It would seem improbable that, nearly twenty-six years after the first vulnerability scanners were developed, vulnerability management would remain a primary security challenge for enterprise organizations. Yet in 2019, some of the most advanced security organizations still struggle to manage vulnerabilities within their own enterprises. Time and again, the incidents that shake industries and society involve well-known vulnerabilities that could have been addressed.
Often, discussion of why vulnerability management is still a challenge for businesses leads to talk of a "whack-a-mole" mentality. The analogy refers to the old arcade game in which a player must hit a plastic mole during the short time it pops out of one of the holes. The game gets hard when so many moles are up at once that the player cannot hit all of them before they drop back into their holes.
It is easy to see why people working in vulnerability management find this an accurate metaphor for their roles. New vulnerabilities are discovered constantly, and addressing them requires the attention of both security-focused and non-security-focused personnel. While attention is being paid to one set of issues, a new one pops up.
Unfortunately, unlike the arcade game, when fatigue or some other shortfall results in a vulnerability not being addressed, the issue does not simply drop back into the abyss it came from; the vulnerability remains an issue. Worse, unaddressed issues begin to pile on top of one another. A closer analogy would be adding another whack-a-mole machine every time the game is not conquered.
This buildup, in which vulnerabilities accumulate to the point where a business could not possibly address all of them in a timely manner with its current resources, is often referred to as vulnerability debt. The debt grows as the organization fails to address both new and old vulnerabilities within an acceptable time. The result is a business operating at an unreasonable and unnecessary level of risk.
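To make "vulnerability debt" concrete, here is an added illustration that is not part of the original article: a small script that measures debt as the set of findings open past their remediation SLA, and samples it over time to show the pile-up the article describes. The SLA values, the host and vulnerability identifiers, and the scan history are all constructed for the example and are not taken from any real environment or policy.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

# Remediation SLA per severity, in days. These are assumed policy values
# chosen for the example; the article does not prescribe any particular SLA.
SLA_DAYS: Dict[str, int] = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance as a scanner would report it."""
    host: str
    vuln_id: str
    severity: str
    first_seen: date
    fixed_on: Optional[date] = None  # None means the finding is still open


def days_past_sla(f: Finding, as_of: date) -> int:
    """Days a finding has been open beyond its SLA on `as_of`.

    Returns 0 if the finding was not yet seen, was already fixed, or is
    still inside its SLA window. A fix dated after `as_of` does not count:
    the debt is measured as it stood on that day.
    """
    if f.first_seen > as_of:
        return 0
    if f.fixed_on is not None and f.fixed_on <= as_of:
        return 0
    open_days = (as_of - f.first_seen).days
    return max(0, open_days - SLA_DAYS[f.severity])


def vulnerability_debt(findings: Iterable[Finding], as_of: date) -> Tuple[int, int]:
    """Return (number of overdue findings, total days past SLA across them)."""
    overdue = [d for d in (days_past_sla(f, as_of) for f in findings) if d > 0]
    return len(overdue), sum(overdue)


def debt_by_severity(findings: Iterable[Finding], as_of: date) -> Dict[str, int]:
    """Count overdue findings per severity so the report shows where the debt sits."""
    counts = {sev: 0 for sev in SLA_DAYS}
    for f in findings:
        if days_past_sla(f, as_of) > 0:
            counts[f.severity] += 1
    return counts


def debt_trend(findings: List[Finding], checkpoints: Iterable[date]) -> List[int]:
    """Overdue-finding count at each checkpoint date, to show whether debt is growing."""
    return [vulnerability_debt(findings, d)[0] for d in checkpoints]


# Constructed sample scan history (hypothetical hosts and identifiers, not real data).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("web01", "VULN-A", "critical", date(2019, 1, 10), fixed_on=date(2019, 1, 20)),
    Finding("web01", "VULN-B", "high", date(2019, 2, 1)),
    Finding("db02", "VULN-C", "medium", date(2019, 5, 15)),
    Finding("db02", "VULN-D", "critical", date(2019, 6, 20)),
    Finding("app03", "VULN-E", "low", date(2018, 10, 1)),
    Finding("app03", "VULN-F", "high", date(2019, 3, 1), fixed_on=date(2019, 7, 15)),
]

MONTH_ENDS: List[date] = [
    date(2019, 2, 28), date(2019, 3, 31), date(2019, 4, 30),
    date(2019, 5, 31), date(2019, 6, 30),
]

if __name__ == "__main__":
    as_of = date(2019, 6, 30)
    count, days = vulnerability_debt(SAMPLE_FINDINGS, as_of)
    print(f"{as_of}: {count} findings overdue, {days} finding-days past SLA")
    print("by severity:", debt_by_severity(SAMPLE_FINDINGS, as_of))
    print("monthly overdue counts:", debt_trend(SAMPLE_FINDINGS, MONTH_ENDS))
```

The trend output is the point: with nothing fixed after January, the overdue count climbs month over month and never comes back down, which is exactly the "extra arcade machine added each round" behaviour the article describes. On a real scan export the same two functions, fed the scanner's first-seen and last-seen dates, give a debt figure that can be tracked against remediation capacity.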
This is the situation in many enterprise environments, and it is the root of why vulnerability management is still a challenge today. The immediate and obvious question is, "How do enterprises erase vulnerability debt?"
As financial advisers often say, to get out of debt one must first address the reasons one got into debt in the first place. It is no different for businesses that find themselves with vulnerability debt.
In most cases the core issues that cause vulnerability debt can be narrowed down to:
More often than not, however, vulnerability debt is the result of a combination of all of these factors. While many businesses temporarily reduce their vulnerability debt by addressing one of them, the debt inevitably builds again. To wipe out vulnerability debt and keep it from returning, a business has to address every root cause of its debt.
This boils down to a relatively logical process:
Easier said than done, right? If a business could simply take the direction of a single paragraph and apply it to address vulnerability management, and vulnerability debt in particular, everyone would have done so in the twenty-six years since the problem was identified. Unfortunately, that is not realistic.
What are the immediate next steps to addressing the issue of vulnerability management then?
This type of action plan requires a great deal of time and focus, but it pays off in the long run. Unfortunately, the allure of the immediate satisfaction of tactically targeting currently open vulnerabilities masks the need for systemic change. As a result, most organizations will continue to fail to address the core issues and will find themselves in an endless loop of vulnerability debt and massive efforts to work it down. That is why, 26 years after the problem was identified, it remains without a remediation in most environments.
Cyber security defense is about what you can do, not what you can't.