Lost in translation: Bridging the communication gap in vulnerability management

April 17, 2024
Effective communication, predictable processes, and technology solutions can narrow the gap from identification to remediation in vulnerability management.

Vulnerability management is absolutely critical to protecting an organization’s IT and cloud infrastructure, systems, or applications from incoming threats. The ability to remediate the most relevant vulnerabilities quickly is the only way to keep your perimeter safe. Yet, security teams struggle with managing vulnerabilities. Why? At the core lies a fundamental communication and collaboration problem.

While security teams are tasked with managing risks associated with vulnerabilities, they do not execute the fixes themselves. Instead, various IT teams, including operations, engineering, infrastructure, or development, handle remediation activities. This separation of duties creates gaps in communication and collaboration among cross-functional teams, which makes identifying, prioritizing, and remediating vulnerabilities more difficult.

Process tweaks, automation tools, and other technologies can streamline the process and support a more effective vulnerability management program. But first, let’s delve into the problem a bit more.

The Identification-Remediation Gap Defined

Investments in cybersecurity programs have enabled security teams, armed with sophisticated solutions, to excel in pinpointing vulnerabilities across digital landscapes. However, the seamless transition from identification to resolution remains elusive because the teams that detect the flaws are not the ones implementing the fixes.

Security teams must clearly communicate vulnerability findings as well as remediation requirements, such as priority order, patch installation, system updates, or code changes. A breakdown in communication between security and remediation teams could lead to a gap between vulnerability identification and remediation.

The identification-remediation gap isn't merely a procedural hiccup; it manifests as inefficiencies and perilous delays in responding to security threats. The consequences of this gap reverberate across organizations, leaving them susceptible to potentially disastrous cyber-attacks and data breaches.

Passing the Baton: Organizational Dynamics and Communications Challenges

Documenting information about identified vulnerabilities is an important first step in vulnerability management, but the handover of vulnerability data and remediation requirements often leads to disjointed efforts rather than a unified response. Collaboration and communication between teams, even within the security domain, break down as a result.

Behind technology lies the human factor. Understanding organizational dynamics can uncover a root cause of weaknesses in a vulnerability management program.

Every IT team within an organization, whether operations, engineering, infrastructure, or development, focuses on ensuring optimal technology performance, availability, quality, and innovation. Additional work required to perform vulnerability remediation may disrupt their daily work or project deadlines, leading to reluctance to collaborate.

A shortage of staff to perform the work also impacts collaboration. Operations, engineering, infrastructure, or development teams are often overburdened and fulfilling the duties of multiple individuals. Clear expectations, communicated from the security team and fully understood by the remediation team, can help balance daily work with remediation activities.

Language barriers between security and remediation teams can create communication gaps, resulting in confusion or delays in the vulnerability management process. When security teams use technical jargon and complex vulnerability information focused on the problem, the message may not resonate with remediation teams, who hold a practical understanding of risk and are more concerned with solutions. This leads to additional communication gaps or disjointed efforts toward remediation.

As an example, not all discovered vulnerabilities pose an equal amount of risk. Presenting a list of vulnerabilities without context often leaves remediation teams unaware of the criticality, severity, or urgency of the vulnerabilities. 

With over 25 thousand new vulnerabilities published each year, understanding where to focus efforts can be overwhelming. Complex vulnerabilities, especially "zero days" with limited available information, can further complicate communication and delay response efforts.

To overcome this, security teams must effectively communicate prioritized remediation items to the relevant fixers. Moving away from discussing Common Vulnerabilities and Exposures (CVEs) to prioritized remediation tasks clarifies expectations and aligns all teams involved.

Having a common understanding of risk and a culture of security can reduce points of organizational conflict. An organization’s leadership team can foster stronger cross-team collaboration and present a broader view of the organization’s risk posture. Strong collaboration is vital to the success of a vulnerability management program, and embracing technological solutions can streamline the effort from identification to remediation.

Cohesive Vulnerability Management: Leveraging Technology

Considering the People, Process, Technology (PPT) framework, many organizations have focused on people and processes but have neglected to integrate technological solutions, such as automation and orchestration tools, into vulnerability management programs.

Integrating security scanning tools with remediation workflows creates a seamless, efficient response mechanism. These solutions can also help bridge staffing gaps, whether due to a junior team member responsible for remediation or team members juggling multiple roles.

Automation is best applied to predictable, repeatable remediation activities, such as workflows whose logic can be driven by vulnerability data and measurable business context. These solutions can also drive communication through a single, common set of data used by all teams involved in the process.
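To make the shift from CVE lists to prioritized remediation tasks concrete, the following Python is an added illustration, not code from the author or from any product. It collapses per-CVE scanner findings into one task per owning team and fix, ranked by severity and business context. The scoring formula, the remediation windows, and all sample findings (assets, owners, fixes, and placeholder CVE identifiers) are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample findings: (cve, asset, owner, fix, severity 0-10,
# internet_facing, asset criticality 1-3). All values are placeholders.
FINDINGS = [
    ("CVE-PLACEHOLDER-1", "web-01", "infrastructure", "Upgrade OpenSSL package", 9.8, True, 3),
    ("CVE-PLACEHOLDER-2", "web-01", "infrastructure", "Upgrade OpenSSL package", 7.5, True, 3),
    ("CVE-PLACEHOLDER-1", "web-02", "infrastructure", "Upgrade OpenSSL package", 9.8, True, 2),
    ("CVE-PLACEHOLDER-3", "build-01", "development", "Bump logging library in billing service", 9.0, False, 1),
    ("CVE-PLACEHOLDER-4", "db-01", "operations", "Apply database minor-version patch", 6.5, False, 3),
]

def risk_score(severity, internet_facing, criticality):
    """Assumed model: scanner severity scaled by asset criticality and exposure."""
    exposure = 1.5 if internet_facing else 1.0
    return round(severity * criticality / 3 * exposure, 1)

def due_in_days(score):
    """Assumed remediation windows; substitute the organization's own policy."""
    if score >= 9:
        return 7
    if score >= 6:
        return 30
    return 90

def build_tasks(findings):
    """Collapse per-CVE findings into one task per (owner, fix), highest risk first."""
    grouped = defaultdict(lambda: {"assets": set(), "cves": set(), "score": 0.0})
    for cve, asset, owner, fix, severity, exposed, criticality in findings:
        task = grouped[(owner, fix)]
        task["assets"].add(asset)
        task["cves"].add(cve)
        # A task inherits the risk of its worst finding.
        task["score"] = max(task["score"], risk_score(severity, exposed, criticality))
    tasks = [
        {"owner": owner, "action": fix, "assets": sorted(t["assets"]),
         "cves": sorted(t["cves"]), "score": t["score"],
         "due_days": due_in_days(t["score"])}
        for (owner, fix), t in grouped.items()
    ]
    return sorted(tasks, key=lambda t: t["score"], reverse=True)

if __name__ == "__main__":
    for t in build_tasks(FINDINGS):
        print(f'{t["owner"]}: {t["action"]} on {", ".join(t["assets"])} '
              f'within {t["due_days"]} days (resolves {len(t["cves"])} CVEs)')
```

Five findings become three tasks, each stated as an action for one team with a deadline; the build server's 9.0-severity finding ranks last because the asset is low-criticality and not internet-facing.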

It’s a Matter of Perspective

As security and remediation teams strive for better communication, clearer processes, and greater efficiency, there is an opportunity to shift the attitude from security being an additional task to viewing it from the perspective of performance or quality.

Understanding that remediation teams have a “day job”, and taking into account what that entails, can foster smoother collaboration. Infrastructure, operations, engineering, and development teams routinely conduct usability and quality checks as part of their daily work. Making a shift to think of vulnerabilities as another “bug” that could affect performance integrates vulnerability management into the regular course of business.

Effective communication, predictable processes, and technology solutions can narrow the gap from identification to remediation in vulnerability management. These components support teams in understanding their role in risk management for the organization and elevate the importance of security from an afterthought to a necessary component of the overall business strategy.

 

Ravid Circus is co-founder and Chief Product Officer at Seemplicity. Ravid has 20+ years of experience in translating risk management processes to technology. As former VP of Customer Success and VP Products at Skybox Security, Ravid has a unique perspective on cyber security management and hands-on experience with the technology required to support it. As a security practitioner at heart, Ravid understands the customer’s technology and operational challenges around risk reduction. His years of deploying customer care initiatives at Credit Suisse, Citi and Chase earned him a reputation as a seasoned security technologist.