Stop the Chaos

A mitigating factor for both vulnerabilities and boards

One of the unspoken board-level expectations of vulnerability management is that it remains unremarkable - quietly securing all business operations from any risk, without friction.

However, with complex software-enabled business environments facing an overwhelming number of attacks, this is more fantasy than reality. In realistic terms, an effective vulnerability management posture is one which mitigates the largest possible portion of business risk at the best possible cost. Security leaders gathered in a central London location to discuss how, or even whether, this demand can be met.

An explosion of complexity
Those present agreed that at the root of the issue was the fact that the risk from vulnerabilities has exploded and fragmented far faster than the associated countermeasures. Twenty years ago, exposure was limited to servers and workstations. Less remediation was required and the criticality of assets was likely low.

Now, the vast majority of business processes are enabled by sprawling technology stacks, something compounded by the cloud. Across on-prem, hybrid and multi-cloud environments, the vulnerable surface is almost as fluid as the 2,000 known vulnerabilities added to the NIST NVD database every month. Managing this risk has become like cataloguing grains of sand on a beach.

Management expectation vs. Technical reality
In stark contrast, many agreed that boards neither understand nor care about these technical complexities. Missing the sheer impossibility of complete vulnerability management, executive teams, as one CISO put it, ‘expect zero risk.’

Educating senior stakeholders on why this is unachievable is hard. Legacy mitigations are inherently behind the risk and piecemeal, yet expensive. This jars with a set of stakeholders who hold an absolutist, balance sheet-like view of any issue. For example, try making a business case for a pentest whose report is out of date the second it is written, or for the lengthy process of fixing embedded legacy technologies such as Oracle or Java.

Context is king
Those present agreed that fixing both flawed technical estates and broken board-level conversations requires one thing: business context.

If securing everything is impossible because of the scale of the problem, context brings vital focus. By knowing which assets are critical to business operations, security leaders agreed they can better determine where human and technical resources are deployed. From a board point of view, this also means investment is more rigorously prioritised.

This requires a subtle reframing of how vulnerability risk is categorised, as security teams have grown used to acting on an external definition of severity. CVSS scores, government bodies and software providers, for example, provide alerts and updates on the risk from vulnerabilities. However, these are generalised and provide only a broad statement on the likelihood of exploitation. They cannot capture how each vulnerability impacts a specific organisation.

For a contextual view, security teams must enrich vulnerability data with an understanding of their own environment, based on a view of critical assets, dependencies and control sets. This overlay provides visibility of where the business is exposed, what potential attack paths exist and where mitigations can be applied. Done at scale, this allows the risk equation to be managed more intelligently, resulting in a measurable reduction in risk and a quicker time to value.

Translating for the board
Security leaders agreed this provides the basis for a board-level discussion on terms senior stakeholders understand.

Rather than ‘a game of count the vulnerability’, CISOs using this approach open the door to a far broader discussion on risk appetite. By comparing factors such as exposed assets, the likelihood of exploitation, cost of impact and cost to mitigate, it becomes a business conversation, not a technical one.
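As an added illustration of the context overlay described under ‘Context is king’ and the board comparison in the paragraph above (example code written for this write-up, not Hackuity’s own scoring algorithm), the script below weights an external CVSS score by asset criticality, reachability, known exploitation and compensating controls, then frames the result as expected loss against cost to fix. The weights, asset names, finding identifiers and cost figures are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str        # constructed placeholder id, not a real advisory
    cvss: float       # external severity, 0-10
    asset: str
    criticality: int  # 1 (low) .. 5 (crown jewel), from the business asset register
    exposed: bool     # reachable from the internet
    exploited: bool   # exploitation observed in the wild (threat intel feed)
    control: bool     # compensating control in place (e.g. segmentation, WAF rule)


def contextual_score(f: Finding) -> float:
    """Overlay business context on the generic CVSS score (assumed weights)."""
    likelihood = f.cvss / 10.0
    if f.exploited:                     # known exploitation raises likelihood
        likelihood = min(1.0, likelihood * 1.5)
    if not f.exposed:                   # internal-only assets are harder to reach
        likelihood *= 0.5
    if f.control:                       # a compensating control reduces reachability
        likelihood *= 0.4
    impact = f.criticality / 5.0        # what the business stands to lose
    return round(10 * likelihood * impact, 2)


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Contextual ranking; compare with sorting on raw CVSS alone."""
    return sorted(findings, key=contextual_score, reverse=True)


def worth_fixing(f: Finding, impact_cost: float, fix_cost: float) -> bool:
    """Board framing: expected loss (contextual risk fraction x cost of impact)
    against cost to mitigate. Simplified heuristic, not an actuarial model."""
    expected_loss = contextual_score(f) / 10.0 * impact_cost
    return expected_loss > fix_cost


# Constructed sample findings: the raw CVSS order is build-agent, hr-portal, payments-api.
SAMPLE = [
    Finding("VULN-A", 9.8, "build-agent-07", 2, exposed=False, exploited=False, control=True),
    Finding("VULN-B", 6.5, "payments-api", 5, exposed=True, exploited=True, control=False),
    Finding("VULN-C", 7.5, "hr-portal", 3, exposed=True, exploited=False, control=True),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{f.asset:15} cvss={f.cvss:4} contextual={contextual_score(f):5}")
```

With context applied, the medium-CVSS finding on the exposed, actively exploited payments API ranks first, while the critical-CVSS finding on a segmented internal build agent drops to the bottom.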

No silver bullet exists for vulnerability management regardless of how much one is desired. However, imbued with context, the process becomes closer to managing a balance sheet. For CISOs, this means more effective strategies as well as transparent, honest discussions with senior stakeholders on terms they understand - something which benefits the entire organisation.

About Hackuity
80% of cyberattacks use a vulnerability published half a decade ago. Translation: either cybersec professionals don’t care (not true) or they can’t keep up on their own (it’s time we admit that). Fragmented teams, too many tools, and exploding vulnerabilities are a match made in heaven – for attackers.

Founded by experts from leading cybersecurity service providers, Hackuity reinvents Risk-Based Vulnerability Management (RBVM) to protect organisations worldwide:

- Aggregate 80+ market-leading tools into a single pane of glass.
- Prioritise vulnerabilities with our risk-based scoring algorithm.
- Automate remediation specific to your attack surface.

Integrate your ecosystem to help cybersec teams focus on what’s actually vulnerable – not on managing Excel spreadsheets. Hackuity’s platform breaks security silos and provides a unified view of your cyber exposure specific to your attack surface so that you can remediate the real threats, faster. In short, Hackuity is your VOC enabler.

Hackuity is the winner of PwC Luxembourg's Cybersecurity & Privacy Solution of the Year – People’s Choice Award (2023), has received the EIC Seal of Excellence from the European Innovation Council, and is featured on Wavestone’s 2023 French Cybersecurity Scaleups Radar. Hackuity is a member of Campus Cyber and has also won the Government-led Grand Défi competition (2023, 2021), the Assises Innovation Award (2021), the FIC Startup Jury Award (2021), and the BPI Innovation Competition Award (2019). SOC 2 Type II certified and IMDA accredited, Hackuity emerged from stealth and raised €12 million in 2022.