What New Findings Offer Security Professionals in the Race Against Risk
Share with Your Network
High-profile breaches may generate headlines, but even more insidious, under-the-radar attacks are slowly earning attention—some at great cost to those writing the headlines. Journalists themselves are discovering they are targets of social engineering attacks, organizations are uncovering glaring vulnerabilities introduced by employee side hustles, and hackers are launching attacks by mimicking business-critical applications like Adobe Acrobat.
Now add in IT supply chain intricacies, growing connectivity, and environmental complexity, and nation-states emerging as the new face of threat actors, and a discouraging landscape emerges. The world is changing quickly, and security leaders are taking action to try to keep pace. The name of the game isn’t to outrun the next big attack but to respond to it, survive it, and emerge stronger from it.
Gartner recently revealed a handful of sobering predictions, one of which conveyed a stark forecast for the future of cybersecurity and the world at large. By 2025, Gartner predicts that 70% of CEOs will institute organizational resilience to weather increased cyber-attacks, climate change, and global unrest.
Even without a crystal ball, it’s safe to say the strategies that carried the security world into this era won’t be those that carry us forward.
In the race against increasing risk, recent findings point to potential paths forward.
Spurred by an increasingly unpredictable climate, the Enterprise Strategy Group surveyed 398 security and IT professionals to get a sense of common challenges, goals, and solutions taking place in the wild. These survey results, presented in ESG’s Security Posture and Hygiene Management report, offer a deeper understanding of hurdles preventing teams from harnessing powerful tools like machine learning or exploit prediction. It also provides a glimpse into how organizations manage in the face of increased risk and security complexities.
Enterprise Strategy Group Senior Principal Analyst and ESG Fellow Jon Oltsik and Co-founder and CTO of Kenna Security Ed Bellis recently met to discuss these survey findings, talk about what’s holding businesses back, and share what teams can do to upgrade their environments and vulnerability management strategies to meet today (and tomorrow’s) evolving landscape.
Do these sound familiar? You’re not alone.
The ESG survey underscored some common setbacks plaguing Security and IT teams across North America. And while it seems like a disheartening practice to highlight areas needing drastic improvement, it’s paramount to understand where the gaps are that need the most attention and resources.
You’re sparring with spreadsheets. An overwhelming 73% of survey respondents admit to still relying on static, cumbersome spreadsheets to help manage pivotal aspects of their security operations. This is a significant problem, according to Oltsik. “Anytime you’re using spreadsheets, what does that mean? It means you’re asking people for data, you have to put it in a spreadsheet, you have to normalize the data, and you have to de-dupe the data. And that’s just to understand what the data says, not even to reach any decision point.”
You need to reach that point faster than ever before. With attacks picking up in severity and frequency, security leaders need near real-time insights to be as decisive and strategic as possible. Spreadsheets are anything but real-time.
CVSS still holds sway. Another important indicator that an organization needs a vulnerability management overhaul is a dependency on CVSS scores to inform vulnerability prioritization. The eighth volume of Prioritization to Prediction (part of a joint research effort with Cyentia Institute) measured the effect of vulnerability prioritization strategies on organizational exploitability. CVSS scores ranked near the bottom of the pack, virtually tying in terms of effectiveness with the questionable practice of remediating vulnerabilities at random. These two strategies—CVSS prioritization and random remediation—performed marginally better than taking no action at all.
Why? CVSS-based strategies designed to remediate everything above a certain threshold (say, CVSS 7.0 or above) don’t account for the unique impact a vulnerability might have on a specific organization, its business-critical assets, or its appetite for risk, and its desirability as a target. “Adversaries aren’t looking at CVSS scores,” explains Oltsik. “They’re looking at the easiest way to penetrate a network and conduct a cyber-attack.”
Security and IT are at odds. Lastly, animosity between Security and IT teams can drag on vulnerability management effectiveness and efficiency. In more traditional environments, Security works through heaps of threat and vulnerability data, prioritizes the riskiest vulns, and passes the fix list off to IT to remediate. From the jump, there are flaws in this approach, Oltsik mentions. “People are making those decisions based upon multiple inputs, which means you either have to coordinate or correlate all these inputs, or you need to make manual decisions again.” And without a source of data-verified truth, trusting the fix list and then measuring remediation efforts is a struggle, leaving IT feeling frustrated. “We’ve definitely seen throwing [fix lists] over the wall, usually in a giant PDF report, doesn’t really do much for anyone,” adds Bellis.
Here’s what other security professionals are recommending
Part of the ESG survey took a solution-oriented approach, asking participants what steps organizations could take to level up their vulnerability management and meet the demands of today’s cybersecurity challenges. These five recommendations from survey respondents topped the list.
- (35%) Integrate vulnerability management with other Security and IT technologies.
- (30%) Establish KPIs, metrics, and reports that build business-wide buy-in.
- (28%) Provide richer vulnerability management training company-wide.
- (28%) Gain deeper insight into asset exploitability, exposure, and impact on critical systems.
- (28%) Continuously update attack surface inventory for more accurate vulnerability scans.
Good news: Companies are getting it right.
For those who feel these recommendations seem out of reach, take heart. There are teams out in the wild taking meaningful steps toward achieving a more resilient and secure environment. Oltsik says one of the areas he sees teams excelling in is improving the process from vulnerability discovery to the patching lifecycle. He says ESG also sees “better integration of threat intelligence, use of risk scoring, and integration into the IT operations tools like case management and trouble ticketing. Right now, those are done by more sophisticated organizations, but I think it’s a leading indicator of what we’ll see in the future.”
And Bellis notes that some of the most successful organizations employ risk-based SLAs. “They want to look at how important the asset is, the vulnerability risk on that asset, and assign a service level agreement accordingly.” Risk-based SLAs offer a highly tailored and more manageable way to tackle vulnerabilities.
Take steps today to secure your tomorrow.
Modernizing and streamlining your vulnerability management approach is imperative to future-proofing not only your Security operations but your business. And as the stakes keep rising, the time to act is now.
For more expert insight into the ESG survey findings and emerging best practices, watch the replay of Posture Perfect: 5 Tips for Straightening up Your Vulnerability Management Program. You can also download your copy of ESG’s Security Hygiene and Posture Management to follow along.