10 Mistakes CISO’s Make in Vulnerability Management

KLC Consulting’s president, Kyle Lai, recently shared his insights in CSO Magazine about the 10 most common pitfalls CISO’s make when trying to keep their vulnerability management up to snuff. The number of unpatched vulnerabilities identified have risen anywhere from 27% to 60% over the past several years. This comes as no surprise to cyber security professionals given their resources are stretched thin between challenges with remote workforce requirements, pandemic set backs, and staffing shortages. However, there are 10 mistakes CISO’s tend to make which can be corrected to bolster these programs. To read the full article, click here

1. Not putting enough skin in the game

One stumbling block is that CISO’s are frequently unable to get support from their company’s senior leadership. The CISO and the leadership team need to collaborate to fully understand the risk and scheduling time for patching and system downtime.

2. Failing to share the responsibility

Some leading security professionals believe that CISO’s should not carry the responsibility of risk on behalf of a company. They do not own the business or systems they support, so executives need clarity and accountability around the vulnerability lifecycle their systems are introducing.

3. Not Prioritizing and address biggest threats

Each company has their own unique risk profiles, and too often, security executives focus on the wrong threats. Kyle says that CISOs and their teams must understand their enterprise’s technology environment and have a current asset inventory to effectively prioritize and address the biggest threats to their company. He says, “They should have a good understanding of how big an impact a particular threat might have; they should know which ones are more serious. They should be prioritizing based on the impact to their own organization.”

4. Lack of training employees

Most employees want to do right by the company, but security leaders are not always committed to providing the ongoing education that is necessary to deliver strong vulnerability management. Specialized training is required on behalf of both security workers and IT workers to do the patching.

5. Not knowing your IT code

It’s important for organizations to know the code they have in their IT environment. This enables security executives to know the full extent of vulnerabilities that need to be addressed. “You have to know what code and what open source components you have, so when something like Log4J comes out, you know all the places it exists,” Kyle says.

6. Procrastinating upgrades

Getting rid of legacy systems, the less vulnerabilities enterprises will have to manage. This doesn’t eliminate vulnerabilities, but it does reduce risk by retiring systems that can no longer be patched. This paves the way to make a cloud management platform a priority.

7. Sticking your head in the sand about emerging threats

According to Lia, “You want to pay attention to what’s coming out. They might not offer any details, but this type of intelligence helps you better prepare,” he says. “You can start working or planning.” There are several security resources and news briefs that offer the first glimpse about emerging threats and new vulnerabilities. It’s critical to stay aware and not reactive to threats.

8. Overreacting to every threat

Security teams have to maintain a balancing act with limited resources between chasing down every vulnerability that comes across their inbox versus prioritizing what is the biggest threat. CISOs should have a plan in place to evaluate risk and vulnerabilities and remediate APTs (advanced persistent threats).

9. Failing to manage the lifecycle of vulnerabilities

Vulnerabilities are always changing and the typical enterprise’s IT environment continuously evolving, forcing the need for CISOs to develop processes to assess and readdress their IT playbook. Most boards now view cybersecurity as a major risk according to a Gartner survey. Managing the lifecycle of vulnerabilities is something that is ongoing.

10. Not integrating security into the development process

Incorporating the security function earlier into the development process and embed it in the earliest stages, enables CISOs to avoid introducing vulnerabilities into the IT environment. This allows for CISOs to develop a more robust and cost effective vulnerability management program for their enterprises.

These 10 pitfalls undermine security program success which can be addressed to mitigate software vulnerabilities. KLC Consulting performs Ethical Hacking Consulting (Penetration Test and Vulnerability Assessment Consulting) to evaluate and improve your organization’s security posture in compliance with NIST 800-171 and CMMC 2.0. We present findings together with our recommendations to strengthen your cybersecurity defense and we’re ready to help with remediation.