Most Organizations Lack the Tools and Processes to Assess and Prioritize Risks and Vulnerabilities from the Business Perspective…
Recent security breaches at major retailers such as Target, Neiman Marcus and Michaels Stores have given further visibility of and placed a greater urgency around IT risks that have a direct impact on the business. For many years, information security has taken a back seat to other corporate priorities, but security has evolved — and moved up the corporate ladder — from simply restricting access to a few monolithic systems, to enabling safe access in a business environment that is dynamic, global, and always on.
Security is no longer just a technical issue that can be managed in bits and bytes; it’s a core business issue. Modern networks and data centers consist of many complex and intertwined business applications — from commercial off-the-shelf applications such as SAP and SharePoint, to homegrown applications performing custom business logic, to third-party cloud-based services — and all of them are critical for the business to run.
A security breach or an outage to a business application or an entire network has a direct impact on a company’s bottom line. Security has to be effective enough to minimize risks to the business but also must enable the business to be agile in order to stay relevant and competitive. This requires a different approach to vulnerability management and a shift in the way security is viewed.
The traditional risk management approach is very technical, often displaying risks for servers, IP addresses, and other elements that are rarely understood by the business. How can a business owner make a sound risk remediation decision if the risk isn’t truly understood? According to Gartner, “risk and the accountability for risk acceptance are – and should be – owned by the business units creating and managing those risks.”
But most organizations today lack the tools and processes to assess and prioritize risks and vulnerabilities from the business perspective and end up defaulting to one of these approaches:
1. Severity – rushing to fix the most critical vulnerability first (e.g. based on CVSS score) is problematic. Do you really need to rush to fix a critical vulnerability on a non-mission-critical server that holds no confidential data?
2. Threat Path Analysis – trying to predict which vulnerabilities an attacker would chain together to make the multiple “hops” required to reach a critical asset may look great on paper. In reality it requires a lot of overhead (as if security professionals do not have enough work), and the end result is often disconnected both from how attacks are actually conducted and from what business stakeholders value most. As recently noted by the Ogren Group, “organizations reduce the risk of disclosure events by assuming critical resources are exposed to all threats, regardless of threat paths or how many hops an attack must take before finding a vulnerable resource.”
3. Asset Tagging – tagging assets and associating them with a line of business works well until things start to change, which in most environments is just about every day. Because new servers are typically provisioned by teams that do not include the risk and vulnerability staff, the new servers are never tagged with their business line, and the tagging data quickly becomes unreliable.
So what does it take to truly evolve to an application-centric vulnerability approach, where vulnerabilities are viewed and prioritized by business application, and not just individual servers? For starters, you need to get business stakeholders on board – starting with senior executives. Associating risks with a line of business enables security teams to more effectively communicate with their business and application owner counterparts. This provides organizations with extended visibility that enables them to be accountable and truly “own the risk”.
From a technical perspective, you need to be able to map out your applications, along with their complex connectivity requirements, and tie this mapping to a sound change management process so the data stays accurate as the environment changes. This is easier said than done, but it is with good reason that in a recent survey of 240 organizations nearly half of the respondents said they want to prioritize network vulnerabilities by business application (by far the most popular response). Having this type of visibility elevates security and wins it a seat at the highest of tables – and the people at this table speak in business terms, not CVSS scores.
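To make the contrast between a severity-only ranking and an application-centric one concrete, here is a small Python example added to this article. It is not the author's code or any vendor's product logic; the applications, criticality and data-sensitivity weights, host-to-application map and scanner findings are all constructed for illustration, and the finding IDs are placeholders rather than real CVEs. The same findings are ranked two ways: by raw CVSS, and by CVSS scaled with the owning application's business criticality and data sensitivity. A host that has no application mapping (the untagged-new-server problem from point 3) is reported as an inventory gap instead of being ranked or dropped.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- Constructed sample data (illustrative only, not from the article) -------
# Business context per application: criticality to the business (1 = low,
# 5 = mission critical) and the most sensitive class of data it handles.
APPLICATIONS: Dict[str, dict] = {
    "payments":  {"criticality": 5, "data": "cardholder"},
    "hr-portal": {"criticality": 3, "data": "pii"},
    "dev-wiki":  {"criticality": 1, "data": "public"},
}

# Host-to-application map. This is the data that change management has to
# keep current; a host missing from it is the "untagged new server" case.
HOST_TO_APP: Dict[str, str] = {
    "10.0.1.10": "payments",
    "10.0.1.11": "payments",
    "10.0.2.20": "hr-portal",
    "10.0.9.99": "dev-wiki",
}

# Relative weight of the data class (assumed values, for illustration).
DATA_WEIGHT = {"cardholder": 1.0, "pii": 0.8, "internal": 0.5, "public": 0.2}


@dataclass
class Finding:
    fid: str      # scanner finding id (placeholder, not a real CVE)
    host: str     # IP address the scanner reported the finding on
    cvss: float   # CVSS base score as reported by the scanner


FINDINGS: List[Finding] = [
    Finding("F1", "10.0.9.99", 9.8),  # critical CVSS on a public wiki
    Finding("F2", "10.0.1.10", 7.5),  # high CVSS on a payments host
    Finding("F3", "10.0.1.11", 5.3),  # medium CVSS on a payments host
    Finding("F4", "10.0.2.20", 8.1),  # high CVSS on the HR portal
    Finding("F5", "10.0.5.5", 9.0),   # critical CVSS on a host nobody mapped
]


def severity_order(findings: List[Finding]) -> List[str]:
    """Approach 1 from the text: rank purely by CVSS, highest first."""
    return [f.fid for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def business_risk(f: Finding) -> Optional[float]:
    """CVSS scaled by the owning application's criticality and data weight.

    Returns None when the host is not mapped to any application, so the
    caller can treat it as an inventory gap rather than a ranked finding.
    """
    app = HOST_TO_APP.get(f.host)
    if app is None:
        return None
    meta = APPLICATIONS[app]
    return round(f.cvss * meta["criticality"] * DATA_WEIGHT[meta["data"]], 2)


def prioritize_by_application(
    findings: List[Finding],
) -> Tuple[List[Tuple[str, float, List[str]]], List[str]]:
    """Group findings by business application and order applications by the
    highest business-risk finding each one carries.

    Returns (ranked, unmapped): ranked is a list of
    (application, top_business_risk, finding_ids_highest_first); unmapped is
    the list of hosts with no application mapping.
    """
    by_app: Dict[str, List[Tuple[float, str]]] = {}
    unmapped: List[str] = []
    for f in findings:
        score = business_risk(f)
        if score is None:
            unmapped.append(f.host)
            continue
        by_app.setdefault(HOST_TO_APP[f.host], []).append((score, f.fid))

    ranked = []
    for app, items in by_app.items():
        items.sort(reverse=True)
        ranked.append((app, items[0][0], [fid for _, fid in items]))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked, unmapped


if __name__ == "__main__":
    print("severity-only order:", severity_order(FINDINGS))
    ranked, unmapped = prioritize_by_application(FINDINGS)
    for app, top, fids in ranked:
        print(f"{app:10s} top business risk {top:6.2f}  findings {fids}")
    print("unmapped hosts (inventory gap):", unmapped)
```

Run stand-alone, the severity-only list puts the 9.8 on the public wiki first, while the application view puts the payments application (a 7.5 and a 5.3 on cardholder-data hosts) at the top and drops the wiki to last; the 9.0 on the unmapped host is neither ranked nor lost, it is handed back as a host that inventory needs to assign. The weights are deliberately simple; in practice the application criticality and data classification come from the business owners the article says must own the risk, and the host-to-application map from the change management process, not from the security team's own guesses.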
Related Reading: Time to Rethink Vulnerability Management
Related Reading: Preparing for the Inevitable Data Breach: Discussion
Related Reading: All Data Is Not Valued Equally