Without Risk-Based Prioritization, Security Resilience Will Be Elusive

One of the difficult truths about present-day cybersecurity is the perimeter as we’ve known it for the last few years has vanished. A tidal wave of connected devices and continued remote work demands have blurred the lines of our traditional environmental boundary, widened attack vectors, and expanded attack surfaces. Everything is connected—and everything is a vulnerability. 

And for anyone still holding out for the cybersecurity days of yore, recent findings offer a definitive argument that those days are long gone. 2021 ushered in staggering volumes of new CVEs, totaling 20,175 by the end of the year. This rise in vulnerabilities caused a foundational shift in thinking across the security industry, resulting in entities like the Cybersecurity and Infrastructure Security Agency (CISA) establishing new best practices for organizations to focus their remediation efforts and resources on active exploits.  

Another sign of the times can be found in the latest research conducted by Kenna Security (now Cisco) and the Cyentia Institute. The most recent edition of the Prioritization to Prediction (P2P) series reveals nearly all assets—95%—house at least one highly exploitable vulnerability.  

Enterprises are reading the writing on the wall and taking swift action to evolve their security operations, protect their business, and respond to changes confidently. And security resilience is lighting the way.  

Why risk-based prioritization is instrumental to achieving security resilience 

Security resilience offers a powerful antidote to the unpredictability shaping our current landscape. Organizations are empowered to better protect and defend their environments and respond with agility when exploits occur. Even more crucial, security resilience buoys other investments within different branches of the business, including financial, operational, supply chain, and organizational.  

Like most any operational state, security resilience is a multi-faceted effort with many crucial levers engaged at once. But as industry pundits have proven in recent years, a risk-based approach to security operations and vulnerability management is paramount to long-term success. Risk-based prioritization enables teams to effectively and efficiently pinpoint the truly sinister vulnerabilities amidst the rising tide of threats. 

A risk-based take on the five dimensions of security resilience 

To understand exactly how resilience hinges on risk-based prioritization, let’s take a deep dive into the five dimensions that make up security resilience through the lens of risk. 

1. Close the gaps. This concept often refers to eliminating data silos that hamper security operation workflows and, ultimately, keep organizations from realizing security resilience. However, we will expand that idea to include intelligence—or lack thereof. Making informed and data-driven vulnerability management decisions are stymied without mission-critical context or real-world threat intelligence. Closing these intelligence gaps will help teams and security leaders make meaningful risk-reducing moves faster and with greater precision.
2. See more. With an increasingly complex and expanding environmental footprint, you have more to monitor and maintain. The demand for 360-degree visibility is at an all-time high, especially in light of the recent P2P findings. Ensuring you can surface high-risk vulnerabilities from every corner of your environment to properly prioritize and remediate them is crucial.
3. Anticipate what’s next. Security resilience enables organizations to recover from attacks, but it also helps them gauge what’s coming down the pike. Top vulnerability-management vendors offer highly calibrated models with baked-in risk-based threat assessment and machine learning-driven analysis that help teams predict the next exploits before they become a reality.  
4. Prioritize what matters most. With an endless wave of threats bearing down on your business, it’s easy to see why teams think more remediation will reduce more risk—but the data tells a different story. Kenna Security (now Cisco) and the Cyentia Institute recently determined that around 4% of vulnerabilities present in any given environment pose a real threat. And companies that adhere to a risk-based approach gain significant ground in reducing risk over time, particularly when prioritization decisions take exploit code intel and real-world exploitation activity into account.  
5. Automate your response. An integral aspect of top risk-based prioritization platforms is determining the remediation actions teams need to take (and not take). Freeing teams from laborious vulnerability management tasks characteristic of traditional approaches allows them to trust a single source of data-backed truth. Security and IT can perfect their response strategies and operationalize their vulnerability management programs around risk. 

A risk-based vision of resilience 

Analysts identified risk-based prioritization as a critical component of any modern organization looking to future-proof their security operations, but they’re not alone. Enterprise solution providers are working to ensure their offering can check the risk-based box. But none have tackled the foundational work needed to achieve this goal like Cisco.  

Cisco is leading the charge to redefine the future of security operations and risk management, outlining a vision of simplified security operations and resilient enterprises. And teaming up with Kenna Security was critical to realizing this goal. Bolstering Cisco’s security suite with Kenna Security technology and data science expertise will empower teams with up and down telemetry, the world’s largest shared threat intelligence, and contextualized prioritization in one comprehensive, robust threat and vulnerability management platform.  

Organizations can extend a risk-based approach beyond vulnerability management to tap deeper into their security resilience and align around risk. 

Ensure you have what you need in place to emerge confidently and securely against anything the future might throw your way. Read Building Security Resilience: Stories and Advice from Cybersecurity Leaders to glean expert takeaways for future-proofing your security.  

This blog was originally written for Kenna Security, which has been acquired by Cisco Systems. Learn more about Cisco Vulnerability Management.