Today’s cyber landscape changes in the blink of an eye. It’s critical to understand why your business is vulnerable – so you can take the right steps to protect it.
According to Ponemon Institute’s report, Measuring & Managing the Cyber Risks to Business Operations, 91% of surveyed organizations have suffered cyberattacks in the past 24 months. And 60% have experienced two or more business-disrupting cyber events in that same time period.
Based on Tenable Research’s Vulnerability Intelligence Report, the live population (22,625) of distinct vulnerabilities that actually reside in enterprise environments represents 23% of all possible CVEs (107,710). Knowing these numbers, it is essential to understand and track your organization’s security posture and cyber risk over time.
Let’s look at three reasons why vulnerability management is key and how it can help you properly assess your organization’s level of cyber risk.
1. We’ve entered a new era of cyber conflict
By understanding the evolution of cyber conflict, you’ll know the challenges you’re up against. The cybersecurity space continues to evolve, especially with the increasing ease of access to computer resources and knowledge.
This has introduced a whole new set of players to the dark side of the equation – players who have the secrecy, resources, funds and capabilities to exploit vulnerabilities. Furthermore, many businesses have failed to keep up with the changing environment, and poor cyber hygiene has left them vulnerable to attacks.
According to the U.S. National Vulnerability Database (NVD), there was a 52% increase in the number of vulnerabilities discovered in 2017 compared to 2016, with an overall number of 15,038 vulnerabilities. This big jump indicates two key things:
- More people – whether security researchers, bug bounty participants or threat actors with malicious intent – are examining products and discovering vulnerabilities.
- Software quality is dropping. With more start-ups, the adoption of IoT and a faster speed of business, organizations have shortened their testing and quality assurance processes to get to market faster and capture the business first, then deal with the caveats later. (This needn’t be the case though. Check out our container security ebook to keep DevOps moving at the speed of business.)
2. Network structures continue to evolve
Understanding changing network structures is key to understanding how a business is vulnerable. Network evolution has multiple aspects:
- Network structure: The complexity of network architecture is growing due to increased virtualization (through containers, automation, DevOps or software-defined networking) and the emergence of prepackaged web applications.
- Network components: Today’s attack surface includes smart devices and IoT, bring your own device (BYOD) flexibility, roaming users and cloud services.
- IT and OT network security: Ownership of the two areas is merging.
In short, it is increasingly difficult to get a full picture of the network.
3. Security teams are overwhelmed
At the end of the day, you may have hundreds or thousands of assets to protect on your network. The attacker may only need a single weak entry point. It may seem like an insurmountable challenge, but every solution has to start somewhere.
There isn’t a single CISO or security leader who does not ask his/her team the following questions:
- How secure – and exposed – are we?
- What should we prioritize?
- How are we reducing exposure over time?
- How do we compare to our peers?
The answers to these questions are the primary driver for understanding where your business is vulnerable and beginning to make improvements.
Getting back to cyber hygiene basics with vulnerability management
Considering the above variables and challenges, it is extremely rare to find a security leader who can confidently define their network boundaries. As a result, organizations often end up with a concerning number of blind spots in their networks.
Going back to the cyber hygiene basics with vulnerability management and honestly evaluating the challenges you are facing is key to understanding where your business is vulnerable. This will enable you to establish a functional process to measure your business’s overall risk and protect your network.
The most basic fact is: you can’t protect what you can’t see. Acquiring tools, technologies, skills and services to confidently define the network boundaries, type and number of assets, applications and services should be the first priority for any security leader. It is the primary building block for an effective security program. Once you have complete visibility into your vulnerabilities, you can get into the race.