Five Requirements for Effective Cyber Risk Management

Feb 27, 2018
Sam Osborn


When it comes to vulnerability management, it’s all about quality, not quantity. It doesn’t matter how many vulnerabilities you closed last month if you left open the one high-risk (high-quality, if you’re an attacker) vulnerability that will grant malicious actors access to sensitive data.

According to Gartner, zero-day vulnerabilities will play a role in less than 0.1% of attacks, excluding sensitive government targets, through 2020. That means the vast majority of attacks will exploit vulnerabilities that could have been patched but weren’t.

Poring through spreadsheets and creating 500-page PDFs isn’t just inefficient; it’s simply no longer enough to ensure that the right vulnerabilities are addressed at the right time. The rise of automated attacks means that security teams need to make their own practices as precise and metric-driven as possible.

To help security organizations get a jump start on this problem, we’ve created a new white paper that explains the five requirements for effective cyber risk management. Here is a quick preview to help you start thinking about what you need to identify high-risk vulnerabilities and prioritize vulnerability remediation efforts.

Requirement #1: Know Your Assets

Do you know where all your assets and applications are? What is your current assessment coverage? How do you discover new threats?

Requirement #2: Know Your Business

Are you performing threat modeling? What threats exist to your business? Are you a target?

Requirement #3: Know Your Current Risk Posture

Where are your security weaknesses and vulnerabilities, and which ones are the most likely to be exploited? How do you determine likelihood and impact?

Requirement #4: Know Your Resource Constraints

What can you get done with the resources you have? Are you accounting for budget, time, and people?

Requirement #5: Know Your Direction

Are you reducing risk over time? Given the previous four requirements, what is an achievable goal for risk reduction?

Bonus: Know What’s Coming

Are your vulnerability management efforts maturing beyond proactive to being predictive? Can you determine which vulnerabilities will become high-profile targets?

If you aren’t able to answer all these questions, don’t worry; you’re not alone! Many organizations are still slogging their way through spreadsheets and cumbersome reports. But there is another way, so check out the white paper to learn how you can answer the questions above and establish a cyber risk management program that focuses on quality, not quantity.

Get your copy of Close What Matters: 5 Requirements for Reducing Vulnerability Risk


© 2022 Kenna Security. All Rights Reserved. Privacy Policy.