Traditional patch management methods are reactive, siloed, and often lack alignment with business priorities. Cybersecurity, IT, engineering, DevOps, etc. teams frequently struggle to prioritize remediation based on business risk, leading to inconsistent practices across different areas of the organization. For example, while desktop, server, and networking teams may have established patching routines, DevOps teams and those managing Industrial Control Systems (ICS) and Operational Technology (OT) often find it challenging to balance the risk of unpatched vulnerabilities against operational demands.
By aligning cybersecurity efforts with organizational risk tolerance and business objectives, this strategy enables more effective prioritization of vulnerabilities based on their potential impact on critical business functions and the existence of compensating controls, such as, intrusion detection/prevention systems, network segmentation, encryption, and other access controls.
This article is an extract from the report "Beyond Patching: Redefining Cybersecurity Strategies for Effective Risk Mitigation" which is available to download now.
Towards a Risk-Centric Approach
In contrast to traditional approaches that focus only on identifying and remediating vulnerabilities without considering context, a risk centric approach aligns cybersecurity philosophy with the organization's risk tolerance and business initiatives. Moving an enterprise toward a risk-centric approach for vulnerability management is a strategic shift that enables organizations to prioritize their remediation efforts based on the potential impact of vulnerabilities on business initiatives.
This assumes a cyber program aligns overall objectives with a risk-based framework, regardless of the model/framework, and a business impact analysis is represented in some capacity. Keep in mind there is a “cost” associated with remediating every vulnerability. Also, for every vulnerability that is remediated, a decision is made to not remediate other vulnerabilities. This approach seeks to provide guidance and the framework for arriving at these decisions.
Using this philosophy, not all vulnerabilities are equal, meaning that they all do not present the same level of risk to an organization. Some vulnerabilities may be trivial or have minimal impact if exploited, while others may lead to significant financial losses, reputational damage, or regulatory non-compliance and potential enforcement actions.
Additionally, some vulnerabilities are either not actively exploited, not able to be exploited and may be only considered “proof of concept.” Therefore, instead of attempting to remedy every discovered vulnerability, organizations may consider prioritizing vulnerabilities based on their potential impact and their exploitability on critical business functions.
Key Considerations for a Risk-Centric Approach to Vulnerability Management:
- Risk Assessment: Conduct comprehensive risk assessments to identify and evaluate vulnerabilities within their systems, networks, and applications. This is not limited to missing patches, but rather an assessment with a lens on risk analysis and should include configuration management as a component. A corporate business and technology risk register should exist and be consulted for this exercise. Thorough assessments consider exploitation scenarios, the potential impact on business operations, the value of the assets affected, and regulatory compliance requirements, to name a few. Exploitation scenarios may include vulnerable assets that may be exposed to the internet, named threat actors attempting to leverage the vulnerability, etc.
- Business Alignment: It has been said and proven that cybersecurity efforts should be aligned with the organization's overall business initiatives and risk appetite. By aligning vulnerability management with technology risk, organizations can ensure that resources are directed towards protecting the most critical assets and functions. Recall at the beginning of this section it was mentioned there is a “cost” to remediating each vulnerability.
- Risk-Centric Approach: Prioritize scenarios built from the risk assessment, considering any compensating controls. The analysis must include a full understanding of the context of the control and how the control may mitigate the risk and potentially lower the risk severity and any requirement for patching a vulnerability. Considering compensating controls may often lead to lower costs associated with patching.
- Continuous Monitoring: Vulnerability management is an ongoing process that requires continuous monitoring. Organizations must stay vigilant against emerging threats, evolving attack vectors, and changes in the technology landscape. At a broader level, a consideration is to develop a cyber-situational awareness program that includes monitoring threat intelligence, conducting regular vulnerability scans at a defined cadence, and leveraging automation to remediate vulnerabilities.
By adopting a risk-centric approach to vulnerability management, organizations can optimize their security investments, focus resources on mitigating the most significant risks, and align security efforts with business initiatives. This move toward a risk-centric approach enables organizations to better protect their assets, data, and reputation in an ever-changing threat landscape, while focusing on what is important.
