Instant Risk Reduction Recommendations to Align Priorities with IT
Snow flurries were a welcome change in New Jersey from last month’s high gust winds. I often multitask my dog walks to start my morning as productively as possible. My marketing colleague Sule joined me and picked up a greek yogurt from Panera. On our short walk back, we figured out what’s most important for today’s offsite, while stepping over recently fallen branches. Sule, and I were pumped to get started when we arrived back – my dog was ready to nap. This instant feedback loop enabled me align priorities across teams, and this holds true in Vulnerability Management with InfoSec and IT.
Competing priorities between InfoSec and IT
InfoSec teams have their own priorities often guided by overarching VM goals. Two goals in enterprise vulnerability management are:
- Reduce risk by reducing most critical vulns or assets (Gartner Report Recommends a Vulnerability Management Process Based on Weaponization and Asset Value)
- Reduce risk by reducing attack surface (The Attack Surface Problem)
The outcome for either of the above is a list of vulnerabilities.
IT teams prioritize by business revenue or functionality that is needed by their customers right now. This often means developers work on a subset of their application portfolio at any given time. The outcome for this is a list of applications that worked on that change from sprint to sprint.
The priorities of InfoSec and IT often do not align, requiring back and forth. This can be very expensive, especially if InfoSec brings a set of vulnerabilities that are untimely for the IT team, forcing InfoSec to identify a new set of vulnerabilities.
The Cost of Misalignment
Let’s go through the first goal as an example. Reducing the most critical vulns or assets requires the following steps – I’m abstracting here, folks.
- Identify vulnerabilities that are aligned to your remediation or patching schedule – takes minutes
- Identify the most critical vulns – takes minutes
- Correlate against business asset values – takes more minutes
- Correlate against threats – takes more minutes, more if threat intel needs to be refreshed
The combined steps above take about an hour at best to do manually. About the same amount of time applies for reducing risk by maximizing attack surface.
In a manual process, almost all these steps are repeated for each alignment. The reality can be further delays as these conversations tend to require synchronous conversations between two independently overloaded teams.
Align through instant feedback loops
By automating the manual steps, IT and InfoSec can have instant collaboration. This means one conversation to create a joint commitment that aligns to both team’s processes. This results in:
- Instant partnership with IT to reduce risk. InfoSec values IT’s team by responding to them immediately.
- Save time figuring out what to do, and work on higher priorities
- Reduce the biggest risk that is aligned to your InfoSec goals: attack surface or actual risk
Unified VRM provides the above benefits with its latest release by automating the manual steps to enable to reduce risk by reducing most critical vulns or assets and reduce risk by maximizing impacted attack surface.
Improve My Risk Score Recommendations
The Improve My Risk Score feature will highlight the best route to improving your risk score. On the dashboard it will show the number of vulnerabilities that can be remediated to improve your score to the next letter grade. Drilling into it will lead to an exact list of those vuln instances, including the information about the assets they are on.
Reduce My Attack Surface Recommendations
NopSec’s Reduce My Attack Surface feature will allow you to identify the most important vulns to focus on. It will highlight the most critical and prevalent vulnerability in the environment. That vulnerability will be the one with the worst risk score that can be found on the highest number of critical assets
Share your thoughts in our community!