A CISO’s Guide to Making Vulnerability Management Matter to Your Board (Part 2)
This is Part 2 of our CISO’s guide blog series. Part 1 discusses communicating cyber risk to the board.
It’s a rare board member who gets really excited about vulnerability management. The topic of assessing your host, network, and application vulnerabilities and strategies to remediate them is likely to cause most directors to look for the door.
Sure, vulnerability management is important, they acknowledge. Just not at that altitude.
That is unless you approach vulnerability management from the perspective that every board member cares about deeply. I’m talking about risk.
Every board member cares about risk. A Deloitte study found that risk was the No. 2 priority for board members and corporate secretaries. Boards spend a lot of time weighing the potential impact of exposures to their business. In fact, this is a big part of their role.
The challenge for CISOs, though, is figuring out just how to break through. Simply reporting the number of closed vulnerabilities probably won’t get them interested, nor should it.
I’ve written before about how my own experience running security for Orbitz gave me firsthand experience with the challenge of reporting about vulnerability management to our board of directors. We knew they cared about reducing risk, but we lacked the tools and insights we needed to show how we were reducing the risk caused by cyber threats. So we talked about closed vulnerabilities and walked them through some god-awful Excel-driven severity matrices as they patiently waited until something more interesting came up.
How to engage the board
So how do you build on the progress you’re making in the vulnerability management realm and shape it in a way that interests and engages your board? Do these three things.
1. Understand the criticality of your various asset inventories and application portfolio. For example, you may know that a particular asset contains all of your highly sensitive customer or regulated data, whereas another group of assets is a set of workstations containing code for internal conference room booking, which is not actually important or sensitive. If both of those assets have the same likelihood of a security event, you want to focus on the one with the most impact on the business, and prioritize the vulnerabilities in that environment first. Side note: During this exercise, it’s important to understand the value not only to your business but also to the attacker. A frequent example I like to use is your public-facing website. This site may contain only marketing material about your company, and all of its data is completely public, so confidentiality, in this case, isn’t a big concern. However, this same website is visited by millions of your customers and prospects every month. If an attacker exploits a vulnerability to upload malware to your site, your application can suddenly be used to attack your customers and prospects.
2. Determine a true risk metric. Once you have arranged your environment to represent some degree of importance and potential impact to the business, the real work begins: you need a true metric to measure risk. As I’m sure is clear by now, reporting on the number of closed (or open) vulns is the wrong metric to choose. What you need to do is bring together your assets and applications with intelligence on what’s happening “in the wild”; in other words, what activity increases the likelihood of an event? Whether it’s poor password policies, misconfiguration issues, or critical vulnerabilities that are actively being exploited either through targeted attacks or as targets of opportunity, it’s this real-time context that suddenly turns a simple number into a story that even a “normal” person (or board member) can understand.
3. Report on this metric repeatedly, and over time. Day to day, month to month, quarter to quarter. Metrics are made to be tracked, and you need to track your progress and map it to your goals.
The metric you report to board members needs to be simple, understandable, and repeatable, showing historical trends:
- Here’s where we are
- Here’s where we’re going
- Here’s how we’re getting there
Don’t forget you’re telling a story. Be sure to describe the journey, what it’s going to take from a cost and resource perspective to reach your goals, and how you’re going to get there. Map these goals to the goals of the business and align the two.
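To make the three steps above concrete, here is an added example (not part of the original post or of any Kenna product) that scores each finding as asset impact multiplied by an exploit-aware likelihood, then compares two reporting periods. All asset names, impact weights, CVSS values, and the likelihood multipliers are constructed assumptions chosen to illustrate the approach, not published formulas.

```python
"""Constructed example: a trendable risk metric that weights each finding by
asset impact (step 1) and by 'in the wild' exploit context (step 2), so the
same number can be reported period over period (step 3)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int  # 1..5, value to the business AND to an attacker (assumed scale)


@dataclass(frozen=True)
class Vuln:
    asset: str
    cvss: float                    # 0..10 scanner base severity
    exploited_in_wild: bool = False
    exploit_public: bool = False


def likelihood(v: Vuln) -> float:
    """Map severity plus exploit context to a 0..1 likelihood (assumed multipliers)."""
    base = v.cvss / 10.0
    if v.exploited_in_wild:
        return min(1.0, base * 2.0)   # active exploitation dominates everything else
    if v.exploit_public:
        return min(1.0, base * 1.5)   # public exploit code raises likelihood
    return base * 0.5                  # no known exploit: discount heavily


def risk_snapshot(assets, vulns):
    """Return (open vuln count, total risk, per-asset risk) for one reporting period."""
    impact = {a.name: a.impact for a in assets}
    per_asset = {a.name: 0.0 for a in assets}
    for v in vulns:
        per_asset[v.asset] += impact[v.asset] * likelihood(v)
    total = round(sum(per_asset.values()), 2)
    return len(vulns), total, {k: round(x, 2) for k, x in per_asset.items()}


# Constructed asset groups; the marketing site holds public data only but is rated
# high because an attacker can use it to reach millions of visitors (step 1 side note).
ASSETS = [Asset("customer-db", 5), Asset("public-website", 4), Asset("room-booking-ws", 1)]

# Constructed Q1 findings: an actively exploited bug sits on the customer database.
Q1 = [Vuln("customer-db", 9.8, exploited_in_wild=True),
      Vuln("public-website", 7.5, exploit_public=True),
      Vuln("room-booking-ws", 6.0)]
# Constructed Q2 findings: that bug is fixed, but a scanner refresh added six
# low-risk workstation findings, so the raw count rises while risk falls.
Q2 = [Vuln("public-website", 7.5, exploit_public=True)] + \
     [Vuln("room-booking-ws", 5.0) for _ in range(6)]

if __name__ == "__main__":
    for label, period in (("Q1", Q1), ("Q2", Q2)):
        count, total, by_asset = risk_snapshot(ASSETS, period)
        print(f"{label}: open vulns={count} risk={total} {by_asset}")
```

Run as-is, the output shows the count climbing from 3 to 7 while the risk score drops from 9.3 to 5.5, which is the trendline the board conversation in this post is built around.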
Manual vs. Modern Vulnerability Management
Following these general guidelines, you can create the reporting environment you need without a Modern Vulnerability Management platform like Kenna Security. But that’s a heavy lift for most security, operations, and dev teams. Doing this manually is time-consuming and painstaking.
Kenna automates and operationalizes much of this process: It takes into account internal and external assets along with external threat intelligence from 20+ individual sources, and then uses data science (including machine learning and natural language processing) to predict which vulns are likely to be exploited, giving you the critical context you need to assess the potential impact of each vulnerability on your particular organization. The result is actionable security intelligence based on a data-driven assessment of the risk.
Kenna’s dashboards also incorporate an intuitive Risk Meter that can be assigned to different asset groups and applications (hosts, network, applications, etc.) so anyone can quickly ascertain the relative risk posture of your organization or certain aspects of it. And for reporting your risk reduction progress over time, simply choose to display a trendline of risk (superimposed against vulnerabilities, just in case you can’t live without that number) and create a report that is truly board-ready.
As leading analysts have acknowledged, taking a risk-based vulnerability management approach is efficient, effective, and (when it comes to board reporting) powerful. Imagine having the conversation where you explain that vulnerability counts are going up, but the overall risk is going down, because the team is remediating the vulnerabilities that represent the greatest risk to the business rather than chasing the latest high-profile (but low-risk) vuln or closing a mountain of non-critical vulnerabilities that actually pose no threat to you. That non-intuitive yet illuminating trendline is far easier to attain if your yardstick is risk rather than the usual numbers game.
At Kenna, we find that presenting a trendline of risk sparks important conversations. People begin to understand the company’s past trajectory and future path. And it becomes much easier for CISOs to discuss budget allocations to help support critical aspects of the business that still may be exposed to risk.
Explore how focusing on risk helps you align everyone — from security teams to board members — around a Modern Vulnerability Management approach.
*The post appeared first on Kenna Security on January 11, 2016, and was updated and republished on September 14, 2021.