The issue of vulnerability management

It would seem improbable that, nearly twenty-six years after the first vulnerability scanners were developed, vulnerability management would remain a primary security challenge for enterprise organizations. Yet in 2019, some of the most advanced security organizations still struggle to address vulnerability management within their enterprises. Time and again, the incidents that shake industries and society involve well-known vulnerabilities that could have been addressed.

Vulnerabilities are more debt than whack-a-mole

Oftentimes, discussion of why vulnerability management is still a challenge for businesses leads to talk of a “whack-a-mole” mentality. The analogy refers to the old arcade game in which a player must hit a plastic mole during the short period it pops out of its hole. The game becomes hard when so many moles are out at once that the player cannot hit all of them before they drop back into their holes.

It is easy to see why people working in vulnerability management find this an accurate metaphor for their roles. New vulnerabilities are discovered continuously, and addressing each one requires both security-focused and non-security-focused personnel. Thus, while attention is being paid to one set of issues, a new one pops up.

Unfortunately, unlike the arcade game, when fatigue or some other deficiency results in a vulnerability not being addressed, the issue does not simply drop back into the hole it came from; the vulnerability remains. Worse, unaddressed vulnerabilities pile on top of one another. A closer analogy would be adding another whack-a-mole machine every time the game is not conquered.

This buildup, in which vulnerabilities accumulate to the point where a business cannot address all of them in a timely manner with its current resources, is often referred to as vulnerability debt. The debt grows as the organization fails to address both new and old vulnerabilities promptly. The result is a business operating at an unreasonable and unnecessary level of risk.

This is the situation in many enterprise environments and is the root of why vulnerability management is still a challenge today. The immediate and obvious question is, “How do enterprises erase vulnerability debt?”

Erasing vulnerability debt

As money managers often say, to get out of debt one must first address the reasons one got into debt in the first place. It is no different for businesses that find themselves with vulnerability debt.

In most cases the core issues that cause vulnerability debt can be narrowed down to:

  • A lack of inclusion of security within development.
  • Inefficient technology management.
  • A lack of accurate prioritization of vulnerabilities.
  • Poor communications between disparate teams.
  • A lack of resources.

More often than not, however, vulnerability debt results from a combination of all of these factors. Many businesses temporarily reduce their vulnerability debt by addressing one of them, only to see the debt build again. To wipe out vulnerability debt and keep it from returning, a business has to address every root cause of its debt.

This boils down to a relatively logical process:

  1. Discover a vulnerability.
  2. Remediate the vulnerability.
  3. Automate the remediation for other vulnerable systems.
  4. Determine why the vulnerability existed on an application or within a system.
  5. Ensure it is not reintroduced into an environment.
  6. Repeat this process continuously.
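The debt described above can be measured, and steps 3 and 5 of the process can be checked mechanically, from an ordinary scanner export. The following Python script is an added example and not code from the article or from KPMG; the finding format, the SLA values, the vulnerability ids (V-1001 and so on, not real CVE numbers) and the sample findings are all constructed for illustration.

```python
# Added example (not from the article): measuring vulnerability debt and
# spotting reintroduced findings from a scanner export. The finding format,
# the SLA values and the sample data below are all constructed for
# illustration; real scanner exports and remediation policies differ.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed remediation deadlines (days from first detection) per severity.
# Hypothetical policy values, not a recommendation.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                      # constructed ids below, not real CVEs
    severity: str
    first_seen: date                  # first scan that reported it on this host
    fixed_on: Optional[date] = None   # first scan that no longer reported it

    def is_open(self, as_of: date) -> bool:
        return self.fixed_on is None or self.fixed_on > as_of

    def days_overdue(self, as_of: date) -> int:
        """Days past the SLA for an open finding; 0 if closed or within SLA."""
        if not self.is_open(as_of):
            return 0
        age = (as_of - self.first_seen).days
        return max(0, age - SLA_DAYS[self.severity])


def open_findings(findings: List[Finding], as_of: date) -> List[Finding]:
    return [f for f in findings if f.is_open(as_of)]


def debt_by_severity(findings: List[Finding], as_of: date) -> Dict[str, Dict[str, int]]:
    """Vulnerability debt: open findings, how many are past SLA, and the summed
    overdue days (the 'interest' that accrues while nothing is done)."""
    debt = {sev: {"open": 0, "overdue": 0, "overdue_days": 0} for sev in SLA_DAYS}
    for f in open_findings(findings, as_of):
        bucket = debt[f.severity]
        bucket["open"] += 1
        overdue = f.days_overdue(as_of)
        if overdue > 0:
            bucket["overdue"] += 1
            bucket["overdue_days"] += overdue
    return debt


def reintroduced(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(host, vuln_id) pairs that were fixed and later reported again: the
    root cause (step 4) was not addressed, so step 5 failed."""
    history: Dict[Tuple[str, str], List[Finding]] = defaultdict(list)
    for f in findings:
        history[(f.host, f.vuln_id)].append(f)
    result = []
    for key, runs in history.items():
        runs.sort(key=lambda f: f.first_seen)
        for earlier, later in zip(runs, runs[1:]):
            if earlier.fixed_on is not None and later.first_seen > earlier.fixed_on:
                result.append(key)
                break
    return sorted(result)


def hosts_needing_same_fix(findings: List[Finding], vuln_id: str, as_of: date) -> List[str]:
    """Once one host is remediated, step 3 is to roll the same fix out to
    every host where that finding is still open."""
    return sorted({f.host for f in open_findings(findings, as_of) if f.vuln_id == vuln_id})


# Constructed sample export (not real scan data) and a reporting date for the demo.
AS_OF = date(2019, 6, 1)
SAMPLE_FINDINGS = [
    Finding("web-01", "V-1001", "critical", date(2019, 3, 1), fixed_on=date(2019, 3, 5)),
    Finding("web-01", "V-1001", "critical", date(2019, 5, 20)),   # back after a redeploy
    Finding("web-02", "V-1001", "critical", date(2019, 3, 1)),    # never fixed
    Finding("db-01", "V-2002", "high", date(2019, 5, 15)),        # open, still within SLA
    Finding("app-03", "V-3003", "medium", date(2019, 1, 10)),     # quietly overdue
    Finding("app-03", "V-4004", "low", date(2018, 12, 1), fixed_on=date(2019, 2, 1)),
]

if __name__ == "__main__":
    for sev, bucket in debt_by_severity(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{sev:9} open={bucket['open']} overdue={bucket['overdue']} "
              f"overdue_days={bucket['overdue_days']}")
    print("reintroduced:", reintroduced(SAMPLE_FINDINGS))
    print("still need V-1001 fix:", hosts_needing_same_fix(SAMPLE_FINDINGS, "V-1001", AS_OF))
```

Run it as a script to print the debt per severity as of the constructed reporting date. The overdue_days figure is the part of the debt that keeps growing while nothing is done, which is the "interest" on the debt; the reintroduced list is the signal that a fix was applied without fixing why the vulnerability was there, which is exactly the loop steps 4 and 5 exist to break.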

Building an action plan

Easier said than done, right? If businesses could simply take the direction of a single paragraph and apply it to their organization to solve vulnerability management, and vulnerability debt in particular, everyone would have done so in the past twenty-six years. Unfortunately, that is not realistic.

What are the immediate next steps to addressing the issue of vulnerability management then?

  1. Develop an action plan to address the entire glut of vulnerability debt within an enterprise
  2. Develop an understanding of the current state of vulnerability management within an enterprise
  3. Develop a target-state operating model for vulnerability management
  4. Determine the gaps between where the enterprise is and where it wants to be with regards to vulnerability management
  5. Design a roadmap for addressing gaps and implementing the target state
  6. Plan to again develop an action plan to address the entire glut of vulnerability debt that builds while implementing the roadmap

This type of action plan requires a great deal of time and focus, but it pays off in the long run. Unfortunately, the allure of the immediate satisfaction of tactically targeting currently open vulnerabilities masks the need for systemic change. As a result, most organizations continue to fail to address the core issues and find themselves in an endless loop of accumulating vulnerability debt followed by massive efforts to pay it down. That is why, 26 years after the problem was first identified, it remains unremediated in most environments.

Cyber security defense is about what you can do, not what you can't.

Some or all of the services described herein may not be permissible for audit clients and their affiliates. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.
© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.