Intelligent CIO LATAM Issue 36 | Page 40

CIO OPINION
End-to-end visibility into an organization's technology stack is becoming harder to achieve, with shadow IT only exacerbating the problem.
Limited resources mean that cybersecurity maintenance tasks are never completed.
Additionally, the scope and impact of software supply chain risk is only just starting to be properly understood by those outside the software development industry.
Unfortunately, those responsible for patching and fixing software vulnerabilities are rarely involved in the technology selection process, so lessons learned in remediation seldom feed back into technology selection choices. Layer onto this the escalating compliance landscape and it is easy to see how overwhelming the task is.
It is simply impossible to patch and mitigate every software vulnerability present in an enterprise network.
Historically, organizations would prioritize mitigation based on limited and inward-facing data, such as server versus workstation, an employee's role, asset criticality, vulnerability score and patch availability.
Despite this level of prioritization, patching remains a time-consuming task with limited effectiveness, because it does not take into account how a vulnerability is actively being exploited in the wild, nor the risk posed to a company's specific environment by the adversaries leveraging it.
Most companies focus more on the consequences and severity of a vulnerability than on the likelihood that they may be impacted. If you focus too much on severity and consequence, you may not see the complete picture. CVSS scores, for example, focus mainly on severity, with global values for likelihood that are assumed valid for all organizations, which is a mistaken assumption. Yes, a vulnerability may be critical and of the highest severity, but that vulnerability is relevant to your own organization because of the threats that target it. This is where custom likelihood comes in. Understanding your own likelihood is critical for prioritization and triage. The modern enterprise has a new wealth of internal and external data with which to make more data-informed choices about the actions to take and the threats to respond to.
While exposure is an important input into the risk equation, it only really becomes relevant once certain stages of the vulnerability lifecycle are reached.
For example: what is the cost for adversaries to develop exploitation tools for the vulnerability, or is it already available within the existing off-the-shelf attack tool sets?
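As an added illustration of the prioritization argument above (this is example code written for this edit, not the author's or any vendor's method), the following Python script scores a small set of constructed findings two ways: by CVSS base score alone, and by a custom risk that multiplies severity by asset criticality and an organization-specific likelihood built from the signals the article names (exploitation in the wild, availability in off-the-shelf tool sets, exposure, and whether the adversaries using it target your sector). The field names, weights and sample records are all assumptions chosen for the illustration; a real programme would tune the weights against its own threat intelligence and asset inventory.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    """One vulnerability on one asset. Field names are assumptions for this example."""
    vuln_id: str
    asset: str
    cvss_base: float            # published severity, 0-10 (a global value)
    exploited_in_wild: bool     # observed in intrusion reporting
    exploit_public: bool        # present in off-the-shelf attack tool sets
    internet_facing: bool       # exposure: reachable from outside the network
    asset_criticality: int      # 1 (low) .. 5 (crown jewel), from the asset inventory
    actor_targets_sector: bool  # threat intel: adversaries using it target our industry


# Weights are constructed for the illustration, not derived from any standard.
def custom_likelihood(f: Finding) -> float:
    """Organization-specific likelihood in [0, 1], replacing CVSS's global assumption."""
    score = 0.05  # baseline: any known vulnerability carries some chance of abuse
    if f.exploit_public:
        score += 0.30  # cheap for adversaries: no tooling to develop
    if f.exploited_in_wild:
        score += 0.35  # the lifecycle stage where exposure really starts to matter
    if f.actor_targets_sector:
        score += 0.15
    if f.internet_facing:
        score += 0.15
    else:
        score *= 0.5   # internal-only reduces likelihood but does not remove it
    return min(score, 1.0)


def custom_risk(f: Finding) -> float:
    """Severity x impact-to-us x likelihood-to-us, rounded for stable comparison."""
    severity = f.cvss_base / 10.0
    impact = f.asset_criticality / 5.0
    return round(severity * impact * custom_likelihood(f), 4)


def cvss_only_order(findings: List[Finding]) -> List[str]:
    """The 'severity first' ordering the article criticises."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def custom_risk_order(findings: List[Finding]) -> List[str]:
    """Ordering by custom risk, highest first."""
    return [f.vuln_id for f in sorted(findings, key=custom_risk, reverse=True)]


# Constructed sample findings (hypothetical identifiers and assets).
SAMPLE_FINDINGS = [
    Finding("VULN-A", "build-server-07", 9.8, False, False, False, 2, False),
    Finding("VULN-B", "customer-portal", 7.5, True, True, True, 5, True),
    Finding("VULN-C", "hr-database", 8.8, False, True, False, 4, False),
]

if __name__ == "__main__":
    print("CVSS-only order :", cvss_only_order(SAMPLE_FINDINGS))
    print("Custom risk order:", custom_risk_order(SAMPLE_FINDINGS))
    for f in SAMPLE_FINDINGS:
        print(f"{f.vuln_id}: cvss={f.cvss_base} likelihood={custom_likelihood(f):.3f} "
              f"risk={custom_risk(f)}")
```

Run as written, the CVSS-only view ranks the 9.8 on an isolated, low-value build server first, while the custom view puts the 7.5 on the exposed, actively exploited customer portal at the top and pushes the isolated 9.8 to the bottom, which is the "complete picture" the article argues severity alone cannot give.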
INTELLIGENTCIO LATAM | www.intelligentcio.com