Running a successful business relies on effective risk management. However, in the IT engine room of many companies, there is a serious problem. IT teams are still struggling to run their vulnerability management programs in a risk-oriented way. The result is wasteful effort, dangerously exposed systems, and talented individuals tied up in complex and labor-intensive processes.
As a guest speaker in a new To the Point video, Forrester’s Renee Murphy emphasizes that by adopting an automated approach to risk scoring and management, organizations can streamline auditing and compliance, enhance endpoint visibility, and minimize the chances of a serious cyber breach.
A CVE deluge
The NIST National Vulnerability Database (NVD) revealed that more vulnerabilities were published in 2021 than in any previous year. For the fifth consecutive year, we saw common vulnerabilities and exposures (CVEs) hit a record high, this time of 20,139, up 10% from 2020.
More than 4,000 were labeled high severity. Working through that many would be a significant undertaking for even the best-resourced IT team, and the task is made much harder when teams are unable to prioritize which bugs to patch first.
In the meantime, a legacy CVE from 2019 may still be actively exploited against an organization through an unpatched application or system.
Solutions that provide complete visibility and control over an organization's exponentially increasing endpoints across on-premises, hybrid, and multi-cloud environments are essential to reduce the attack surface and ensure users are fully protected. Yet many IT teams are struggling with out-of-date, incomplete data and are still using manual tools, including spreadsheets and multiple point solutions, which exacerbate information silos. Without a view of what exists across the entire environment, risk-based prioritization becomes a challenge.
As Murphy argues in her presentation: “If you’re on the ground, you can only see what’s under your feet. You need to get in your drone and see what the forest landscape looks like from above.”
Elevating the conversation
So, how can CISOs and risk leaders elevate the conversation and pivot to effective risk-based vulnerability management? Having integrated solutions that provide real-time telemetry, investigative capabilities, and the power to remediate fast is essential to tackling the threat landscape today. Ask yourself a few crucial questions about each newly published CVE:
- Is it being exploited in the wild?
- What is the likelihood that my organization will be targeted next?
- Are any systems vulnerable?
- Are there vulnerable systems in production?
- Will patching downtime impact key customer-facing services?
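The five questions above can be turned into a repeatable triage rule. The following is an added Python illustration, not Tanium's own code or scoring model; host names, CVE identifiers and likelihood values are constructed placeholders, and the weights are assumptions:

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    production: bool
    customer_facing: bool

@dataclass
class Finding:
    cve_id: str               # placeholder id, not a real CVE
    cvss: float               # 0.0-10.0 base score
    exploited_in_wild: bool   # question 1: known active exploitation
    target_likelihood: float  # question 2: 0.0-1.0, assumed from threat intel
    vulnerable_hosts: list    # questions 3-5 are answered from the inventory

def risk_score(f: Finding) -> float:
    """Risk on a 0-100 scale; a CVE with no vulnerable hosts scores 0."""
    if not f.vulnerable_hosts:  # question 3: nothing here is exposed
        return 0.0
    prod = [h for h in f.vulnerable_hosts if h.production]
    exposure = 0.5 + 0.5 * len(prod) / len(f.vulnerable_hosts)  # question 4
    # Assumed weighting: active exploitation doubles the threat term, capped at 1.
    threat = min(1.0, f.target_likelihood * (2.0 if f.exploited_in_wild else 1.0))
    return f.cvss * 10 * threat * exposure

def patch_window(f: Finding) -> str:
    """Question 5: customer-facing production hosts need a planned window."""
    if any(h.production and h.customer_facing for h in f.vulnerable_hosts):
        return "scheduled maintenance window"
    return "next patch cycle"

def prioritize(findings):
    """Return (cve_id, score, window) tuples, highest risk first."""
    ranked = [(f.cve_id, risk_score(f), patch_window(f)) for f in findings]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed inventory: a 2019-era bug still exploited in the wild outranks
# a newer, higher-CVSS bug that no host in this environment actually runs.
WEB = Host("web-01", production=True, customer_facing=True)
DEV = Host("dev-07", production=False, customer_facing=False)
SAMPLE = [
    Finding("CVE-2019-PLACEHOLDER-A", 7.5, True, 0.6, [WEB, DEV]),
    Finding("CVE-2021-PLACEHOLDER-B", 9.8, False, 0.3, []),
    Finding("CVE-2021-PLACEHOLDER-C", 8.1, False, 0.4, [DEV]),
]
```

Running `prioritize(SAMPLE)` ranks the exploited 2019 placeholder first even though its CVSS score is the lowest of the three, which is the point of looking past severity alone.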
Focusing on risk is essentially about optimizing vulnerability management. It is about targeting the investment of time and resources where it is most needed. As Murphy says, “I can’t boil the ocean. I have to pay attention to what is going to cause the most risk.”
Ultimately, the C-suite expects IT operations and security teams to monitor and manage the operation to maintain business performance and ensure continuity of customer service.
Automated risk-assessment tools are key
For Murphy, automation is a critical enabler of risk-based vulnerability management. It can free up the time for internal audit, compliance, IT operations, and security teams. A robust risk score helps to prioritize patching and prove to third-party auditors that programs are efficiently running. Most importantly, in a world where there is a ransomware attack every 11 seconds, understanding your risk posture will avoid a serious breach and keep the organization compliant. “No organization should be resigned to a relentless remediation burden,” argues Murphy in her presentation.
“The IT audit industry should have been bankrupted by monitoring software by now, and we should have all moved on,” she adds. “Those people today who run data centers, I think are the luckiest people on earth. The stuff you guys can do, we couldn’t do 20 years ago. There should be no excuse not to take a risk-based approach in how you look at vulnerability and threat.”
You can learn more about your company’s risk exposure with the Tanium risk assessment. The five-day, no-cost risk assessment provides a comprehensive view of risk posture and proactive ways to protect your organization. Sign up today.