I try to keep the registration-wall PDFs down to about once per quarter. This one from Splunk is a CISO Report from which I wanted to grab just a handful of sentences.
The report tracks the difference in priority between CISOs and Boards for various security factors. Four items stood out for me. The report ranks them in order of disparity (although the difference in these is at most 4%):
- “Percentage of systems with up-to-date patches”
- “Mean time to respond or remediate (MTTR)”
- “Average time it takes to patch a vulnerability”
- “Number of vulnerabilities identified”
There's also one more sentence that caught my eye, “A significant percentage of CISOs in technology (42%) cite vulnerable systems that were unknown, unmanaged or misconfigured.”
I've been repeating lately how appsec is too preoccupied with vulns, especially the volume of known vulns (i.e. CVEs) in dependencies. I won't try to build an entire case out of that single sentence, but I do think it speaks to the importance of asset management and the opportunity cost of appsec taking up the time of developers to patch low-risk vulns at the expense of more strategic work like asset inventories.
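To make the four metrics above, and the "unknown, unmanaged or misconfigured" gap, concrete, here is an added example (mine, not the report's and not the post's) that computes them from a constructed asset inventory and a constructed list of scanner findings. The host names, the `VULN-000n` identifiers and the dates are all placeholders; the point is that the board-facing numbers are computed over the inventory, while the host the scanner found that nobody inventoried only shows up if you explicitly diff scan results against the inventory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample inventory: the systems someone has claimed ownership of.
# "patched_current" is whatever your patch-compliance source reports.
INVENTORY = {
    "web-01": {"owner": "platform", "patched_current": True},
    "web-02": {"owner": "platform", "patched_current": False},
    "db-01": {"owner": "data", "patched_current": True},
}


@dataclass
class Finding:
    host: str
    vuln_id: str               # placeholder identifier, not a real CVE
    discovered: date
    remediated: Optional[date]  # None while the finding is still open


# Constructed scanner output. Note "legacy-09": the scanner can reach it,
# but it appears nowhere in INVENTORY, so no owner and no patch status.
FINDINGS = [
    Finding("web-01", "VULN-0001", date(2024, 1, 2), date(2024, 1, 5)),
    Finding("web-02", "VULN-0002", date(2024, 1, 3), None),
    Finding("db-01", "VULN-0003", date(2024, 1, 1), date(2024, 1, 11)),
    Finding("legacy-09", "VULN-0004", date(2024, 1, 4), None),
]


def unmanaged_hosts(inventory: dict, findings: list) -> list:
    """Hosts the scanner saw that the inventory does not know about."""
    return sorted({f.host for f in findings} - set(inventory))


def pct_up_to_date(inventory: dict) -> float:
    """Percentage of inventoried systems with current patches.
    Unmanaged hosts are invisible here, which is exactly the problem."""
    if not inventory:
        return 0.0
    current = sum(1 for a in inventory.values() if a["patched_current"])
    return 100.0 * current / len(inventory)


def mean_time_to_remediate_days(findings: list) -> Optional[float]:
    """MTTR over closed findings only; open findings do not lower the mean."""
    closed = [(f.remediated - f.discovered).days for f in findings if f.remediated]
    return sum(closed) / len(closed) if closed else None


def vulnerabilities_identified(findings: list) -> int:
    return len({f.vuln_id for f in findings})


def open_findings_on_unmanaged(inventory: dict, findings: list) -> int:
    """Open findings with no owner to route them to."""
    unknown = set(unmanaged_hosts(inventory, findings))
    return sum(1 for f in findings if f.host in unknown and f.remediated is None)


def board_metrics(inventory: dict, findings: list) -> dict:
    """The four report metrics plus the asset-coverage gap beside them."""
    return {
        "pct_systems_up_to_date": round(pct_up_to_date(inventory), 1),
        "mttr_days": mean_time_to_remediate_days(findings),
        "vulnerabilities_identified": vulnerabilities_identified(findings),
        "unmanaged_hosts": unmanaged_hosts(inventory, findings),
        "open_findings_on_unmanaged": open_findings_on_unmanaged(inventory, findings),
    }


if __name__ == "__main__":
    for key, value in board_metrics(INVENTORY, FINDINGS).items():
        print(f"{key}: {value}")
```

The design choice worth noticing is that `pct_up_to_date` can only ever be computed over the inventory, so a healthy-looking patch percentage says nothing about `legacy-09`; reporting `unmanaged_hosts` next to it is what turns the asset-inventory work into a number a board can track.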