A CISO’s Adventures in Vulnerability Management

When I ran security at Orbitz, reporting on risk was always a challenge. My vulnerability management team wanted to ensure that we had a clear way to paint a picture of the organization’s overall exposure to risk—as well as describe the actions we had taken, month by month, in order to reduce it.

But frankly, we weren’t very good at it. The tools we had available to us didn’t equip us with a sufficient ability to see, measure, and monitor our risk landscape. Like so many other companies, we were forced to  play the numbers game and fall back on reporting on the sheer volume of vulnerabilities we addressed.

Fast forward several years, and I can see that little has changed. When I talk to companies, I find that reporting on vulns closed—rather than taking a more strategic view of risk—is still the primary modus operandi. It’s not unusual for companies to juggle multiple spreadsheets because they’ve maxed out the number of rows allowed within a single Excel file. And this is a problem.

According to Gartner, 99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident. “The top issue in vulnerability management is that organizations aren’t prioritizing their patching and compensating controls to align to vulnerabilities targeted by threat actors,” says Craig Lawson, research vice president at Gartner.

We all know that prioritizing vulnerabilities isn’t easy. That’s why organizations play the numbers game. The more vulns you close, the more likely you are to close the right ones, right? Except we also know that’s not the case. No one is sleeping better at night based on the number of vulnerabilities you closed last month.

But what if you could automate the process of ranking and prioritizing vulnerabilities? You could begin to understand and reduce your organization’s true exposure to risk. You could finally ditch those cumbersome spreadsheets and move towards an approach where you’re evaluating exposure to risk, rather than counting beans (or vulnerabilities, as the case may be). The appropriate arranging of assets, an integration of those assets with external exploit intelligence, and a clear, simple reporting metric could all be used to paint a picture of risk that even the most non-technical person on your board can easily understand.

For 2018, we’ve updated our white paper that explores this very topic and explains how organizations can measure, report on, and actually reduce vulnerability risk. It’s not as hard as you think. So download the white paper and prepare to say goodbye to your spreadsheets!