This month marks the fifteenth anniversary of National Cybersecurity Awareness Month. While NCSAM originated as a campaign by the U.S. Department of Homeland Security and the National Cyber Security Alliance to help educate and keep consumers safe online, it has evolved into something much bigger.
It’s incumbent on everyone – individuals and organizations of all sizes – to be vigilant about cybersecurity. There’s a lot that depends on this vigilance, ranging from protecting our health records and bank accounts, to our national elections and critical infrastructure. More and more, cybersecurity has the potential to impact the well-being of people all over the world.
When it comes to enterprise security, AI and machine learning-based detection and response technologies have surged in popularity in recent years, promising organizations total security and the ability to “stop hackers in their tracks.” For Cybersecurity Awareness Month this year, there will no doubt be a lot of attention paid to these emerging technologies that can and will continue to have a positive impact on personal and organizational security.
The truth is, though, there’s another area of cybersecurity that deserves just as much, if not more attention: vulnerability management. In most cases, unpatched software vulnerabilities are causing the never-ending slew of data breaches. Untended vulnerabilities have single-handedly caused some of the most high-profile, global data breaches in recent years, with the 2018 Equifax hack and 2017 WannaCry disaster serving as prime examples. Lest organizations assume they’re immune to the effects of untended vulnerabilities due to their size or industry, research from the Ponemon Institute found that nearly 60% of data breach victims between 2016 and 2018 cited a known, unpatched vulnerability as the attack culprit.
Digital Transformation Initiatives Complicate Vulnerability
Making untended vulnerabilities even more damaging is the fact that digital transformation is taking hold across the majority of organizations, with 79% reporting that they have digital transformation initiatives underway. To remain relevant and bolster the bottom line, software has emerged as the lifeblood of almost every business across the globe. But this increased reliance on technology has introduced a broader set of cyber risks that must be managed.
Digital transformation initiatives force organizations to rely on faster development and delivery of new software capabilities to serve customers, enable partners and empower employees. However, in the rush to accelerate delivery of these new capabilities, security often becomes an afterthought. Organizations aren’t taking the time to properly scan and test software for known vulnerabilities, usually because they haven’t yet figured out how software development, IT operations and security teams can most efficiently work together to ensure speed and security. Until this cultural shift takes place, the massive risks created by deploying code with known vulnerabilities will continue to be a challenge.
Effective Vulnerability Management Is the Foundation of a Strong Defense
Given the ubiquity of untended vulnerability-induced data breaches and the additional security challenges digital transformation creates for almost every organization, it’s time to start raising more awareness around the impact that effective vulnerability management can have on an organization’s overall security posture. That said, creating an effective program is easier said than done. Managing and acting upon the hundreds — if not thousands or hundreds of thousands — of vulnerabilities that surface on a daily basis can feel like an insurmountable task. With the sheer volume of vulnerabilities and an inability to manage the myriad of overlapping scanning tools needed to detect them, it’s not surprising that organizations remediate as little as 10 percent of vulnerabilities. And, that may be OK – because not every vulnerability or risk can be addressed. It’s simply impossible.
If you can’t address every vulnerability, where should you start? The key to conquering vulnerability management is taking a measured, risk-based approach. Prioritizing vulnerabilities based on the risk they present to an organization is the best and quickest way to improve security. This involves taking the time to identify an organization’s most important assets and understanding how and when they are impacted by the constantly changing vulnerability landscape. After applying the proper scanning tools throughout the software development lifecycle – from code commit, to build, to deployment – an organization can determine which vulnerabilities are most critical and ensure resources are being applied to remediate them quickly.
Another important benefit of such a risk-based approach is that it provides board and executive-level visibility into an organization’s security posture. When presented right, knowledge about which vulnerabilities exist in an environment, how critical these vulnerabilities are, which ones impact the most important assets, and where they sit in the list of priorities for remediation offers an extremely detailed gauge of an organizations risk exposure.
At the end of the day, more efficiently managing and remediating vulnerabilities based on the risk they pose can have a dramatic impact on an organization’s overall security. Implementing practices like this further upstream in the security process will ultimately reduce the number of breaches and incidents an organization has to fight downstream. Creating an environment with fewer vulnerabilities for attackers to exploit will make life easier for security teams and the fancy AI-powered detection and response tools they rely on. And that’s a better outcome for everyone.
John Worrall is CEO of ZeroNorth.