Vulnerability Management Everyone Can Get Behind


When was the last time you conducted a security assessment? For many IT teams, this is a once-a-year job. End-users may receive software updates and security patch alerts regularly—but many go unnoticed or ignored because no one wants to disrupt business operations to install them.

In the first installment of our new TrendWatch webinar series, Justin Flynn, SE Manager at Burwood Group, discussed the emerging evolution in vulnerability management. Many of Burwood’s clients are taking a more proactive approach to identifying and addressing network and system vulnerabilities. They’re also working to shift the perception of security updates as ad hoc interruptions to well-coordinated, vital activities.

Security processes need updates, too

Traditionally, many organizations conduct an annual vulnerability review: they work through lengthy scan reports and remediate only the most exposed systems. Remediation progress is not tracked or recorded, so there is no baseline to compare against.

The next year, they repeat this process—often finding the same issues again.

Meanwhile, end-users may regularly receive security update alerts from their software providers or the IT team, such as Microsoft’s monthly Patch Tuesday security updates, Adobe Acrobat’s frequent version updates, and emergency patches for critical vulnerabilities like Shellshock (in Bash) and Heartbleed (in OpenSSL). Infrastructure security updates, for firmware and network devices, are generally less predictable.

Though cybersecurity is top of mind across industries, IT teams are often challenged to make the business case for continuous vulnerability management. How do you quantify the success of a technology investment when the goal is for nothing to happen? However, some leaders are learning how to demonstrate the business value in terms of improved uptime and risk mitigation.

Identify, mitigate, track—and repeat

Forward-looking IT teams are updating their strategies to identify and respond to vulnerabilities more quickly. One simple action is to measure whether pushed security updates are actually being installed, rather than assuming that distribution equals installation, and to remind users why updates matter.

Some IT teams are beginning to use scanning tools, like Cisco’s security automation tools, for security assessment. The most effective programs keep scan history, so that each run can be compared with the last to verify that fixes were applied and to catch findings that reappear, and they scan continuously from both inside and outside the network. Continuous scanning is more than a compliance checkbox: it reduces exposure, adds business value, and should be a key part of an effective security strategy.
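The "identify, mitigate, track" loop above only works if scan results are kept and compared between runs. The following is an added example, not code from the webinar or from Burwood Group, of the tracking step: it takes scan findings exported as (host, vulnerability id, severity), classifies each finding as new, fixed or persistent relative to the previous run, dates how long each open finding has been continuously present, and flags the ones that have exceeded a remediation SLA. The host names, scan dates and SLA values are constructed for illustration; the two vulnerability ids are Shellshock and Heartbleed, which the article mentions.

```python
"""Track scan findings across runs so remediation progress is captured.

Added example, not code from the webinar or from Burwood Group. It assumes
the scanner can export each finding as (host, vulnerability id, severity);
the hosts, dates and SLA values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: str  # "critical", "high", "medium" or "low"


# Hypothetical remediation SLA in days per severity; tune to local policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def diff_scans(previous, current):
    """Classify findings as new, fixed or persistent between two scan runs."""
    return {
        "new": current - previous,
        "fixed": previous - current,
        "persistent": previous & current,
    }


def first_seen(history):
    """Date each finding in the latest scan was first observed.

    Only the unbroken run of scans ending at the latest one counts, so a
    finding that was fixed and later reappeared (for example a host rebuilt
    from a stale image) is dated from its reappearance, not its first sighting.
    """
    dates = sorted(history)
    latest = dates[-1]
    seen_since = {}
    for finding in history[latest]:
        seen = latest
        for d in reversed(dates):
            if finding not in history[d]:
                break
            seen = d
        seen_since[finding] = seen
    return seen_since


def overdue(history, as_of):
    """Findings in the latest scan open longer than their severity's SLA."""
    return {
        finding: (as_of - seen).days
        for finding, seen in first_seen(history).items()
        if (as_of - seen).days > SLA_DAYS[finding.severity]
    }


def remediation_rate(previous, current):
    """Fraction of the previous scan's findings that no longer appear."""
    if not previous:
        return 1.0
    return len(previous - current) / len(previous)


# Constructed sample history: three monthly scans of two web hosts.
# CVE-2014-6271 is Shellshock and CVE-2014-0160 is Heartbleed, the two
# emergencies mentioned in the article; the host names are made up.
SHELLSHOCK = "CVE-2014-6271"
HEARTBLEED = "CVE-2014-0160"
HISTORY = {
    date(2015, 11, 1): {
        Finding("web01", SHELLSHOCK, "critical"),
        Finding("web01", HEARTBLEED, "high"),
        Finding("web02", HEARTBLEED, "high"),
    },
    date(2015, 12, 1): {
        Finding("web01", SHELLSHOCK, "critical"),
        Finding("web02", HEARTBLEED, "high"),   # web01 Heartbleed fixed
    },
    date(2016, 1, 1): {
        Finding("web01", SHELLSHOCK, "critical"),
        Finding("web01", HEARTBLEED, "high"),   # regressed on web01
        Finding("web02", HEARTBLEED, "high"),
    },
}


if __name__ == "__main__":
    scans = sorted(HISTORY)
    for prev, curr in zip(scans, scans[1:]):
        delta = diff_scans(HISTORY[prev], HISTORY[curr])
        rate = remediation_rate(HISTORY[prev], HISTORY[curr])
        print(f"{prev} -> {curr}: {len(delta['new'])} new, "
              f"{len(delta['fixed'])} fixed, {len(delta['persistent'])} "
              f"persistent, remediation rate {rate:.0%}")
    for finding, days in sorted(overdue(HISTORY, date(2016, 1, 27)).items(),
                                key=lambda kv: -kv[1]):
        print(f"OVERDUE {finding.host} {finding.vuln_id} "
              f"({finding.severity}): open {days} days")
```

The regression case is the one worth noticing: web01's Heartbleed finding was fixed in December and is back in January, so the report lists it as new with an age counted from January rather than quietly folding it into an old finding. The overdue list, rather than the raw finding count, is what gives a leader something to report on, since it shows which items have outlived the window the business agreed to.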

The other area of progress lies in persuading business users that security upgrades don’t have to be distractions. As with many IT projects, IT teams are finding greater success for vulnerability management when they collaborate with the rest of the business to identify optimal, pre-defined outage windows for security upgrades.

This “handshake with the business” approach makes it easier for all parties to accept, for instance, one hour of outage on every third Saturday. As scheduled outages become routine, even hardware refresh cycles become less disruptive.

For more on vulnerability management, including handling third-party vendor restrictions, watch Justin Flynn’s TrendWatch webinar – Vulnerability Management: Components of a Well-Defined Program.


January 27, 2016