Making the Business Case for Modern Vulnerability Management
Share with Your Network
Security operations are growing in importance and urgency for many industries and high-profile entities. The latest PwC survey uncovered that 47% of CEOs worldwide consider cyberthreats a top business concern. In North America, that number is 69%. And yet the percentage taking significant steps to address these concerns is surprisingly low–just 31% globally.
The reason could lie in the gravitational pull of existing processes.
Many companies still rely on old-school, traditional approaches to managing security. This is especially true for vulnerability management, where teams are often so entrenched in their manual, laborious processes that it almost feels harder to implement a new approach than to continue existing methods, even if they’re far less efficient than new ones. Meanwhile, finite budgets must be stretched to meet the demands of all business-critical efforts. Layer in the intricate complications that remote work has created, and that equates to systems and solutions that don’t fully serve the people and data they’re trying to protect, perpetuated by a lack of motivation to make meaningful changes.
As it happens, security leaders face common hurdles in their quest to make smart security matter to their leadership.
Prioritizing simplified, unified security
You may know that leveling up your vulnerability management solutions is the way to future-proof your security operations, but you may also feel that this data-driven, predictive vision stops with you. That’s a short-sighted view, however. More effective and efficient risk remediation can be realized if you can make a winning business case for it.
Unpacking the “why” for any request or proposal is essential to making Security initiatives matter to executives and board members who don’t speak CVE. Framing your vision in terms of increasing business value and lowering business risk will assure stakeholders that you are partnering with them to help the business succeed. If this argument lies at the core of your proposal, terms like “ransomware” or “security operations” won’t cause their attention to wane.
3 key arguments to bolster a modern vulnerability management proposal
Here are the three key areas to shape your argument for adopting a modern vulnerability management strategy.
1. Frame it around risk. Business risk can often resonate when cyber risk doesn’t. Communicating the potential risk of maintaining a traditional vulnerability management solution–and worse, the potential risk of a breach–can gain buy-in. Traditional vulnerability management solutions are typically trapped in spreadsheets, bogged down with too many vulns that are falsely classified as critical, and can cause unproductive friction between Security and IT teams. This environment increases the likelihood of missing a truly dangerous vuln that ends in exploitation.
Effective vulnerability management prioritizes vulnerabilities by risk, specifically the risk they pose to your organization. Data-driven, risk-based vulnerability management is powered by data science, machine learning and enhanced real-world threat and vulnerability intelligence to not only paint a more accurate picture of your risk profile but predict which vulnerabilities are most likely to be exploited. Some leading vendors have such fine-tuned, calibrated models that they can predict weaponization with up to 94% accuracy, helping you dodge potentially crippling attacks.
When shopping for your vulnerability management vendor, look for solutions that offer the ability to account for your organization’s own appetite for risk as well as environmental factors such as assets and applications present and how critical they are to the business. Combined with advanced data science and enhanced intelligence, this allows you to not only predict what might be exploited but what might be exploited in your environment on your asset, empowering you to better understand the potential impact, make a more informed prioritization decision, and lower your overall risk profile.
Need additional resources on this? Tune into this episode of Security Science, hosted by Kenna Security: Reporting Risk to the Board.
2. Emphasize ROI. A “spray and pray” approach is not only ineffective, it’s costly. Traditional vulnerability management methods that have a “fix everything” mentality can overwhelm teams with too many vulns and not enough hours in the day. Remediation effort is spent on vulns that might not actually be dangerous, while truly dangerous vulns can get lost in the shuffle. This creates a drain on time, money, and effort (and ultimately, efficiency).
But if teams could access a list of data-verified action items that represented the highest risks to the company, remediation can be swift and decisive, with both Security and IT working toward the same common goals. Less time spent on vulns that don’t move the needle means more time dedicated to more strategic efforts.
Need some compelling stats? Hit them with this fact: Research shows that 2% to 5% of your vulnerabilities will be exploited, but CVSS-based approaches can assign as many as 40% of all CVEs a score of 7 or higher.
For a deeper dive, download a copy of The ROI of Effective Vulnerability Management.
3. Drive democratized security. Top vulnerability management solutions offer simple and intuitive interfaces which can help curb the difficulty created by increasingly complex environments. A new wave of intelligent, automated security technology is inviting more people to become active participants in the company’s cybersecurity efforts.
These self-service solutions negate the need for vulnerability management or reporting gatekeepers, freeing stakeholders, board members, and users without technology backgrounds to access the data and relevant KPIs they need, when they need them. A more comprehensive understanding of the company’s cyber risk can be adopted across departments, creating advocates for healthier cybersecurity practices and champions for risk reduction.
Risk scores offer a powerful use case of simplified, democratized security. Taking the idea of vulnerability scores a step further, risk scores determine the specific risk a vulnerability can pose to an organization based on external threat and vulnerability intel, exploit data, and the company’s own risk tolerance, yielding smarter and more accurate prioritization. A simple and easy way to communicate risk to anyone, risk scores often lend themselves to friendly competitions between remediation teams see who can achieve the lowest score of them all.
To learn how democratized security can help inform bigger cultural changes, check out How to Build a Cybersecurity Culture.
Get the conversation started—we’ve got what you need
These can be tough endeavors, made more difficult by lack of time, a laundry list of other priorities, and conflicting goals. However, given the new normal the cybersecurity landscape is settling into, these conversations can’t wait.
To help get the ball rolling and shape a winning argument for simplified, modern vulnerability management, here are a few helpful resources to pull from:
- [Podcast] How CIOs Get Things Done: Collin Boyce, CIO for the City of Tucson, on turning impossible ideas into real projects that achieve meaningful results
- [Ebook] How to Implement a Risk-Based Vulnerability Management Approach
- [On-demand education] Kenna Katalyst
- [Ebook] Seven Round Smackdown: Why New-School Risk-Based Vulnerability Management Beats Old-School Traditional Vulnerability Management