Commentary Risk Management
Is Your Organization Doing Good Things Or Doing The Right Things?
Fixing vulnerabilities that are a real threat is the right thing to do
Organizations are spending significant resources on security and still getting compromised. The problem is that they are doing good things that will help build a solid security foundation, but they are not solving the right problems that will actually stop attacks.
The problem is that many organizations are misaligned with risk. The general formula for calculating risk is: risk = threat x vulnerabilities.
More Security Insights
- Accelerating Economic Growth and Vitality through Smarter Public Safety Management
- Digital Transformation: Creating new business models where digital meets physical
- Get Actionable Insight with Security Intelligence for Mainframe Environments
- Technical Debt: Asset or Liability
Looking at the formula, it is pretty obvious that if an organization wants to reduce a given risk, it would have to reduce one of the two items that are multiplied together. The question now is, which item does an organization control?
Threat is the potential for harm or what the offense is capable of doing. Vulnerabilities are defensive weaknesses that allow a threat to manifest itself. Organizations can control and reduce vulnerabilities; they have little control over the threats. Therefore, if you want to reduce risk, the way this is accomplished is by reducing the vulnerabilities. This is where the problem begins for many organizations.
Fixing random vulnerabilities is a good thing to do. Fixing vulnerabilities in which there is a real threat is the right thing to do.
Many organizations approach vulnerabilities as a numbers game. Organizations often say they will fix the low-hanging fruit weaknesses, or that 30 vulnerabilities reduced a month will keep the attackers away. The problem is that vulnerability reduction is a quality game, not a quantity game. It is better to fix five vulnerabilities in which there is a real threat than 50 in which there is no threat and therefore a minimal risk. Since there is no such thing as a vulnerable-free environment, any time spent on fixing random vulnerabilities is time that cannot be spent on fixing the highest priority vulnerabilities, which are those in which there is a real threat.
Therefore, in managing risk, threat drives the risk calculation and vulnerabilities drive risk reduction. Now the question is which threats to focus on. The answer is the threats that have the highest likelihood that are coupled with the vulnerabilities that have the biggest impact. By focusing in on threats, likelihood and impact to prioritize risk will allow organizations to fix the vulnerabilities that really matter, which will align an organization with the right defenses.
Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author.