Vulnerability management mistakes CISOs still make

Multiple breaches, including the massive 2017 data breach at the credit reporting agency Equifax, have been traced back to unpatched vulnerabilities—a 2019 Tripwire study found that 27% of all breaches were caused by unpatched vulnerabilities, while a 2018 Ponemon study put the number at a jaw-dropping 60%.

That shouldn’t surprise anyone in the security space: The number of vulnerabilities identified each year has gone up annually for the past several years.

At the same time security teams have been stretched thin as they’ve been extra busy enabling secure remote work and addressing other pandemic-related needs all while dealing with a staffing crunch.

As a result, improving the vulnerability management program is not always a top priority.

Yet veteran security chiefs say they see common mistakes and missteps that can and should be addressed to strengthen these programs. Here are 10 mistakes they say CISOs still frequently make:

1. Failing to get executive backing

The work required for a good vulnerability management program extends well beyond the security team. Risk decisions require executive input, patching takes IT expertise, and scheduled downtime for updates impacts multiple business functions.

Consequently, CISOs need buy-in from multiple players in the organization to do this task well, and they’re more likely to get that buy-in when they have support for those efforts from the senior-most leaders within the enterprise, says Michael Gray, CTO of managed services provider Thrive.

On the other hand, CISOs who lack executive-level support for their vulnerability management efforts can be stymied by a lack of clarity on acceptable risk and pushback from IT and business units on scheduling patching and system downtime.

But here’s some good news: Gray and others say CISOs are increasingly finding that executive support they need, as cybersecurity has become a board-level concern. Figures from analyst firm Gartner confirm the trend, with its 2021 directors survey finding that 88% of boards now view cybersecurity as a business risk.

2. Not fostering a sense of shared responsibility

“CISOs shoulder the responsibility or the risk for VM [vulnerability management]: They should not,” says Alex Attumalil, CISO for Under Armour.

CISOs don’t own the systems or the business functions they support, nor do they have the authority to solely determine whether the organization is comfortable accepting any particular risk.

“We’re not authorized to accept risk on behalf of the company. So you must bubble up the information,” he says. That requires communicating risk to other enterprise leaders, framing vulnerability management in terms of business risk and “enabling them to be part of the solution. They need to know they’re accountable for the vulnerabilities their systems are introducing.”

Attumalil says this approach gives enterprise executives beyond the CISO “a stake in the game,” a move that builds more support and collaboration when it comes to vulnerability management work such as scheduling system downtime for patching.

3. Using generic risk prioritization

One recent study, conducted by Pulse for security vendor Vulcan Cyber, showed that the vast majority of the 200-plus responding enterprise IT and security executives don’t prioritize vulnerabilities based on their organization’s own unique risk profiles. More specifically, the study revealed that 86% rely on third-party vulnerability severity data to prioritize vulnerabilities, with 70% also using third-party threat intelligence.

Veteran security leaders warn against that approach, saying it could have CISOs and their teams focusing limited resources on the wrong threats.

Kyle Lai, president and CISO of KLC Consulting, which provides cybersecurity advice and vCISO services for U.S. defense contractors, recommends a different approach. He says CISOs and their teams must understand the organization’s own technology environment and have an up-to-date asset inventory, and they must understand the organization’s risk appetite and risk tolerance, so they can identify the biggest threats to their own enterprise and prioritize addressing those.

“They should have a good understanding of how big an impact a particular threat might have; they should know which ones are more serious. They should be prioritizing based on the impact to their own organization,” he says.

4. Skimping on training

Lexmark International CISO Bryan Willett recognizes that the skills for patching Linux systems vary from those needed to patch Windows, and those skills differ from those required to execute other tasks within in his vulnerability management program.

Moreover, he says, the knowledge his security workers need for vulnerability management is different than the know-how IT workers require to do the patching in the actual systems.

“So I want those teams to get the training they need to take on their responsibilities,” he says.

But security leaders say not all organizations are committed to providing the ongoing education that employees need to deliver world-class security and, more specifically, a robust vulnerability management function. Experts say organizations sometimes underestimate the amount of specialization vulnerability management tasks require or they overlook the need for workers to be trained on the specific systems or tools used within their own enterprise.

“The thing everybody needs to remember is that employees want to do the right thing, but we have to invest in them to be able to do the right thing,” Willett adds.

5. Failing to track code

Research from the Linux Foundation shows that a growing number of organizations are using a software bill of materials (SBOM) to better understand all the code they have within their systems. More specifically, the report indicates that 47% are producing or consuming SBOMs and 78% of organizations expect to produce or consume SBOMs in 2022 (up from 66% in 2021).

Although the figures show an increase in the use of SBOMs, they still indicate that a good number of organizations could be falling short in knowing all the code they have in their IT environment. And that lack of visibility limits their ability to know if they have vulnerabilities that need to be addressed, Lai says.

“You have to know what code and what open source components you have, so when something like Log4J comes out, you know all the places it exists,” he says.

6. Postponing upgrades

Although vulnerability management is a never-ending task, it could be built into a more effective program by addressing technical debt, says Joe Nocera, leader of the Cyber & Privacy Innovation Institute at professional services firm PwC.

As Nocera explains: “The more I can retire legacy versions or consolidate on a standard stack, the less I have to manage in terms of vulnerabilities. That’s why I think that simplification and consolidation is the best force multiplier you can get.”

Nocera acknowledges that retiring legacy systems and addressing technical debt does not, of course, eliminate vulnerabilities. But getting rid of legacy systems does remove some work, and it can rid the enterprise of systems that are no longer able to be patched—thereby reducing risk.

And by getting rid of those issues, security teams along with their IT counterparts can shift their focus to addressing the remaining priorities—making the program much more effective and impactful, he says.

Despite the benefits of this approach, a good number of organizations haven’t made this a priority: The 2022 Endpoint Management and Security Trends Report from Action1 Corp., maker of a remote monitoring and management cloud platform, found that only 34% of respondents plan to focus on “eliminating risky legacy software that they have replaced with cloud alternatives.”

7. Ignoring news about emerging threats

The first warnings about new vulnerabilities or emerging threats often come through brief bulletins that lack a lot of details. Despite the limited information that accompanies such early reports, Lai says security teams should not dismiss their importance. In fact, he says, it’s critical to track news and headlines from various security sources to know what’s on the horizon.

“You want to pay attention to what’s coming out. They might not offer any details, but this type of intelligence helps you better prepare,” he says. “You can start working or planning.”

8. Reacting to every new threat

On the other hand, Erik Nost, a senior analyst at Forrester Research, warns CISOs against reacting to breaking news without first assessing whether and to what degree it could impact their own organizations.

“A lot of CISOs are still learning how to deal with zero days and the vulnerabilities that make news headlines, which is increasing in frequency,” he says. “Sorting through what’s news sensationalism and what vulnerabilities are an actual threat to their organization is a challenge, but asking teams to prioritize remediating everything that hits their inbox or the CEO sees in news headlines is not the right approach.”

Nost points to a recent analysis from Cornell University showing that APTs (advanced persistent threats) are more likely to exploit known vulnerabilities than zero days. So, Nost says, “CISOs should also take into account threat actors and consider if APTs are likely to target their organizations.”

He says security teams should consider active exploits as a “a better prioritization factor to consider versus what the media is talking about.”

“Teams are pressed for time. If they’re playing whack-a-mole on every vulnerability that shows up on Twitter, then they’re not actively assessing risk that’s specific for their organization, against their acceptable risk appetite, and remediating the vulnerability that is the biggest threat,” Nost adds. “And if there is a zero day or vulnerability that makes news headlines, you may still need to take action, so your teams should have procedures on how to assess the threat. Just remember to stick to the established playbook, risk appetite, and threat analysis procedures.”

9. Relying on outdated information

The Gartner directors survey not only showed that most boards now view cybersecurity as a risk, it also found that a majority (57%) have increased or expect to increase their risk appetite during the 2021-2022 time period. At the same time, the number of newly identified vulnerabilities found annually continues to grow year over year. And the typical enterprise’s IT environment continuously evolves.

Taken together, these points illustrate the need for CISOs to develop processes to revisit and review their calculus for prioritizing vulnerability mitigations and remediation, experts say.

“Too often companies aren’t great about managing the lifecycle of vulnerabilities,” Gray says. “It’s always growing, it’s always changing, and it’s something that needs to be constantly paid attention to.”

10. Not embedding security into development

Nocera says not enough organizations are embedding security and secure design principles into the development process, leading to a missed opportunity for CISOs and CIOs to together build a more robust vulnerability management program for their organizations.

Bringing security earlier into the development process—or “shifting left”—lets CISOs get ahead of security problems before code gets into production, Nocera says. “So you’re not introducing known vulnerabilities into the environment.”

Shifting left won’t necessarily cut back on the amount of vulnerability management work, Nocera says, but—like eliminating legacy systems and technical debt—it does free up resources so teams can optimize their vulnerability management efforts.