CyberJAGO Thoughts & Opinions

JAGO

Sharing a Pragmatic View of Cybersecurity

A painful reality: Vulnerabilities are not created equal!

Vulnerabilities should be looked at in perspective and considered individually, case by case. What is a critical vulnerability for one organization may be far less critical for another, so we must treat them accordingly.

The recent breach of Progress Software's MOVEit proved once again the necessity for that level of examination and analysis within organizations. The hack of this managed file transfer tool led to a widespread potential for exploitation. But the urgency to patch depended on how the tool was deployed and protected in a specific organization.

Without a good understanding of what the vulnerability is and how it could be exploited in your own environment, security teams can divert resources to a patch that was not the right priority at the time, given all the competing demands on a security organization's attention. When too many demands require immediate attention indiscriminately, you put a lot of stress on your resources; people start burning out and getting frustrated, and you start affecting the balance of your ecosystem.

This is where contextualization becomes critical: it lets you take a more measured, programmatic approach to closing the holes and weaknesses within your organization. You can put each vulnerability in the right bucket and remediate it according to your established SLAs.

In times when resources are tight and organizations are pressing security teams to do more with less, having the right processes in place guides the team to prioritize in a way that does not cause burnout. We need to find ways to focus on critical developments and arrive at each situation already knowing how to prioritize, instead of rushing to act on things as they happen. This is a fine balance we need to strike as we deal with risk every day. If we treat all vulnerabilities at their CVSS face value, we will need an army of people to put out fires. Not everything merits dropping everything to fix it immediately. There are times when we can wait longer to remediate without putting a lot of stress and pressure on a team that is already stretched too thin.
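As an added illustration (not from the original post), here is one way to turn the contextualization argued for above into a repeatable step: the same vendor CVSS base score is adjusted for each deployment's exposure, compensating controls and business value, then mapped to an SLA bucket. All weights, SLA values, asset records and the vulnerability id are constructed assumptions, not figures from MOVEit or any real advisory.

```python
# Adjust a vendor CVSS base score by how the affected asset is actually deployed
# and protected, then map it to a remediation SLA bucket. All weights, SLAs,
# asset records and vulnerability ids below are constructed for illustration.
from dataclasses import dataclass
from enum import Enum

class Exposure(Enum):
    INTERNET = 1.0   # reachable by anyone: CVSS counts at face value
    PARTNER = 0.85   # reachable from a few third-party networks
    INTERNAL = 0.7   # reachable only from inside the corporate network

# Score credit for each compensating control actually in place (constructed weights).
CONTROL_CREDIT = {"vpn_only": 1.5, "ip_allowlist": 1.0, "segmented": 1.0, "waf": 0.5}
# Remediation deadline in days per priority bucket (constructed SLAs).
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}

@dataclass
class Asset:
    name: str
    exposure: Exposure
    criticality: int        # 1 = low value, 2 = normal, 3 = crown jewel
    controls: tuple = ()    # keys of CONTROL_CREDIT that are deployed

@dataclass
class Finding:
    vuln_id: str            # placeholder id, not a real CVE
    cvss_base: float
    exploited_in_wild: bool = False

def contextual_score(finding: Finding, asset: Asset) -> float:
    """CVSS base score adjusted for this deployment's exposure, controls and value."""
    score = finding.cvss_base * asset.exposure.value
    score -= sum(CONTROL_CREDIT.get(c, 0.0) for c in asset.controls)
    score += 0.5 * (asset.criticality - 2)      # +0.5 crown jewel, -0.5 low value
    if finding.exploited_in_wild:
        score += 1.0                            # active exploitation raises urgency
    return round(min(max(score, 0.0), 10.0), 1)

def sla_bucket(score: float) -> str:
    """Map a contextual score to the SLA bucket it is remediated under."""
    for bucket, floor in (("P1", 9.0), ("P2", 7.0), ("P3", 4.0)):
        if score >= floor:
            return bucket
    return "P4"

def prioritize(finding: Finding, assets: list) -> list:
    """Rows of (asset, score, bucket, SLA days), most urgent deployment first."""
    rows = []
    for a in assets:
        s = contextual_score(finding, a)
        rows.append((a.name, s, sla_bucket(s), SLA_DAYS[sla_bucket(s)]))
    return sorted(rows, key=lambda r: -r[1])
```

Run against three constructed deployments of the same tool, an internet-facing instance lands in P1 while an internal instance reachable only over VPN with an IP allowlist lands in P3, which is the post's point: one advisory, different deadlines.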
