Vulnerability Risk Management: Making the Move beyond Compliance

Information security professionals have a single core mission: to understand technological risk and take the steps necessary to protect information assets from harm.  Yet many organizations get caught in the “check the box” compliance trap and find it difficult to climb back out.

We have been through numerous exercises and built multiple secure layers to defend our digital borders from bad actors seeking to steal our crown jewels and wreak havoc on our organizations.  We have implemented and followed strategies, frameworks, roadmaps and standards that recommend robust risk mitigation solutions.  But in the end, we are still getting hacked.

We have installed SIEMs, firewalls, intrusion detection and prevention systems, vulnerability scanners, malware and virus detection, authentication, identity and access management systems, data loss prevention technology, encryption, sandboxes, anomaly detection tools, and phishing and spam prevention.  We have conducted training and raised security awareness throughout the organization.  All this, and we continue to see daily headlines about data breaches.

We have shortened our time to detection and strengthened our third-party reviews and our due diligence on mergers and acquisitions.  Despite this, we still find threats that have been sitting in our infrastructure for hundreds of days.

We have built dashboards and consolidated reporting tools, and identified KPIs and other metrics to measure success.  Yet we still have failures.

So how do we begin to even start figuring out what is going wrong?

We are trying to fight a guerrilla war through a process of attrition.  I am sure that our military experts are either rolling their eyes or laughing really hard at me.  But it is evident that we are missing many things.  I cannot list everything we might want to try, from an isolationist mindset at one extreme to simply doing what we already do better at the other.

As someone who has sat in the role of CISO for many years, I can offer a variety of perspectives.  Yet one view that is so simple, and so often overlooked, is to strengthen our “trust” model to include inspection and visibility.  We need to start by answering three simple questions:  What are we doing?  Are we doing it right?  And are we doing what we say we are doing?

Vulnerability risk management is one of the fundamental security programs that organizations of all sizes practice.  But what are we doing, and are we doing it right?  We brought in scanners to detect vulnerabilities because regulations like PCI, FFIEC, HIPAA and others told us we needed to.  We prioritized vulnerabilities by their CVSS scores.  We started to remediate based on industry standard guidance.  But has this made us more secure?  Perhaps somewhat.  This is what we are doing today, but are we doing it right?  If we were, why is it still taking organizations 103 days to remediate critical flaws in their infrastructure?

But how do we even measure success?  What is the baseline for remediation we should be looking to achieve?  These are the types of questions we should be moving towards answering.  We need to work on figuring out how to do it right, and only then can we establish a benchmark for continuous improvement and achieve success as an industry.

This is just one example of many we can point to as we continue on our journey to minimize risk and protect our information assets.  We continue to let security be driven by compliance, frameworks and standards.  “We have remediated all vulnerabilities with a CVSS score above 6,” is likely being uttered by a security manager or analyst tasked with PCI compliance at this very moment.  Instead, we should be asking, “How much risk have we actually mitigated?”  A CVSS threshold says nothing about which host the flaw sits on or who can reach it; a medium-rated flaw on an internet-facing crown-jewel system can carry far more risk than a critical one on a disposable lab machine.  Until we fully embrace an approach that enables real reporting of risk reduction, we might as well just leave the door open for hackers and willingly invite them inside.
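The gap between a CVSS threshold that satisfies an auditor and a measure of how much risk has actually been removed is easier to see against a concrete backlog.  The following Python is an added illustration written for this page, not code from the author or from NopSec.  The findings are constructed, and the asset weight, the exposure multiplier and the multiplicative risk score are assumptions chosen to make the point, not a standard.

```python
"""Compliance view vs. risk view of the same vulnerability backlog.

Illustrative example: the backlog below is constructed, and the risk
formula (CVSS x asset weight x exposure) is an assumed scoring scheme,
not an industry standard.
"""
from dataclasses import dataclass
from statistics import median
from typing import List


@dataclass(frozen=True)
class Finding:
    finding_id: str       # internal ticket id (constructed placeholder, not a CVE)
    cvss: float           # CVSS base score reported by the scanner
    asset_weight: float   # business criticality of the host, 1 (lab box) to 5 (crown jewel); assumed scale
    exposure: float       # 1.0 internal-only, 2.0 internet-facing; assumed multiplier
    days_open: int        # days from discovery to fix, or to today if still open
    remediated: bool

    @property
    def risk(self) -> float:
        """Assumed risk score: severity scaled by what the host is worth and who can reach it."""
        return self.cvss * self.asset_weight * self.exposure


# Constructed sample backlog (not real scan output).
BACKLOG: List[Finding] = [
    Finding("F-1", 9.8, 1, 1.0, 12, True),    # critical-rated flaw on a disposable lab VM
    Finding("F-2", 7.5, 2, 1.0, 30, True),
    Finding("F-3", 6.5, 1, 1.0, 45, True),
    Finding("F-4", 5.3, 5, 2.0, 98, False),   # "medium" on the internet-facing customer database
    Finding("F-5", 4.3, 5, 2.0, 140, False),  # another "medium" on the same crown jewel
    Finding("F-6", 9.1, 4, 1.0, 60, False),   # critical-rated, but on an internal-only host
]


def compliance_coverage(findings: List[Finding], threshold: float = 6.0) -> float:
    """Compliance view: share of findings at or above the CVSS threshold that are closed."""
    in_scope = [f for f in findings if f.cvss >= threshold]
    if not in_scope:
        return 1.0
    return sum(1 for f in in_scope if f.remediated) / len(in_scope)


def risk_mitigated(findings: List[Finding]) -> float:
    """Risk view: share of the backlog's total risk score that has actually been removed."""
    total = sum(f.risk for f in findings)
    if total == 0:
        return 1.0
    return sum(f.risk for f in findings if f.remediated) / total


def open_by_cvss(findings: List[Finding]) -> List[str]:
    """Work queue a CVSS-only program would produce (highest score first)."""
    open_items = [f for f in findings if not f.remediated]
    return [f.finding_id for f in sorted(open_items, key=lambda f: f.cvss, reverse=True)]


def open_by_risk(findings: List[Finding]) -> List[str]:
    """Work queue a risk-weighted program would produce (highest risk first)."""
    open_items = [f for f in findings if not f.remediated]
    return [f.finding_id for f in sorted(open_items, key=lambda f: f.risk, reverse=True)]


def median_age_open(findings: List[Finding], min_risk: float = 0.0) -> float:
    """Baseline candidate: median age in days of open findings at or above a risk score."""
    ages = [f.days_open for f in findings if not f.remediated and f.risk >= min_risk]
    return float(median(ages)) if ages else 0.0


if __name__ == "__main__":
    print(f"Findings at CVSS >= 6 remediated: {compliance_coverage(BACKLOG):.0%}")
    print(f"Total risk score removed:         {risk_mitigated(BACKLOG):.0%}")
    print(f"Open queue by CVSS: {open_by_cvss(BACKLOG)}")
    print(f"Open queue by risk: {open_by_risk(BACKLOG)}")
    print(f"Median age of open findings with risk >= 40: {median_age_open(BACKLOG, 40):.0f} days")
```

On this backlog the compliance report reads 75% of CVSS-6-and-above findings closed, while only about 19% of the risk score has been removed, and the open item a CVSS ordering would work first (F-6) drops to last under the risk ordering because it is internal-only.  A real program would feed the asset weight and exposure from an inventory and an attack-surface map rather than hard-coding them, but the two numbers it reports to the board should be the second and the median age, not the first.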

Arnold Felberbaum is a guest blogger for NopSec and author of this article.  Mr. Felberbaum has decades of experience as an information security executive and practitioner.  Most recently, he served as the Chief Information Security Officer at Reed Elsevier.  Mr. Felberbaum is a strategic advisor to NopSec and serves as an Adjunct Professor in Information Security at NYU Polytechnic School of Engineering.