This is CARTA – Vulnerability Management that Prioritizes Risk Reduction AND Business Enablement


“We can’t do everything, so what should we be doing?”

At the 2019 Gartner Security and Risk Summit in National Harbor, Maryland, Gartner analyst Brian Reed outlined 10 cybersecurity projects that could help reduce security risk.

While the list of top projects includes five repeats from the 2018 list and five new or modified projects, Reed explained that the projects should be prioritized by asking the following three questions:

  1. Where can security better enable our business?
  2. Where can I reduce the most risk given the amount of resources available?
  3. Does it support a CARTA (Continuous Adaptive Risk and Trust Assessment) strategic approach?

Essentially, organizations should choose projects with the primary goal of maximizing business enablement. Reed recommended finding projects that enable the business while also reducing organizational risk.

“If you can do only two things in 2019, implement an intelligent, CARTA-inspired approach to project and MFA for admins.” (Brian Reed, Gartner Analyst)


This is CARTA

Deemed an “easy” project and ranked as one of the Top 10 Security Projects for 2019 by Gartner, the creation of a CARTA (Continuous Adaptive Risk and Trust Assessment)-inspired program has been rising on the to-do list of every CISO and CIO we talk to. While simple in its fundamentals, a CARTA-inspired program zeroes in on several issues with security data generation and handling that organizations struggle with in the day-to-day management of vulnerabilities and exposures. A CARTA-inspired vulnerability prioritization and management program typically focuses on the following core elements:

Full Visibility and Context of Assets and Risk

  • An organization can only protect what it is aware of. A strong CARTA-inspired program starts with continuous asset discovery and management and continues through the asset lifecycle. These efforts, while important, are only the first step. To intelligently prioritize vulnerabilities and overall risk, asset data needs to be enriched with business context to provide an essential understanding of the asset’s overall importance and criticality to the business.

Continuous Vulnerability Assessment

  • As organizations expand the frequency and intensity of vulnerability scanning, the number of identified issues skyrockets. Most organizations have more vulnerabilities than they have time and resources to fix. Prioritizing vulnerabilities and exposures has therefore become a pressing issue as organizations attempt to focus their limited resources where they have the most impact.

Reporting and Analytics

  • IT security and management systems create volumes of data, but most of it is only narrowly usable. Accurate reporting has always required correlating data across security and management systems, but variances in technology and accessibility have driven many organizations back to spreadsheets and manual correlation to produce the necessary reports. As a result, most organizations struggle to produce accurate and meaningful reports for their different technical and non-technical audiences and stakeholders.

Adaptability to Change

  • As security conditions change and threats emerge, CARTA-inspired vulnerability management programs need to be flexible enough to adapt to those changes. Traditionally, incorporating new data and technologies is difficult if the management process is not built from the premise that the data, business, and security needs of the organization will change over time. The most mature programs are the ones that focus on proactive reporting and prioritization of issues, maximizing the efficient use of resources and driving down the cost of operating the business securely.


We can’t do everything so what should we be doing?

All patches are not equal. Reed encouraged attendees to acknowledge that we will never reach a state where we are 100% patched. However, we can mitigate this risk by adopting the CARTA strategy and taking a risk-based approach to patch management: focusing first on the systems and vulnerabilities that carry the highest risk, judged by both technical severity and the importance of the affected asset to the business.
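The following is an added illustration of the risk-based prioritization described above and in the "Full Visibility" and "Continuous Vulnerability Assessment" elements earlier on this page. It is example code written for this article, not NorthStar Navigator's scoring model or Gartner's method. All asset, finding and score data is constructed, the vulnerability IDs are placeholders, and the 1-to-5 criticality scale, the +1 for internet exposure and the +2 bump for a known exploit are assumptions chosen to make the ranking visible. It also shows two practical details the text only alludes to: normalizing hostnames so scanner output correlates with the asset inventory, and flagging findings on hosts the inventory does not know about (a visibility gap, not something to silently drop).

```python
"""Risk-based vulnerability prioritization: rank scan findings by technical
severity combined with the business importance of the affected asset.

Added example for this article; not NorthStar Navigator code. All data below
is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    business_criticality: int   # assumed scale: 1 (lab box) .. 5 (crown jewel)
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    scanner_host: str   # hostname exactly as the scanner reported it
    vuln_id: str        # placeholder ID, not a real CVE
    cvss: float         # base score 0.0 .. 10.0
    exploit_known: bool # public exploit or observed exploitation


def normalize_host(name: str) -> str:
    """Scanner says 'WEB01.corp.example', inventory says 'web01'. Lower-case and
    strip the domain so the two data sources correlate (assumed convention)."""
    return name.strip().lower().split(".")[0]


def technical_severity(f: Finding) -> float:
    """CVSS plus an assumed +2.0 bump when an exploit is known, capped at 10."""
    sev = f.cvss + (2.0 if f.exploit_known else 0.0)
    return min(10.0, sev)


def business_importance(a: Asset) -> int:
    """Criticality 1..5, plus an assumed +1 for internet exposure, capped at 5."""
    imp = a.business_criticality + (1 if a.internet_facing else 0)
    return min(5, imp)


def risk_score(f: Finding, a: Asset) -> float:
    """Severity (0..10) times importance (1..5): 0..50, rounded for stability."""
    return round(technical_severity(f) * business_importance(a), 1)


def prioritize(findings, inventory):
    """Return (ranked, unknown): ranked is [(finding, score)] highest risk first;
    unknown holds findings on hosts missing from the inventory."""
    ranked, unknown = [], []
    for f in findings:
        asset = inventory.get(normalize_host(f.scanner_host))
        if asset is None:
            unknown.append(f)           # visibility gap: fix the inventory, don't discard
            continue
        ranked.append((f, risk_score(f, asset)))
    # Highest score first; ties broken by raw CVSS, then ID for a stable order.
    ranked.sort(key=lambda t: (-t[1], -t[0].cvss, t[0].vuln_id))
    return ranked, unknown


def cvss_only_order(findings):
    """What a severity-only patch queue looks like, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: (-f.cvss, f.vuln_id))]


# Constructed inventory, keyed by normalized hostname.
INVENTORY = {
    "web01": Asset("web01", business_criticality=4, internet_facing=True),
    "db01": Asset("db01", business_criticality=5, internet_facing=False),
    "test07": Asset("test07", business_criticality=1, internet_facing=False),
}

# Constructed scan output; note the un-normalized hostname and the unknown host.
FINDINGS = [
    Finding("WEB01.corp.example", "F-1001", cvss=7.5, exploit_known=True),
    Finding("db01", "F-1002", cvss=9.8, exploit_known=False),
    Finding("test07", "F-1003", cvss=9.8, exploit_known=True),
    Finding("kiosk03", "F-1004", cvss=6.5, exploit_known=False),
]


if __name__ == "__main__":
    ranked, unknown = prioritize(FINDINGS, INVENTORY)
    print("CVSS-only order :", cvss_only_order(FINDINGS))
    print("Risk-based order:", [(f.vuln_id, s) for f, s in ranked])
    print("Not in inventory:", [f.vuln_id for f in unknown])
```

Run stand-alone, the CVSS-only queue puts the two 9.8 findings at the top, including the one on a low-criticality test host, while the risk-based queue ranks the database server first, the exploited-in-the-wild 7.5 on the internet-facing web server second, and the test host last. The finding on kiosk03 is reported separately because an asset the inventory does not know about cannot be scored, which is exactly the "you can only protect what you are aware of" point from the visibility element above.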


How to Effectively Prioritize and Remediate Vulnerabilities

According to Gartner, “by 2022, 60% of large enterprises will influence their operational risk and cybersecurity budgets with business-facing service descriptions, costing and governance related to business units selecting their desired level of cost and risk.”*

NorthStar Navigator is uniquely positioned to help organizations plan, deploy, and manage a CARTA-inspired vulnerability management program that frames their risk decisions in a business context. Rooted in the belief that organizations do not need help generating security and management data, NorthStar Navigator instead helps them leverage the existing, inconsistent, and disparate data they already have, providing a platform for collecting, consolidating, and correlating that data into a single source of truth for assets and vulnerabilities.

Capitalizing on this newly accurate and actionable information, NorthStar Navigator provides individualized scoring for the technical severity and business importance of assets as a means of prioritizing remediation efforts. Built from the ground up on a flexible data model, NorthStar Navigator allows organizations to incorporate the most meaningful and impactful data available to drive the technical severity, business importance, and prioritization of vulnerabilities both today and into the future. That same flexible data model lets users quickly create data visualizations and reports in the front-end GUI that satisfy the varying needs of the organization and its individual stakeholders in a single pane of glass.


For more information about how NorthStar Navigator can empower your CARTA-inspired vulnerability management program, visit HOW IT WORKS.

Or contact us for a FREE demo!


*Gartner, Seven Imperatives to Adopt a CARTA Strategic Approach, 10 April 2018