5 Things Every CIO Should Know About Vulnerability Management

[Figure: pressures on the modern CIO: cybersecurity, microservices, legacy systems, shadow IT, attacker behavior, skills shortage, privacy regulations, buyer expectations, serverless, expanding IoT usage]

Introduction

Where would modern enterprises be without the CIO?

As CIO, you’re expected to navigate diverse and constantly changing terrain. In addition to helping grow your business and keeping costs down, you worry about all that data and the assets, networks, and applications that house it. Protecting your infrastructure and enterprise stack from cyber threats is a multi-faceted problem all on its own. And as your organization grows, your attack surface grows with it.

In the face of all these responsibilities and challenges, vulnerability management (VM) might strike you as a small element of your operation—especially if IT, Security and Development are separate from IT operations in your organization.* Often it appears that VM is just another technical debt, a routine task Security manages and IT implements.

Managing vulnerabilities, however, is important not just for security teams, but for all of IT. Security, it turns out, is a team sport that requires cross-functional collaboration to get right. And it’s worth getting right: Vulnerabilities can leave your most strategic assets—and your business itself—exposed to cyber threats that evolve by the day. What’s more, a modern vulnerability management operation benefits CIOs in multiple ways—and can even help you become a more strategic and effective force in the C-Suite.

*While we recognize that organizational structures vary, to keep things simple in this paper, we’re referencing Development, DevOps, and IT operations as simply “IT.”

Here are five things every CIO should know about vulnerability management.

1. You don’t need to fix that entire list.

[Callout: JUST 4% of common vulnerabilities & exposures have been observed in organizations and exploited in the wild. Source: Taking the Pulse on Vulnerability Management]

The average enterprise has millions of vulnerabilities. Millions. No organization, no matter how well resourced or efficient, can possibly fix them all.

The good news is that no organization really needs to. That’s because not every vulnerability you find in your environment poses a risk to your specific assets or business. In fact, only 4% of all common vulnerabilities and exposures (CVEs) meet the critical criteria of being both observed within organizations and known to be exploited in the wild. In most enterprises, fewer than 4% of vulnerabilities and weaknesses pose a legitimate risk.

So if you’ve ever wondered if all of that effort your team is expending on remediation is helping fix the vulnerabilities that matter most, you’ve probably had good reason. Typical vulnerability scanners and application assessment tools are useful for finding potential exposures, but spitting out a massive list that’s hundreds of pages long is little help to an already time-strapped team. IT and development can’t fix all of them, so which vulns should they address first? How will they know which flaws pose the greatest risk to your particular organization?

The truth is, without the right insights, they can’t. Fortunately, adopting a risk-based approach to vulnerability management solves this problem, and many others.

2. The right VM program can be vastly more efficient.

[Callout: THE IMPACT OF RBVM: 55% of security teams cut time investigating vulnerabilities in half. Source: TechValidate]

Endless meetings debating which vulnerabilities to remediate? Persistent conflicts over priorities?

This is hardly what you want from your IT, Security, and DevOps teams. But when they are hobbled by outdated tools and processes that can’t predict threats or prioritize fixes, it’s what you often get.

Adopting a risk-based vulnerability management (RBVM) approach solves this. The right RBVM solution weighs multiple factors—not just the vulnerabilities and the likelihood they’ll be weaponized, but also the assets and applications you rely on—so your team has the context necessary to focus on where you’re most vulnerable today.

This risk-based approach helps your teams work more efficiently. Security is released from the day-to-day burden of sending lists of vulnerabilities to IT, so it can devote more time to strategic tasks, and the teams are no longer battling over what to do, and who will do it.

3. Adopting a risk-based approach will reduce risk for Security & IT.

“Risk” can mean different things to IT and Security, and that difference can cause friction. For Security teams, reducing risk often means patching all vulnerabilities that may be weaponized—no matter their impact on infrastructure operations or DevOps. For IT, risk means anything that threatens your ability to deliver for the business.

The two are often at odds. Indiscriminate patching, for instance, can break processes or applications, restrict availability, and threaten service level agreements (SLAs). But ignoring the vulnerabilities that are (or are likely to be) targeted by exploits could leave you open to attacks that could end up hurting your business, operations and brand.

The best way to reduce risk for Security and IT both is to have a shared language around risk—and a risk-based approach that measures the real likelihood that an exploit will target the vulnerabilities that are of high risk in your particular environment. That way, your Security team can produce reports that IT management will understand. And because you’re not swimming through hundreds of “critical” vulnerabilities, it’s easier to weigh proposed remediations against the risk that a patch or rewritten application code may cause downtime or other problems—and then identify exemptions where they make sense.

The result? Not only is your RBVM program more efficient, but it serves everyone better: Security is protecting your data, applications, and assets—and IT is protecting its ability to meet the needs of the business.

[Figure: How Can You Reconcile the Different Definitions of Risk? Security: zero breaches. IT: no downtime, meet SLAs. Common ground: focus on high-risk vulnerabilities first.]

4. You want to be in the driver’s seat. A data-driven approach will put you there.

The persistent disconnect between Security and IT has frequently caused Security to feel unsupported by IT, and IT to feel pressured (even bullied) by Security. None of this is necessary, and it certainly doesn’t help you run a tight, results-oriented IT ship.

The truth is, as CIO, you want to be in the driver’s seat. You want to make sure your IT teams are meeting SLAs while Security is keeping data, assets, and applications safe. You want your limited resources focused on the most important and strategic work at hand. A data-driven approach puts you there.

A modern RBVM program takes the guesswork out of vulnerability management. It’s based on mountains of contextual data—real-time external intel combined with data about your unique IT environment—that shows you not only what exposures you have, but what they mean to your organization. With an RBVM program based on incontrovertible evidence that is automatically shared across teams, both IT and Security immediately understand where to put their efforts. Roles are clarified. And Security is no longer telling IT what to do, because IT now has a self-serve environment that cuts through the clutter and keeps priorities aligned.

Now you can fully take IT risk into account—and the collaboration with Security is better than ever before. Suddenly, something new emerges in the relationship between the two teams: shared trust.

That’s what happens when a data-driven, self-serve RBVM environment puts you in control.

[Figure: What Does a Data-Driven, Self-Serve RBVM Program Look Like? 1. External & internal data gathered & analyzed. 2. RBVM algorithms align threats with vulns & prioritize fixes. 3. Security issues reports IT managers can understand. 4. IT managers weigh remediation against IT risk.]

5. Once you’re driving, you can explore alternate mitigation approaches for vulnerabilities you can’t fix.

It’s not always possible to fix every high-risk vulnerability the moment you discover it. Sometimes, the vulnerability sits at the heart of a mission-critical application or customer-facing web service where any downtime is unacceptable.

Other times, it might be located on devices that are impossible to patch, or that require your DevOps team to write the fix themselves.

When you’re in control of your vulnerability management process, you can decide what’s important to fix now, while determining a schedule for remediating other vulns over time. You can also come up with alternate mitigation strategies for remediating those hard-to-fix vulnerabilities.

And when IT and Security are aligned on priorities, there’s little to argue about.

With IT in the driver’s seat of a risk-based approach to vulnerability management, you’ll have much more control over evaluating the risk versus the reward of remediation efforts. And most importantly of all, you’ll have all your teams working in tandem to reduce your overall risk profile.

To Remediate or Not to Remediate? Weighing Risk vs. Effort

[Figure: risk vs. effort matrix]

              HIGH EFFORT                 MEDIUM EFFORT                 LOW EFFORT
HIGH RISK     High Risk — High Effort     High Risk — Medium Effort     High Risk — Low Effort
MEDIUM RISK   Medium Risk — High Effort   Medium Risk — Medium Effort   Medium Risk — Low Effort
LOW RISK      Low Risk — High Effort      Low Risk — Medium Effort      Low Risk — Low Effort
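The matrix above, and the exemptions mentioned in point 3, become a working process once each cell maps to an action and a due date. The following is an added example (not Kenna Security’s code or policy): it places already-prioritized findings on the risk vs. effort grid, assigns each a remediation action and SLA, and routes high-risk items that cannot be patched to a compensating control with a re-evaluation date instead of leaving them open. The policy table, the day counts, the planning date and the sample items are all assumptions made up for the illustration; the IDs are placeholders, not real CVEs.

```python
"""Added example (not Kenna Security's code): turning the risk vs. effort
matrix into a remediation plan. Policy values and sample data are
constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Level(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Item:
    vuln_id: str            # constructed placeholder, not a real CVE
    asset: str
    risk: Level             # output of a risk-based prioritizer
    effort: Level           # IT's estimate: testing, downtime, code rewrite
    patchable: bool = True  # False: no vendor fix, or device cannot be patched


# Assumed remediation policy, one entry per cell of the 3x3 matrix:
# (action, due in days). Illustrative values, not the paper's.
POLICY = {
    (Level.HIGH, Level.LOW): ("fix now", 7),
    (Level.HIGH, Level.MEDIUM): ("fix now", 14),
    (Level.HIGH, Level.HIGH): ("mitigate now, fix on schedule", 30),
    (Level.MEDIUM, Level.LOW): ("next maintenance window", 30),
    (Level.MEDIUM, Level.MEDIUM): ("schedule", 60),
    (Level.MEDIUM, Level.HIGH): ("schedule", 90),
    (Level.LOW, Level.LOW): ("bundle with routine patching", 90),
    (Level.LOW, Level.MEDIUM): ("defer, review quarterly", 90),
    (Level.LOW, Level.HIGH): ("exemption candidate", 180),
}

TODAY = date(2020, 1, 1)  # constructed planning date


def cell(item):
    """Label of the matrix cell an item falls into."""
    return f"{item.risk.name.title()} Risk / {item.effort.name.title()} Effort"


def decide(item, today):
    """Map one item to the action and due date its cell prescribes."""
    action, days = POLICY[(item.risk, item.effort)]
    if item.risk is Level.HIGH and not item.patchable:
        # No patch possible: reduce exposure another way (network isolation,
        # virtual patching at a WAF/IPS, disabling the vulnerable feature)
        # and revisit, rather than leaving the item open indefinitely.
        action, days = "compensating control, re-evaluate", 30
    return {
        "vuln_id": item.vuln_id,
        "asset": item.asset,
        "cell": cell(item),
        "action": action,
        "due": today + timedelta(days=days),
    }


def plan(items, today):
    """Highest risk first; within a risk level, the cheapest fixes first."""
    ordered = sorted(items, key=lambda i: (-i.risk.value, i.effort.value))
    return [decide(i, today) for i in ordered]


def matrix(items):
    """Group item IDs by cell: the one view IT and Security both read."""
    grid = {}
    for i in items:
        grid.setdefault(cell(i), []).append(i.vuln_id)
    return grid


# Constructed sample input.
SAMPLE = [
    Item("VULN-0102", "payments-api", Level.HIGH, Level.LOW),
    Item("VULN-0104", "plc-controller", Level.HIGH, Level.HIGH, patchable=False),
    Item("VULN-0103", "hr-portal", Level.MEDIUM, Level.MEDIUM),
    Item("VULN-0101", "build-server", Level.LOW, Level.HIGH),
    Item("VULN-0105", "file-share", Level.HIGH, Level.HIGH),
]

if __name__ == "__main__":
    for row in plan(SAMPLE, TODAY):
        print(f"{row['vuln_id']} {row['cell']:28s} {row['action']:36s} due {row['due']}")
```

The ordering is the paper’s argument in code: the high-risk, low-effort item on the payments API is due within a week, the unpatchable controller gets a compensating control and a 30-day review rather than a patch that cannot exist, and the low-risk, high-effort build-server finding is flagged as an exemption candidate for IT management to accept explicitly. Keeping the policy in one table is what gives Security and IT a shared language: the argument moves from individual tickets to the table’s values, which both teams can sign off on once.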

What’s next? Talk to your CISO.

With cybersecurity efforts requiring more attention and budget, there’s no better time to talk with your CISO about taking a risk-based approach to vulnerability management. Why? Because with an RBVM environment, you can:

Lower risk for both IT and Security
Focus on the risks that matter most
Build shared trust between your teams
Create a self-service, data-driven environment that prevents turf wars
Create efficiencies by eliminating disputes and aligning priorities

The future of vulnerability management is risk-based.

Leading industry analysts agree: The days of blindly, manually chasing vulnerabilities are over. The future will be increasingly defined by meaningful prioritization and metrics business leaders can understand. And it will be characterized, finally, by an efficient, amicable process that puts CIOs in the driver’s seat.

Learn more about RBVM.

The Future of Vulnerability Management is Risk-Based, featuring research from Gartner.
Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies, featuring research from the Cyentia Institute.
Distinguishing Common Practices from Best Practices in Vulnerability Management, on-demand webinar featuring research from the Cyentia Institute.

To learn more about aligning your organization around risk, visit www.kennasecurity.com

Kenna and Kenna Security are trademarks and/or registered trademarks of Kenna Security, Inc. and/or its subsidiaries in the United States and/or other countries. © 2020 Kenna Security, Inc. All rights reserved.