Vulnerability management has evolved tremendously in recent years, especially with automated monitoring systems providing continuous analysis of enterprise networks to effectively reduce risk.
Amid the current landscape and the shift to remote work policies due to COVID-19, organizations have undergone a rapid digital transformation to support business continuity. The adoption of new technologies such as cloud-based applications and IoT devices has introduced a myriad of vulnerabilities for malicious actors to exploit, and unfortunately, legacy vulnerability management tools are not able to provide organizations with the visibility or cyber-risk insights needed to protect this new array of asset types.
As a result, cybersecurity teams struggle with a lack of visibility into threats, endpoint devices, access privileges, and other essential security controls necessary for a robust cybersecurity posture. Without full visibility into their entire digital ecosystem, infosec teams cannot fully secure the assets on their networks or effectively prioritize the most serious threats.
There is a distinct relationship between clear visibility and effectively being able to report cyber risk. Below, I dive into how security professionals are still fighting the battle between effectively viewing serious threats and communicating cyber risk to company leadership.
Limited visibility remains top challenge
It is more and more challenging to keep track of the ever-growing number of non-traditional assets such as bring-your-own devices, IoT, mobile assets, and cloud services, and gaps in asset coverage are leaving cybersecurity leaders with more questions than answers. According to a recent study, the State of the Enterprise Security Posture Report, a majority of organizations (64%) lack confidence in the state of their security posture, and that lack of confidence is driven by inadequate visibility. Six in 10 organizations say that they are aware of fewer than 75% of the devices on their network, with most claiming only a spotty understanding of asset business criticality and categorization. What’s more, 46% of respondents find it hard to tell which vulnerabilities are real threats and which will never be exploited.
Constant visibility across all the devices and applications on a network, across the hundreds of attack vectors an organization is susceptible to, and across the risk associated with open vulnerabilities, continues to be a primary challenge for infosec teams. This lack of awareness makes it extremely difficult to improve security posture and becomes a significant cause of concern for risk, especially when an organization is incapable of clearly viewing the critical threats it faces.
A vast majority (89%) of organizations stated that the security threats of most concern are phishing, web, and ransomware attacks. However, when asked which risk areas they have visibility into, less than half (48%) confirmed continuous visibility of phishing, web, and ransomware threats. This creates a massive disconnect between the biggest identified risk and visibility into that risk, which is of huge concern.
Phishing is a key driver of risk for organizations because once an internal user falls victim to phishing, the attacker can move laterally in the infrastructure to cause more destruction. Even more, this issue is exacerbated by the fact that 81% of organizations report users having too much access to privileged data. If privileged access to business-critical assets is not closely monitored, the likelihood of a massive breach grows substantially.
An organization is only as secure as its weakest link, and it cannot protect what it cannot see. Companies must gain full visibility into the threats affecting negligent users, and vulnerabilities around privileged user assets should be managed with high urgency and high priority. Steps should also be taken to limit access privileges where possible.
Breach risk prioritization and communication
Cybersecurity has taken on a central role in the enterprise, with infosec teams engaging with the C-suite and board members more than ever before. This has placed a larger burden on reporting requirements, particularly when attempting to explain risk and costs to executives. Yet, with the growing number of security posture issues that infosec leaders face, the burden is now heavier than ever, and board presentations are a major challenge.
Only a small minority (13%) of security leaders think that they “nailed” their last board or senior management presentation and that they presented relevant data in easily understood business language. Unfortunately, over half (52%) said that their board presentation only went okay, and that they felt as if they were able to get the point across but not able to secure the expected outcome.
To continue to do their jobs effectively and conduct successful board presentations, security teams say they need tools that can improve the reporting process. 25% feel they are inundated with far too many alerts to act on, and 1 in 5 believe they are unable to prioritize security issues by business criticality.
It is critical that cybersecurity leaders do not settle for “okay” board presentations. Successful board-level presentations stem from quantifiable risk metrics and intuitive visualizations that can easily be understood by a non-technical audience. Infosec professionals must focus on business objectives and help stakeholders understand the company's current cyber risk state, where it should be, and how the company can strengthen this state.
Board engagement coupled with the necessary tools
Cybersecurity is a critical role in the enterprise, and security leaders must know how to engage with leadership to better protect their organizations as they adapt to distributed work and adopt new technologies. Without the proper tools to effectively assess, monitor and communicate risk, infosec teams are limited in their ability to strengthen cybersecurity posture for the organization.
Fortunately, there are vulnerability management tools on the market today that provide organizations with continuous, comprehensive visibility into the highest risks, including not only where weaknesses or vulnerabilities exist, but also the likelihood of those weaknesses impacting the business. From there, prioritizing fixes for the riskiest issues will ensure maximum breach reduction and the most efficient security team possible.
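The two ideas the article keeps returning to, prioritizing by likelihood and business impact rather than raw severity, and measuring the asset visibility gap, can be made concrete with a small script. The following is an added example written for this page, not code from the article or from any vulnerability management product; the asset inventory, the placeholder CVE identifiers, the criticality scale, and the weighting factors (the privileged-access multiplier and the phishing-exposure bump) are all constructed assumptions, not values from the report the article cites.

```python
"""Risk prioritization and visibility-gap reporting over a constructed inventory.

Added example, not from the article. All data below is constructed; the
weights in risk_score() are illustrative assumptions, not an industry standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_criticality: int  # constructed scale: 1 (low) .. 5 (business-critical)
    privileged_access: bool    # assumption: asset holds or grants privileged data
    discovered_only: bool      # seen by network discovery but missing from the CMDB


@dataclass(frozen=True)
class Vuln:
    asset: str
    cve: str                   # placeholder identifiers, not real CVEs
    cvss: float
    exploit_likelihood: float  # 0..1, e.g. derived from exploit availability
    exposed_to_phishing: bool  # reachable once a user workstation is compromised


# Constructed sample inventory: two unmanaged devices found only by discovery.
SAMPLE_ASSETS = [
    Asset("dc01", 5, True, False),
    Asset("hr-portal", 4, True, False),
    Asset("laptop-ws17", 2, False, False),
    Asset("printer-3f", 1, False, True),
    Asset("iot-cam-12", 1, False, True),
]

# Constructed findings: note the 9.8 on the IoT camera versus the 7.5 on the DC.
SAMPLE_VULNS = [
    Vuln("dc01", "CVE-0000-0001", 7.5, 0.6, False),
    Vuln("hr-portal", "CVE-0000-0002", 9.8, 0.3, True),
    Vuln("iot-cam-12", "CVE-0000-0003", 9.8, 0.9, False),
    Vuln("laptop-ws17", "CVE-0000-0004", 5.3, 0.8, True),
    Vuln("printer-3f", "CVE-0000-0005", 4.0, 0.1, False),
]


def risk_score(vuln: Vuln, asset: Asset) -> float:
    """Likelihood x impact, with impact scaled by business criticality."""
    impact = vuln.cvss / 10.0 * asset.business_criticality
    if asset.privileged_access:
        impact *= 1.5          # assumption: privileged assets amplify breach impact
    likelihood = vuln.exploit_likelihood
    if vuln.exposed_to_phishing:
        likelihood = min(1.0, likelihood + 0.2)  # assumption: phishing raises likelihood
    return round(likelihood * impact, 3)


def prioritize(vulns, assets):
    """Return (score, cve, asset) tuples, highest risk first."""
    by_name = {a.name: a for a in assets}
    ranked = [(risk_score(v, by_name[v.asset]), v.cve, v.asset) for v in vulns]
    return sorted(ranked, reverse=True)


def visibility_gap(assets):
    """How much of the discovered estate is actually inventoried and managed."""
    unmanaged = [a.name for a in assets if a.discovered_only]
    inventoried = len(assets) - len(unmanaged)
    return {
        "total": len(assets),
        "inventoried": inventoried,
        "coverage_pct": round(100.0 * inventoried / len(assets), 1),
        "unmanaged": unmanaged,
    }


def board_summary(ranked):
    """Collapse scores into the tiers a non-technical audience can act on."""
    tiers = {"critical": 0, "high": 0, "medium": 0}
    for score, _cve, _asset in ranked:
        if score >= 2.5:
            tiers["critical"] += 1
        elif score >= 1.0:
            tiers["high"] += 1
        else:
            tiers["medium"] += 1
    return tiers


if __name__ == "__main__":
    ranking = prioritize(SAMPLE_VULNS, SAMPLE_ASSETS)
    for score, cve, asset in ranking:
        print(f"{score:6.3f}  {asset:<12} {cve}")
    print(visibility_gap(SAMPLE_ASSETS))
    print(board_summary(ranking))
```

With the constructed data, the 7.5 on the domain controller outranks the 9.8 on the IoT camera because criticality and privileged access drive the impact term, which is the prioritization-by-business-criticality the article calls for; the visibility report shows 60% of discovered devices inventoried, the kind of coverage figure the cited survey says most teams cannot state with confidence.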