customer data.
- Agree Upon a Common Language: The meetings about meetings are a common occurrence when stakeholders communicate risks and vulnerabilities in different lingos. The pace of business today requires senior decision makers to speak in the same terms—business impact terms—when identifying and remediating vulnerabilities. A common language centered on clearly communicating a vulnerability’s business impact is crucial to sustaining a credible vulnerability management program.
- Strive for Integration: CISOs are on information overload with the number of tools entering their security arsenal year after year. According to Cisco’s 2017 Cybersecurity Report, many CISOs are frustrated with the tools and systems’ poor compatibility. This creates the conditions for vulnerabilities to go undetected when tool integration and information sharing are limited. Prioritize tools that embrace integration.
- Don’t De-prioritize Blocking and Tackling: If there is anything the latest ransomware incidents taught us about vulnerability management, it is not to overlook basic patch management blocking and tackling. Microsoft issued a patch for the EternalBlue vulnerability back in March. Prior to WannaCry, many knew this was one of the more significant vulnerabilities seen in recent years. There was sufficient time to act, but numerous companies didn’t make patch management a priority. And those firms that did not take rigorous action to properly patch after WannaCry fell victim to NotPetya when it swept through. Vulnerability management has no value to the business without rigorous response.
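As an added illustration of the first, second and fourth ideas together (this is example code written for this page, not code from the post, from Cisco or from any product it mentions), the script below ranks findings by business impact rather than by raw CVSS: each vulnerability is weighted by the criticality of the asset it sits on, by whether the asset is exposed to the internet, by whether the flaw is being exploited, and by how long a vendor fix has been available, then reported in plain language a board can act on. The asset inventory, the weights, the 30-day patch window and the VULN-EXAMPLE identifiers are all constructed for the example and are not real advisories.

```python
"""Vulnerability prioritisation stated in business-impact terms.

Added illustration; none of this is code from the original post. Asset
names, criticality scores, weights and the vulnerability records below are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    business_function: str   # what the business loses if this asset is down or breached
    criticality: int         # 1 (low) .. 5 (customer data / revenue critical)
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                    # placeholder ids, not real advisories
    cvss: float
    patch_released: Optional[date]  # None = no vendor fix yet
    exploited_in_wild: bool


# Hypothetical weights; a real programme would agree these with the business.
INTERNET_FACING_FACTOR = 1.5
EXPLOITED_FACTOR = 2.0
OVERDUE_FACTOR = 1.25
PATCH_SLA_DAYS = 30


def days_patch_available(finding: Finding, today: date) -> Optional[int]:
    """Days since a vendor fix shipped, or None if there is no fix."""
    if finding.patch_released is None:
        return None
    return (today - finding.patch_released).days


def priority_score(asset: Asset, finding: Finding, today: date) -> float:
    """Technical severity scaled by what the asset means to the business."""
    score = finding.cvss * asset.criticality
    if asset.internet_facing:
        score *= INTERNET_FACING_FACTOR
    if finding.exploited_in_wild:
        score *= EXPLOITED_FACTOR
    age = days_patch_available(finding, today)
    if age is not None and age > PATCH_SLA_DAYS:
        score *= OVERDUE_FACTOR  # a fix existed and the window was missed
    return score


def impact_tier(score: float) -> str:
    """Map the number to a phrase a board can act on."""
    if score >= 80:
        return "Critical: remediate now"
    if score >= 40:
        return "High: remediate this cycle"
    return "Scheduled: normal patch window"


def rank_findings(assets, findings, today):
    """Return (score, asset, finding) rows, highest business impact first."""
    ranked = [(priority_score(assets[f.asset], f, today), assets[f.asset], f)
              for f in findings]
    ranked.sort(key=lambda row: row[0], reverse=True)
    return ranked


def board_summary(assets, findings, today):
    """One plain-language line per finding, ordered by business impact."""
    lines = []
    for score, asset, finding in rank_findings(assets, findings, today):
        age = days_patch_available(finding, today)
        fix = "no vendor fix yet" if age is None else f"fix available {age} days"
        exploited = ", actively exploited" if finding.exploited_in_wild else ""
        lines.append(f"{asset.business_function} ({asset.name}): "
                     f"{impact_tier(score)}; {fix}{exploited}")
    return lines


# Constructed sample inventory and findings (not real systems or advisories).
ASSETS = {
    "crm-db-01": Asset("crm-db-01", "Customer records", 5, False),
    "web-edge-02": Asset("web-edge-02", "Public web storefront", 4, True),
    "dev-wiki-03": Asset("dev-wiki-03", "Internal documentation", 1, False),
}
FINDINGS = [
    Finding("crm-db-01", "VULN-EXAMPLE-001", 8.1, date(2017, 3, 14), True),
    Finding("web-edge-02", "VULN-EXAMPLE-002", 9.8, date(2017, 5, 1), False),
    Finding("dev-wiki-03", "VULN-EXAMPLE-003", 9.8, None, False),
]
TODAY = date(2017, 6, 30)

if __name__ == "__main__":
    for line in board_summary(ASSETS, FINDINGS, TODAY):
        print(line)
```

Run stand-alone, the sample puts the CVSS 8.1 flaw on the customer database ahead of both 9.8 flaws, because it touches the most critical asset, is being exploited and has had a fix available for 108 days; a CVSS-only list would have ranked it last. That reordering is the "common language" point in practice: the number that reaches the board is already expressed in terms of business function and missed patch windows, not scanner output.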
These basic ideas are not only applicable to a company’s vulnerability management program but carry over to and should influence the overall direction of the cyber defense strategy. The threats we talk about today will look drastically different months from now, yet CISOs should not lose sight of the fundamentals as they evolve their strategies and articulate to their boards how they’re changing course to protect the business environment. Embracing the basics will ultimately win the day and see CISOs maintain their seat at the table.