Modern Vulnerability Management Part 3: Engaging Auto-Pilot
Share with Your Network
One of the odd things about risk is that it doesn’t mean the same thing to all people. We happily ride in cars almost every day, despite the fact that on a mile-for-mile basis, it represents one of the most dangerous forms of transportation. But many of us will get a weird feeling in the pit of our stomachs while waiting on the tarmac for our plane to take off, despite the fact that air travel is the safest.
In enterprise cybersecurity, vulnerability management faces the same challenge: what some people view as risky, others see as harmless. But unlike transportation statistics, most organizations don’t have data that allows them to rationalize and compare vulnerability risk on a level playing field.
Is there a definition of risk? Listen to the clip to find out
Finding a common language of risk
This leads to conflict between the security teams tasked with identifying risks, and the IT operations teams tasked with patching them. The typical organization has the capacity to patch just one out of every ten vulnerabilities on its systems. But when there is no way to talk rationally about risk, just about everything seems risky – and thus, there are demands to patch far more than the organization has capacity for.
In the previous blog post in this series, we talked about the ways data science can quantify the risk of vulnerabilities, giving organizations a common, data-driven language to discuss risk.
Companies can use risk-based vulnerability management to drive down risk across the organization. If you have a tool that identifies and quantifies risk, you can identify the riskiest vulnerabilities and prioritize them.
But modern vulnerability management goes even further, because it realigns the organization’s overall approach to risk by evaluating and measuring risk across the full IT stack. Modern vulnerability management accounts for every vulnerability, across every segment of the network, and uses data science to distill that information through a single, easy-to-understand lens.
Reducing conflict with modern vulnerability management
So let’s talk about what happens when an organization starts using the lingua franca of risk-based vulnerability management.
To begin with, the number of vulnerabilities that IT needs to patch declines dramatically. While organizations have the capacity to patch one in ten vulnerabilities, our research shows that just 5 percent of vulnerabilities present a true danger to the organization.
And that reduces conflict. Why? For one, there’s very little to argue about if data science is clear and transparent. With a holistic view of risk, everyone knows what the next best action is.
IT operations teams, for example, know which vulnerabilities they need to prioritize and why they should be the priority — they are looking at the same data the security team is looking at. Many Kenna Security customers adopt an IT self-service approach, with security teams providing oversight and handling exceptions.
In fact, I was speaking with the head of cybersecurity of a major financial institution recently, and he told me that he hadn’t logged into Kenna.VM in months. I was a little worried about the direction this conversation was taking, when he told me that their IT teams were logging in and proactively patching their own systems on a day-to-day basis. He just didn’t need to log in because he wasn’t really part of the day-to-day process anymore.
Making time for higher value initiatives
Modern vulnerability management isn’t just about making life easier for the security team. It is about reducing the amount of time that IT spends patching – and that means more time to devote to other, higher value initiatives. These are features of modern vulnerability management, but they aren’t the overarching theme.
By aligning the stakeholders around a common ground truth, it is possible to know exactly what the organization’s risk is, and to communicate that with board members, non-technical executives, and even regulators. When Kenna Security developed risk-based vulnerability management, a rational, manageable approach was the end goal that we envisioned. But as you’ll see in the next blog post, that wasn’t the case. Our customers exceeded our wildest expectations. As a result, we needed to adapt our product further to create a new stage of modern vulnerability management maturity.
To learn more about Modern Vulnerability Management and see where you are in the maturity curve talk to one of our experts.
