Home » Cybersecurity » Threats & Breaches » Vulnerabilities » Steps for Successful Vulnerability Management: Lessons from the Pitch

Steps for Successful Vulnerability Management: Lessons from the Pitch

When I was younger, I played a variety of team sports and enjoyed competing against opponents with my teammates. Winning was always a matter of applying sound tactics and strategy, attacking and defending well and using a blend of skill, talent and luck. Now that I’m older, I watch more than I play, and I’m able to appreciate the many lessons team sports teach, especially at the professional level. With sports, we can tackle technical topics in a relatable way. In this post, I take on vulnerability management (VM). The key word here being “management,” an active and continuous approach to dealing with risk. Like the dynamic action on a ball field, vulnerability management is something that is always changing and rarely predictable. It also requires active participation.

There is an aphorism in sports that defense wins championships. While there is some debate about this in the sporting world, defending the enterprise against a data breach is a required business practice. Continuous vulnerability management remains Number 3 in the CIS critical security controls; it contributes to the defense that wins business.

To understand vulnerability management, it helps to have a common definition of vulnerability. A misconception about this term is that it is monolithic and binary. How often have we heard someone say “We need to patch a vulnerability”? This framing is dangerous as it assumes a vulnerability is a singular thing that can be fixed and forgotten. Shifting the focus to what it is we want to protect rather than any specific weakness changes the question to “how vulnerable are we?” In other words, “how likely is it that a threat can cause harm to my critical asset?” Soccer offers a good analogy: the critical asset is the goal, and the threat is the opposing team (Read more...)