Intelligent CISO Issue 34 | Page 67

decrypting myths

Going beyond the vulnerability hype : Top considerations for security teams

To ensure effective vulnerability management, it is essential that business leaders take a risk-based approach when making decisions. Stephen Roostan, VP EMEA at Kenna Security, discusses how organisations can manage their vulnerabilities to external threats as the attack surface widens.

It's all too easy to get caught up in the hype surrounding a new vulnerability, especially if that hype catches the attention of the CEO, who then wants to know if the company is at risk. With today's headlines publicising the latest big brand names to fall victim to a breach, it's no surprise that security leaders are under significant and growing pressure to manage risk effectively.

But while all this media hype around security vulnerabilities and breaches serves to draw some much-needed attention to the importance of security, not all vulnerabilities are worthy of the celebrity treatment.

For example, the media frenzy whipped up around Heartbleed a couple of years ago focused widespread attention on a vulnerability in an open source cryptographic protocol that put millions of websites at risk and prompted organisations to take much-needed, appropriate action. Yet other vulnerabilities that have never garnered media attention can fly under the radar of security teams. In fact, recent research from Kenna Security and the Cyentia Institute has shown that just 5% of vulnerabilities fall into the 'high-risk' category, indicating that they could be weaponised in some way. As an example, manufacturing companies in particular are only able to patch eight out of 10 high-risk vulnerabilities, placing manufacturing among the slowest sectors at fixing vulnerabilities.
Taking an objective view
Framing vulnerability management efforts around security news headlines puts security teams in a precarious position. As the news and hype around security vulnerabilities escalates, it is becoming increasingly difficult for security teams to remain current with the threat landscape and determine how best to prioritise their efforts.

Allocating precious time and energy to yield the biggest dividends where reducing organisational risk

www.intelligentciso.com