With Cheltenham vying to become cyber capital of the UK, cyber security continues to be a hot topic – and a vital consideration for Gloucestershire organisations. With vulnerability management one specific area of cyber security that local businesses need to consider.
Essentially, it’s an established cyber security management process, which involves identifying, assessing, treating and reporting on any security vulnerabilities in a business environment – with regular vulnerability assessments forming an important part of an organisation’s security posture.
But, is it something all organisations need to invest in? Cheltenham-based Salus Cyber shares its top tips on keeping your vulnerability management fit for purpose with SoGlos…
About the expert – Jason Kalwa, founder and CEO of Salus Cyber
With over 10 years’ experience in cyber security, Jason Kalwa founded Salus Cyber, a certified provider of cyber security services, in 2017. Based in Cheltenham, the cyber hub of the UK, the firm helps businesses across all industry sectors to strengthen their security position and minimise risk across processes, technology and people.
Specialising in penetration testing, Jason has worked with the likes of the UK government, the Ministry of Defence and NATO. Over the course of his career, he has performed multiple tests on complex weapon, access control and RFID systems, as well as unmanned underwater vehicles.
First things first: what is vulnerability management?
Vulnerability assessments are designed to accurately identify any known holes in a business environment – and point out what needs to be done to plug them. It’s a first line of defence and forms a critical part of an organisation’s security posture.
A vulnerability management service provider like Salus Cyber will conduct vulnerability scans for businesses, and deliver a report with actions outlined for remediation.
So, why wouldn’t a company’s vulnerability management be effective?
One of the most consistent issues with vulnerability management is a lack of communication between provider and client. It can be difficult to manage relevant vulnerabilities and security issues if service providers are unable to conclusively evaluate the risks identified within the organisation’s risk areas.
Communication and bespoke services are vital in driving down critical-risk and organisation-specific security issues.
For example, a traditional penetration testing organisation will perform a monthly vulnerability assessment against an organisation’s existing assets. If a consultant fails to flag the presence of something like default web server content – which is an indicator of unmanaged services – to the organisation, then the information security team won’t be able to maintain an up-to-date list of existing network services or remove outdated and unsupported software.
How can good vulnerability management be useful for business decision makers?
The presentation of results is an often-overlooked area of vulnerability management. Clear communication can mean that it’s easier to get senior management buy-in for remediation plans – which cultivates improved security attention.
Good vulnerability management reporting should provide the answers to questions that the board might ask, such as the average time to remediate critical-risk vulnerabilities and the costs incurred. In general, any new critical-risk vulnerabilities found should identify the root causes.
Providers should build reporting around a customisable dashboard with KPIs of vulnerability metrics tailored to each client’s business needs. Simplifying results and extrapolating data to highlight critical points makes the information valuable to senior decision-makers.
How do you know if your vulnerability management is fit for purpose?
Vulnerability management reporting should tell you clearly what risks are, their criticality to the business, and what actions you need to take immediately. It should identify what steps you need to plan over the next twelve months, and what budget you need to do this.
Recognising the most relevant issues, and looking for trends and patterns, can provide valuable insights and help to identify what may be missing from the results and warrant further investigation.
Correctly interpreted vulnerability data needs to feed into corporate risk management processes and shared with information security staff, project teams, administrators, and risk-management teams.
What can businesses do to keep their vulnerability management process effective?
If a business is earnest about maintaining and improving its security posture, it needs to do more than simply scheduling periodic vulnerability scans and updating results.
The vulnerability management process should be subject to regular review to ensure it remains effective in light of changes to the business, information systems, the availability of new technologies and changes to the threat landscape.
It needs to provide a comprehensive and adaptive end-to-end solution that evolves in parallel with the infrastructure that it is protecting, in-line with business needs and strategies.
Evolve, don’t stagnate.
What should an organisation look for in their vulnerability management service provider?
Effective vulnerability management must take a strategic view of the business rather than focusing on each technical issue in isolation. When running vulnerability management programmes, the focus should always be on risk reduction at the business level rather than diving down technical rabbit holes.
The process should feed into the businesses risk management framework and drive down the relevant KPIs in line with the business strategy rather than just sending a list of vulnerabilities to the security team for remediation.
Experience shows that the best results come from developing long term trust-based relationships where a vulnerability management provider works with clients in close partnership, sharing insight and organisation-specific information, offering clients the specialist technical vulnerability management skills that they cannot afford to maintain in-house.
So, what makes a good vulnerability management service provider?
A good service provider will take the results of their client’s vulnerability identification processes, extract the relevant information and deliver it in a form that will feed into their business processes.
The information should drive business and security posture improvements, driving down strategic risks. The method for collecting vulnerability identification information is ultimately unimportant – it’s the interpretation and management of this information, enhancing its value, that’s crucial for a business’s success.
Anyone can scan for known vulnerabilities, but it requires business alignment and keen insight to utilise the data effectively, which is something Salus Cyber prides itself on doing for our clients.