
10 best practices for vulnerability management according to CISOs


It was 2003, and I was giving my first cybersecurity presentation at an industry conference in Chicago. I talked about the onslaught of worms at the time (MSBlast, SQL Slammer, and others), and stressed to the audience the importance of strong vulnerability and patch management.

When it came time for the Q&A, an audience member summarized his predicament and posed a very poignant question: “We have thousands of vulnerabilities at any one time. How do we figure out which ones to prioritize?”

I responded with a generic answer along the lines of “prioritize based on known threats to your organization,” or “prioritize based on the business criticality of the asset.” It was accurate, but vague. Fast forward more than 20 years, and the audience member’s predicament and question still vex many organizations.

What has changed, however, is the scale of the problem. In 2003, enterprise organizations had thousands of active vulnerabilities. Now they face hundreds of thousands or more. Meanwhile, many organizations have the same challenges they did years ago — a lack of experienced staff, manual processes, misaligned goals between security and other teams (IT ops, software development), and more.

Since modern enterprises run on software, poor vulnerability management represents a serious business risk. So, how are CISOs modernizing their programs to improve risk mitigation? Over the past several months, I spoke to a dozen security executives to find out. While I have pages and pages of written notes on the subject, their answers boiled down to 10 best practices.

10 consistent best practices in managing vulnerabilities

1. Culture

Achieving a successful vulnerability management program starts with establishing a cybersecurity-minded culture across the organization. Many CISOs admitted to facing long-standing cultural problems, and one summed it up well. “Our cybersecurity culture was pretty laissez-faire until we got hit with Log4j and then a ransomware attack,” he told CSO. “These events were an awakening for the CEO and board. That’s when they hired me, adjusted the budget, and committed to doing what needed to be done.” Improving vulnerability management was a top priority in this cultural transition.

2. Documentation

Most CISOs agreed that all phases of vulnerability management should be well documented, assessed, and reviewed. This is an important admission that there is no quick fix to longstanding vulnerability management woes.

Rather, organizations must dig into each phase of the vulnerability management lifecycle, look for inefficiencies, devise strategies for improvement, and define the right metrics to measure progress. CISOs also understand that there is no endgame here, but having a dependable record encourages continuous iterative improvement in all phases, all the time.

3. Establish processes

Most of the CISOs I spoke with borrowed heavily from existing frameworks but customized them to their business, industry, and organizational needs. Once instituted, standard vulnerability management processes can be rolled out across an enterprise and monitored for continuous improvement.

One CISO mentioned that her organization has taken this a step further — following an acquisition, the security team has a canned program that will transform the acquired company’s vulnerability management program to fit its established model, complete with metrics to gauge progress.

4. Define what security data is necessary

To be clear, this isn’t a technology inventory exercise — at least not at first. CISOs assess what data they have and compare this to what data they need. Armed with this knowledge, they can then assign staffers to find technologies to fill the gaps.

5. Embed integration into vulnerability management

Once again, this is an academic rather than a technology project. It starts by looking into who needs what data and establishing where it comes from. Once individuals receive the right data, what do they do with it? Assuming all of this goes well, do data analytics trigger automated or manual actions? After mapping all the “goes into” and “goes out of” components, CISOs often bring in vendor partners for a look-see. The goal? Get them onboard with the necessary connectors, APIs, and data formats to turn design into reality.

6. Determine the right metrics for prioritization

This directly addresses the question posed to me in 2003. It’s also where vulnerability management meets exposure management, and it’s all about context. What is the business value of a vulnerable asset? Is a vulnerable asset on the attack path? Is there a compensating control in place? Has the compensating control been tested recently?

I know this seems like an obvious step, but the CISOs I spoke with have codified (or plan on codifying) this and more inputs into a customized risk-scoring system that anchors the whole enchilada.

7. Create SLA discipline

The prioritization hierarchy is tied to strict service-level agreements (SLAs) across security, IT, software development, and third-party risk management teams: each tier carries a remediation deadline, and exceptions are rare. Many organizations also have formal review processes when teams miss SLA deadlines. Again, continuous improvement is required here.
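As an added illustration of how points 6 and 7 fit together (this is example code written for this edit, not anything the interviewed CISOs described or a vendor's scoring model), the Python below scores each finding using the context questions above, maps the score to a priority tier, and derives an SLA due date and breach flag from the tier. The weights, the tier thresholds, the SLA windows, the 90-day control-freshness window, and the sample findings are all assumptions chosen to make the behaviour visible, not figures from the article.

```python
"""Context-aware vulnerability prioritization with SLA tracking.

Added example, not from the article. All weights, tiers, SLA windows and
sample findings are illustrative assumptions; a real program tunes them to
its own risk appetite and asset inventory.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss_base: float                     # vendor/NVD base score, 0.0-10.0
    asset_criticality: int               # 1 (lab box) .. 5 (revenue-critical)
    internet_exposed: bool               # reachable from untrusted networks
    on_attack_path: bool                 # on a modelled path to crown-jewel assets
    known_exploited: bool                # active exploitation observed in the wild
    compensating_control: Optional[str]  # e.g. "WAF virtual patch", or None
    control_last_tested: Optional[date]  # when that control was last validated
    discovered: date


# Assumed tiers: (name, minimum score, remediation SLA in days).
TIERS = [("P1", 75.0, 7), ("P2", 50.0, 30), ("P3", 25.0, 90), ("P4", 0.0, 180)]
CONTROL_FRESHNESS_DAYS = 90  # assumed: a control untested for longer earns little credit


def risk_score(f: Finding, today: date) -> float:
    """Context-adjusted score on a 0-100 scale, capped at 100 (weights are assumptions)."""
    score = f.cvss_base * 10.0                       # severity baseline
    score *= 0.6 + 0.2 * (f.asset_criticality - 1)   # 0.6x for criticality 1 .. 1.4x for 5
    if f.internet_exposed:
        score *= 1.3
    if f.on_attack_path:
        score *= 1.25
    if f.known_exploited:
        score *= 1.5
    if f.compensating_control:
        tested = f.control_last_tested
        if tested and (today - tested).days <= CONTROL_FRESHNESS_DAYS:
            score *= 0.5   # recently validated control: real credit
        else:
            score *= 0.9   # untested or stale control: almost no credit
    return min(round(score, 1), 100.0)


def tier_for(score: float):
    """Return (tier name, SLA days) for a score; P4 has threshold 0, so it always matches."""
    for name, threshold, sla_days in TIERS:
        if score >= threshold:
            return name, sla_days
    return TIERS[-1][0], TIERS[-1][2]


def prioritize(findings, today: date):
    """Score, tier and SLA-check every finding; highest risk first, earliest due date on ties."""
    rows = []
    for f in findings:
        score = risk_score(f, today)
        tier, sla_days = tier_for(score)
        due = f.discovered + timedelta(days=sla_days)
        rows.append({
            "id": f.finding_id, "asset": f.asset, "cvss": f.cvss_base,
            "score": score, "tier": tier, "due": due,
            "sla_breached": today > due,
            "days_over": max((today - due).days, 0),
        })
    rows.sort(key=lambda r: (-r["score"], r["due"]))
    return rows


def sla_breaches(rows):
    """The subset of rows that have passed their SLA due date (feeds the missed-SLA review)."""
    return [r for r in rows if r["sla_breached"]]


# Constructed sample findings; IDs and asset names are placeholders, not real systems.
SAMPLE = [
    Finding("F-101", "payments-api", 9.8, 5, True, True, True, None, None, date(2025, 5, 20)),
    Finding("F-102", "hr-portal", 9.8, 3, True, False, False,
            "WAF virtual patch", date(2025, 5, 15), date(2025, 5, 25)),
    Finding("F-103", "dev-jenkins", 7.5, 2, False, True, False,
            "network segmentation", date(2024, 11, 1), date(2025, 2, 1)),
    Finding("F-104", "print-server", 5.3, 1, False, False, False, None, None, date(2025, 5, 1)),
    Finding("F-105", "vpn-gateway", 6.5, 4, True, True, True, None, None, date(2025, 5, 29)),
]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for r in prioritize(SAMPLE, today):
        flag = f"BREACHED by {r['days_over']}d" if r["sla_breached"] else "within SLA"
        print(f"{r['id']} {r['asset']:14} cvss={r['cvss']:<4} score={r['score']:<5} "
              f"{r['tier']} due={r['due']} {flag}")
```

Two things the output makes visible that a CVSS-sorted list hides: the actively exploited 6.5 on the exposed VPN gateway (F-105) lands in P1 ahead of the 9.8 on the HR portal (F-102), which drops to P2 because its WAF rule was validated two weeks ago; and the Jenkins finding (F-103) gets almost no credit for "network segmentation" because that control has not been tested in over 90 days, so it sits in P2 and is flagged 90 days past its SLA, exactly the case the missed-SLA review process in point 7 exists to catch.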

8. Develop an emergency patching program

Events like Log4Shell and SolarWinds were wake-up calls, as many CISOs learned how unprepared their organizations were for this type of emergency event. This realization caused CISOs to create, staff, and test incident response plans designed specifically for these types of incidents.

As one CISO said, “While I was proud of how we responded to past events, several team members were burnt out for weeks, and we had a spike in attrition. Rather than rely on heroes, we needed a systematic program we could count on. I hope there’s no ‘next time,’ but if there is, we’re better prepared.”

9. Align goals, metrics, and compensation across diverse teams

Vulnerability management depends upon a cross-functional team with strong communication, consistent metrics, and common goals — this is the people part.

It starts with the commitment to a cybersecurity culture discussed above, but CISOs I spoke with also worked with CIOs, line of business managers, and human resources folks to create the right workflows, automations, reports, messaging, and even employee compensation benefits to motivate cooperation across disparate groups and individuals. Security becomes far more effective when CISOs regularly team up with CIOs to uncover bottlenecks and review progress.

10. Reinforce vulnerability management with continuous efficacy testing

Years ago, I created an awkward acronym, SOPV, which stood for security observability, prioritization, and validation. The acronym never caught on, but the CISOs I spoke with have accepted (or are accepting) the notion of continuous security validation testing.

Of course, verification is already one of the phases of the vulnerability management lifecycle, so what has changed? Many firms have moved from periodic penetration testing to continuous security testing using new tools or managed services, an approach MITRE describes as threat-informed defense. In this way, organizations not only verify that a vulnerability was actually remediated, but also test the efficacy of their controls and gain a blueprint for detection rule engineering.

CISOs had many other war stories and recommendations, but these 10 were fairly common regardless of organizational size, location, or industry. I’ll conclude by reporting on one other commonality: to use a frequent cybersecurity analogy, CISOs realize that strong vulnerability management is a non-linear journey, not a destination.

In other words, you are never finished with anything, but rather always looking to improve every step and individual task along the way. There is always a lot of work to be done, but that’s the reality when you’re protecting a modern enterprise.
