Most of us have experience with following a tight budget in our personal lives. When funds are low, there are always certain expenses we have to push down the priority list in favor of paying for something more crucial to our day-to-day functioning, such as housing or electricity. Likewise, security teams in most organizations follow a very tight budget and need to be able to rank which items are most important to their daily functions. The recent Gartner report, “Seizing Opportunities in Risk-Based Vulnerability Management”* explains “while infrastructure vulnerabilities continue to rise, exploits remain relatively stable. As such, buyer demand is shifting toward the prioritization of vulnerabilities and security defects.” A growing number of organizations are finding the emerging RBVM framework to be a critical part of their risk prioritization process.

Finding a signal in the noise

At home, the process of prioritizing which tasks and bills are most crucial is usually straightforward. When the task is amplified to securing an organization, there are many more moving parts to address. The key to effective planning in this situation is having a good understanding of which risks are most relevant and will have the most impact in the real world. This is no small feat, and something where having expert advice is absolutely critical.

“Reported infrastructure software vulnerabilities continue to rise. It’s impossible for any organization to implement a policy of patching everything, given a lack of time, resources and — in some cases — patches. More to the point, it’s not necessary. Sources differ, but it’s estimated that between 2% and 9% of vulnerabilities are actively exploited.” 

Gartner “Seizing Opportunities in Risk-Based Vulnerability Management,” Dale Gardner, 10 December 2018

Figuring out which vulnerabilities are an active threat requires sorting through a massive amount of constantly changing data, something few organizations have the bandwidth to do themselves. Having an RBVM tool that provides this information can save businesses a lot of time and effort.

Finding the value of RBVM

RBVM offers value to security organizations in numerous ways:

Explaining Business Case

One of the most difficult tasks for any security group is to provide documentation to management that illustrates the value of their work, in order to justify budget requirements. RBVM helps provide a clear way to explain the total number of vulnerabilities that need to be addressed, which risks need to be addressed most urgently, as well as the progress made to decrease the number and severity of threats.

Contextual Data

No two organizations are alike, and an accurate assessment of risk needs to include this contextual information. The use of compensating controls such as intrusion prevention systems, encryption or network segmentation will naturally decrease a company’s level of risk. But it can be difficult to quantify how much these things truly accomplish in response to real-world threats. With context-informed data, security groups can also better prioritize their monitoring efforts. 

Aiding Ongoing Risk Assessment

More and more businesses are required by government regulation to perform ongoing risk assessments. This can seem like a Sisyphean task all by itself. But this is only the first step; the next is to mitigate that risk. As the set of vulnerabilities that are actively being exploited, as well as the trust relationships between people and devices within an organization, is constantly changing, it’s important to include “Continuous Adaptive Risk and Trust Assessment” activities in an effective risk management program.

Focusing our efforts

Each new data breach that makes the news brings a new example of another company that has been attacked via a vulnerability that has already been patched. While it’s easy for an observer to shake their finger and say the business “should” have already applied the patch, the reality is seldom so simple. The security group within the organization may well have been overwhelmed by dealing with a mountain of patches that needed to be tested before they were implemented, or they may have been busy putting out fires that were deemed “urgent” but which posed less real risk to the organization.

Ideally, each of us would have enough time and resources to fix all the security issues within our infrastructure. But if you’re not starting from a secure state (few of us are!) you would still need to be able to prioritize which things get handled first. We all need to do the best with the resources we have, which means we need to determine which items get more time and resources, and in what order. We also need to make sure we’re not spending more to control a threat or vulnerability than the potential damage it could do to the business.
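Two of the points above, that compensating controls change an asset's real exposure and that remediation should not cost more than the damage it prevents, can be made concrete with a small scoring model. The following Python is an added example written for this post; it is not NorthStar Navigator's code or any product's algorithm. Every asset, finding, control strength, the hourly rate and the 5% weighting applied to vulnerabilities that are not known to be exploited are constructed assumptions (the 5% sits inside the 2% to 9% range quoted above), and the vulnerability identifiers are placeholders rather than real CVE numbers.

```python
# Added example, not NorthStar Navigator's code: a minimal risk-based
# prioritisation of vulnerability findings. All assets, findings, control
# strengths, costs and probabilities below are constructed for illustration.
from dataclasses import dataclass, field

# Assumption: a finding not known to be actively exploited is weighted at 5%,
# inside the 2%-9% exploitation rate the article cites; exploited ones at 100%.
P_EXPLOIT = {True: 1.0, False: 0.05}
HOURLY_RATE_USD = 150.0  # assumed blended cost of one hour of remediation work


@dataclass
class Asset:
    name: str
    loss_if_compromised_usd: float  # business impact: the "context" the article mentions
    # compensating control -> fraction of exploit paths it is believed to block
    controls: dict = field(default_factory=dict)


@dataclass
class Finding:
    vuln_id: str              # placeholder ids, deliberately not real CVE numbers
    asset: Asset
    cvss: float               # 0-10 base severity from the scanner
    actively_exploited: bool  # threat-intelligence signal
    fix_hours: float          # estimated effort to test and deploy the patch
    covered_by: tuple = ()    # controls on the asset that sit in front of this path


def residual_exposure(f: Finding) -> float:
    """Fraction of attack paths left open after compensating controls."""
    exposure = 1.0
    for ctrl in f.covered_by:
        exposure *= 1.0 - f.asset.controls.get(ctrl, 0.0)
    return exposure


def expected_loss(f: Finding, use_context: bool = True) -> float:
    """Severity x exploitation likelihood x business impact x residual exposure."""
    residual = residual_exposure(f) if use_context else 1.0
    return (f.cvss / 10.0) * P_EXPLOIT[f.actively_exploited] \
        * f.asset.loss_if_compromised_usd * residual


def fix_cost(f: Finding) -> float:
    return f.fix_hours * HOURLY_RATE_USD


def prioritize(findings, use_context: bool = True):
    """Highest expected loss first; the cheaper fix wins ties."""
    return sorted(findings, key=lambda f: (-expected_loss(f, use_context), fix_cost(f)))


def worth_fixing(f: Finding) -> bool:
    """Do not spend more on the fix than the damage it is expected to prevent."""
    return fix_cost(f) <= expected_loss(f)


# Constructed inventory: three assets with different impact and controls.
PAYMENTS = Asset("payment-gateway", 500_000.0, {"ips": 0.8, "segmentation": 0.75})
BUILD = Asset("dev-jenkins", 20_000.0)
WEB = Asset("public-web", 200_000.0, {"waf": 0.7})

FINDINGS = [
    Finding("VULN-A", PAYMENTS, 9.8, True, 16, covered_by=("ips", "segmentation")),
    Finding("VULN-B", BUILD, 7.5, True, 4),
    Finding("VULN-C", WEB, 9.1, True, 8, covered_by=("waf",)),
    Finding("VULN-D", PAYMENTS, 5.3, False, 2),
    Finding("VULN-E", BUILD, 4.3, False, 40),
]


def ranking(use_context: bool = True) -> list:
    """Ordered list of vulnerability ids, optionally ignoring compensating controls."""
    return [f.vuln_id for f in prioritize(FINDINGS, use_context)]


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.vuln_id} on {f.asset.name}: expected loss ${expected_loss(f):,.0f}, "
              f"fix ${fix_cost(f):,.0f}, {'fix' if worth_fixing(f) else 'defer/accept'}")
    print("without context:", ranking(use_context=False))
```

Run with context, VULN-C on the public web server outranks the critical-severity VULN-A on the payment gateway, because the IPS and network segmentation in front of the gateway are assumed to close most of that path; ignore the controls and VULN-A jumps back to the top, which is the "contextual data" effect described above. VULN-E is flagged for deferral because its estimated fix cost exceeds the loss it would prevent, the second point above. In practice the control strengths and loss figures are the hard part to estimate, which is exactly where the article argues that expert, continuously updated data earns its keep.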

It can be difficult to sort through a growing pile of vulnerabilities in order to determine what’s causing the greatest risk for your organization. Companies benefit from having expert assistance and advice that will help them determine what security efforts will truly bring them the best return on investment. As the number of vulnerabilities discovered each year is likely to continue to increase, the value of this advice to an organization will also continue to grow.

Contact us for more information on how NorthStar Navigator can empower your risk-based vulnerability management program.

Gartner “Seizing Opportunities in Risk-Based Vulnerability Management,” Dale Gardner, 10 December 2018

*Gartner subscription required